app-MAIL-temp/app/dashboard/views/mfa_cancel.py

from flask import render_template, flash, redirect, url_for, request
from flask_login import login_required, current_user

from app.dashboard.base import dashboard_bp
from app.dashboard.views.enter_sudo import sudo_required
from app.db import Session
from app.models import RecoveryCode
from app.utils import CSRFValidationForm


@dashboard_bp.route("/mfa_cancel", methods=["GET", "POST"])
@login_required
@sudo_required
def mfa_cancel():
    if not current_user.enable_otp:
        flash("you don't have MFA enabled", "warning")
        return redirect(url_for("dashboard.index"))

    csrf_form = CSRFValidationForm()

    # user cancels TOTP
    if request.method == "POST":
        if not csrf_form.validate():
            flash("Invalid request", "warning")
            return redirect(request.url)
        current_user.enable_otp = False
        current_user.otp_secret = None
        Session.commit()

        # user does not have any 2FA enabled left, delete all recovery codes
        if not current_user.two_factor_authentication_enabled():
            RecoveryCode.empty(current_user)

        flash("TOTP is now disabled", "warning")
        return redirect(url_for("dashboard.index"))

    return render_template("dashboard/mfa_cancel.html", csrf_form=csrf_form)
do not require user to re-enter TOTP code when cancelling TOTP 2020-08-05 12:30:56 +02:00			`from flask import render_template, flash, redirect, url_for, request`
User who has enabled MFA can cancel MFA 2019-12-29 15:10:40 +01:00			`from flask_login import login_required, current_user`

			`from app.dashboard.base import dashboard_bp`
do not require user to re-enter TOTP code when cancelling TOTP 2020-08-05 12:30:56 +02:00			`from app.dashboard.views.enter_sudo import sudo_required`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`from app.db import Session`
redirect user to recovery codes page after MFA setup. Remove all recovery codes when user is no more MFA. 2020-05-17 10:11:38 +02:00			`from app.models import RecoveryCode`
Fix: Add CSRF validation to api key management page (#1523) * Fix: Add CSRF validation to api key management page * Added csrf to subdomain creation * Added CSRF to totp cancel Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> 2023-01-12 12:34:47 +01:00			`from app.utils import CSRFValidationForm`
User who has enabled MFA can cancel MFA 2019-12-29 15:10:40 +01:00

			`@dashboard_bp.route("/mfa_cancel", methods=["GET", "POST"])`
			`@login_required`
sudo mode 2020-05-18 11:14:40 +02:00			`@sudo_required`
User who has enabled MFA can cancel MFA 2019-12-29 15:10:40 +01:00			`def mfa_cancel():`
			`if not current_user.enable_otp:`
			`flash("you don't have MFA enabled", "warning")`
			`return redirect(url_for("dashboard.index"))`

Fix: Add CSRF validation to api key management page (#1523) * Fix: Add CSRF validation to api key management page * Added csrf to subdomain creation * Added CSRF to totp cancel Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> 2023-01-12 12:34:47 +01:00			`csrf_form = CSRFValidationForm()`

do not require user to re-enter TOTP code when cancelling TOTP 2020-08-05 12:30:56 +02:00			`# user cancels TOTP`
			`if request.method == "POST":`
Fix: Add CSRF validation to api key management page (#1523) * Fix: Add CSRF validation to api key management page * Added csrf to subdomain creation * Added CSRF to totp cancel Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> 2023-01-12 12:34:47 +01:00			`if not csrf_form.validate():`
			`flash("Invalid request", "warning")`
			`return redirect(request.url)`
do not require user to re-enter TOTP code when cancelling TOTP 2020-08-05 12:30:56 +02:00			`current_user.enable_otp = False`
			`current_user.otp_secret = None`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
User who has enabled MFA can cancel MFA 2019-12-29 15:10:40 +01:00
do not require user to re-enter TOTP code when cancelling TOTP 2020-08-05 12:30:56 +02:00			`# user does not have any 2FA enabled left, delete all recovery codes`
			`if not current_user.two_factor_authentication_enabled():`
			`RecoveryCode.empty(current_user)`
User who has enabled MFA can cancel MFA 2019-12-29 15:10:40 +01:00
do not require user to re-enter TOTP code when cancelling TOTP 2020-08-05 12:30:56 +02:00			`flash("TOTP is now disabled", "warning")`
			`return redirect(url_for("dashboard.index"))`
User who has enabled MFA can cancel MFA 2019-12-29 15:10:40 +01:00
Fix: Add CSRF validation to api key management page (#1523) * Fix: Add CSRF validation to api key management page * Added csrf to subdomain creation * Added CSRF to totp cancel Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> 2023-01-12 12:34:47 +01:00			`return render_template("dashboard/mfa_cancel.html", csrf_form=csrf_form)`