app-MAIL-temp/app/api/views/auth_mfa.py

import pyotp
from flask import jsonify, request
from flask_login import login_user
from itsdangerous import Signer

from app.api.base import api_bp
from app.config import FLASK_SECRET
from app.db import Session
from app.email_utils import send_invalid_totp_login_email
from app.log import LOG
from app.models import User, ApiKey


@api_bp.route("/auth/mfa", methods=["POST"])
def auth_mfa():
    """
    Validate the OTP Token
    Input:
        mfa_token: OTP token that user enters
        mfa_key: MFA key obtained in previous auth request, e.g. /api/auth/login
        device: the device name, used to create an ApiKey associated with this device
    Output:
        200 and user info containing:
        {
            name: "John Wick",
            api_key: "a long string",
            email: "user email"
        }

    """
    data = request.get_json()
    if not data:
        return jsonify(error="request body cannot be empty"), 400

    mfa_token = data.get("mfa_token")
    mfa_key = data.get("mfa_key")
    device = data.get("device")

    s = Signer(FLASK_SECRET)
    try:
        user_id = int(s.unsign(mfa_key))
    except Exception:
        return jsonify(error="Invalid mfa_key"), 400

    user = User.get(user_id)

    if not user:
        return jsonify(error="Invalid mfa_key"), 400
    elif not user.enable_otp:
        return (
            jsonify(error="This endpoint should only be used by user who enables MFA"),
            400,
        )

    totp = pyotp.TOTP(user.otp_secret)
    if not totp.verify(mfa_token):
        send_invalid_totp_login_email(user, "TOTP")
        return jsonify(error="Wrong TOTP Token"), 400

    ret = {"name": user.name or "", "email": user.email}

    api_key = ApiKey.get_by(user_id=user.id, name=device)
    if not api_key:
        LOG.d("create new api key for %s and %s", user, device)
        api_key = ApiKey.create(user.id, device)
        Session.commit()

    ret["api_key"] = api_key.code

    # so user is logged in automatically on the web
    login_user(user)

    return jsonify(**ret), 200
add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`import pyotp`
			`from flask import jsonify, request`
login user in api auth endpoints 2020-07-04 10:39:38 +02:00			`from flask_login import login_user`
optimize import in all files 2020-04-25 11:30:09 +02:00			`from itsdangerous import Signer`
add /api/auth/mfa 2020-01-20 15:00:56 +01:00
			`from app.api.base import api_bp`
			`from app.config import FLASK_SECRET`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`from app.db import Session`
Implement API notifications and use a function in email_utils 2022-01-20 18:42:11 +01:00			`from app.email_utils import send_invalid_totp_login_email`
reuse ApiKey if same device 2020-02-05 12:05:26 +01:00			`from app.log import LOG`
add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`from app.models import User, ApiKey`


			`@api_bp.route("/auth/mfa", methods=["POST"])`
			`def auth_mfa():`
			`"""`
			`Validate the OTP Token`
			`Input:`
			`mfa_token: OTP token that user enters`
			`mfa_key: MFA key obtained in previous auth request, e.g. /api/auth/login`
			`device: the device name, used to create an ApiKey associated with this device`
			`Output:`
			`200 and user info containing:`
			`{`
			`name: "John Wick",`
return user email in /api/auth/mfa 2020-06-09 17:20:37 +02:00			`api_key: "a long string",`
			`email: "user email"`
add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`}`

			`"""`
			`data = request.get_json()`
			`if not data:`
			`return jsonify(error="request body cannot be empty"), 400`

			`mfa_token = data.get("mfa_token")`
			`mfa_key = data.get("mfa_key")`
			`device = data.get("device")`

			`s = Signer(FLASK_SECRET)`
			`try:`
			`user_id = int(s.unsign(mfa_key))`
Handle unsign can generate other exceptions 2020-03-09 09:17:40 +01:00			`except Exception:`
add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`return jsonify(error="Invalid mfa_key"), 400`

			`user = User.get(user_id)`

			`if not user:`
			`return jsonify(error="Invalid mfa_key"), 400`
			`elif not user.enable_otp:`
			`return (`
			`jsonify(error="This endpoint should only be used by user who enables MFA"),`
			`400,`
			`)`

			`totp = pyotp.TOTP(user.otp_secret)`
			`if not totp.verify(mfa_token):`
Implement API notifications and use a function in email_utils 2022-01-20 18:42:11 +01:00			`send_invalid_totp_login_email(user, "TOTP")`
add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`return jsonify(error="Wrong TOTP Token"), 400`

remove the "Hi {name}" from email template 2021-01-11 10:22:39 +01:00			`ret = {"name": user.name or "", "email": user.email}`
add /api/auth/mfa 2020-01-20 15:00:56 +01:00
reuse ApiKey if same device 2020-02-05 12:05:26 +01:00			`api_key = ApiKey.get_by(user_id=user.id, name=device)`
			`if not api_key:`
			`LOG.d("create new api key for %s and %s", user, device)`
			`api_key = ApiKey.create(user.id, device)`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
reuse ApiKey if same device 2020-02-05 12:05:26 +01:00
add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`ret["api_key"] = api_key.code`

login user in api auth endpoints 2020-07-04 10:39:38 +02:00			`# so user is logged in automatically on the web`
			`login_user(user)`

add /api/auth/mfa 2020-01-20 15:00:56 +01:00			`return jsonify(**ret), 200`