app-MAIL-temp/app/dashboard/views/fido_setup.py

import json
import secrets
import uuid

import webauthn
from flask import render_template, flash, redirect, url_for, session
from flask_login import login_required, current_user
from flask_wtf import FlaskForm
from wtforms import StringField, HiddenField, validators

from app.config import RP_ID, URL
from app.dashboard.base import dashboard_bp
from app.dashboard.views.enter_sudo import sudo_required
from app.db import Session
from app.log import LOG
from app.models import Fido, RecoveryCode


class FidoTokenForm(FlaskForm):
    key_name = StringField("key_name", validators=[validators.DataRequired()])
    sk_assertion = HiddenField("sk_assertion", validators=[validators.DataRequired()])


@dashboard_bp.route("/fido_setup", methods=["GET", "POST"])
@login_required
@sudo_required
def fido_setup():
    if current_user.fido_uuid is not None:
        fidos = Fido.filter_by(uuid=current_user.fido_uuid).all()
    else:
        fidos = []

    fido_token_form = FidoTokenForm()

    # Handling POST requests
    if fido_token_form.validate_on_submit():
        try:
            sk_assertion = json.loads(fido_token_form.sk_assertion.data)
        except Exception:
            flash("Key registration failed. Error: Invalid Payload", "warning")
            return redirect(url_for("dashboard.index"))

        fido_uuid = session["fido_uuid"]
        challenge = session["fido_challenge"]

        fido_reg_response = webauthn.WebAuthnRegistrationResponse(
            RP_ID,
            URL,
            sk_assertion,
            challenge,
            trusted_attestation_cert_required=False,
            none_attestation_permitted=True,
        )

        try:
            fido_credential = fido_reg_response.verify()
        except Exception as e:
            LOG.w(f"An error occurred in WebAuthn registration process: {e}")
            flash("Key registration failed.", "warning")
            return redirect(url_for("dashboard.index"))

        if current_user.fido_uuid is None:
            current_user.fido_uuid = fido_uuid
            Session.flush()

        Fido.create(
            credential_id=str(fido_credential.credential_id, "utf-8"),
            uuid=fido_uuid,
            public_key=str(fido_credential.public_key, "utf-8"),
            sign_count=fido_credential.sign_count,
            name=fido_token_form.key_name.data,
            user_id=current_user.id,
        )
        Session.commit()

        LOG.d(
            f"credential_id={str(fido_credential.credential_id, 'utf-8')} added for {fido_uuid}"
        )

        flash("Security key has been activated", "success")
        recovery_codes = RecoveryCode.generate(current_user)
        return render_template(
            "dashboard/recovery_code.html", recovery_codes=recovery_codes
        )

    # Prepare information for key registration process
    fido_uuid = (
        str(uuid.uuid4()) if current_user.fido_uuid is None else current_user.fido_uuid
    )
    challenge = secrets.token_urlsafe(32)

    credential_create_options = webauthn.WebAuthnMakeCredentialOptions(
        challenge,
        "SimpleLogin",
        RP_ID,
        fido_uuid,
        current_user.email,
        current_user.name if current_user.name else current_user.email,
        False,
        attestation="none",
        user_verification="discouraged",
    )

    # Don't think this one should be used, but it's not configurable by arguments
    # https://www.w3.org/TR/webauthn/#sctn-location-extension
    registration_dict = credential_create_options.registration_dict
    del registration_dict["extensions"]["webauthn.loc"]

    # Prevent user from adding duplicated keys
    for fido in fidos:
        registration_dict["excludeCredentials"].append(
            {
                "type": "public-key",
                "id": fido.credential_id,
                "transports": ["usb", "nfc", "ble", "internal"],
            }
        )

    session["fido_uuid"] = fido_uuid
    session["fido_challenge"] = challenge.rstrip("=")

    return render_template(
        "dashboard/fido_setup.html",
        fido_token_form=fido_token_form,
        credential_create_options=registration_dict,
    )
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`import json`
			`import secrets`
optimize import 2020-05-07 17:49:29 +02:00			`import uuid`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00
optimize import 2020-05-07 17:49:29 +02:00			`import webauthn`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`from flask import render_template, flash, redirect, url_for, session`
			`from flask_login import login_required, current_user`
			`from flask_wtf import FlaskForm`
named key 2020-05-18 11:55:41 +02:00			`from wtforms import StringField, HiddenField, validators`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00
optimize import 2020-05-07 17:49:29 +02:00			`from app.config import RP_ID, URL`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`from app.dashboard.base import dashboard_bp`
optimize import 2020-10-15 16:45:28 +02:00			`from app.dashboard.views.enter_sudo import sudo_required`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`from app.db import Session`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`from app.log import LOG`
Rename FIDO->Fido 2020-05-18 22:54:05 +02:00			`from app.models import Fido, RecoveryCode`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00
black 2020-05-18 11:15:52 +02:00
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`class FidoTokenForm(FlaskForm):`
named key 2020-05-18 11:55:41 +02:00			`key_name = StringField("key_name", validators=[validators.DataRequired()])`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`sk_assertion = HiddenField("sk_assertion", validators=[validators.DataRequired()])`


			`@dashboard_bp.route("/fido_setup", methods=["GET", "POST"])`
			`@login_required`
sudo mode 2020-05-18 11:14:40 +02:00			`@sudo_required`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`def fido_setup():`
more setup 2020-05-18 09:01:27 +02:00			`if current_user.fido_uuid is not None:`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`fidos = Fido.filter_by(uuid=current_user.fido_uuid).all()`
more setup 2020-05-18 09:01:27 +02:00			`else:`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`fidos = []`
DB & Setup ready for multi-keys 2020-05-18 07:05:37 +02:00
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`fido_token_form = FidoTokenForm()`
Key registration (Backend) 2020-05-05 10:58:42 +02:00
			`# Handling POST requests`
			`if fido_token_form.validate_on_submit():`
			`try:`
			`sk_assertion = json.loads(fido_token_form.sk_assertion.data)`
linting 2020-12-06 22:05:13 +01:00			`except Exception:`
Black formatted 2020-05-07 11:53:28 +02:00			`flash("Key registration failed. Error: Invalid Payload", "warning")`
Key registration (Backend) 2020-05-05 10:58:42 +02:00			`return redirect(url_for("dashboard.index"))`
Black formatted 2020-05-07 11:53:28 +02:00
			`fido_uuid = session["fido_uuid"]`
			`challenge = session["fido_challenge"]`
Key registration (Backend) 2020-05-05 10:58:42 +02:00
			`fido_reg_response = webauthn.WebAuthnRegistrationResponse(`
Make RP_ID a constant 2020-05-07 11:33:24 +02:00			`RP_ID,`
fix SITE_URL 2020-05-07 14:34:17 +02:00			`URL,`
Key registration (Backend) 2020-05-05 10:58:42 +02:00			`sk_assertion,`
			`challenge,`
Black formatted 2020-05-07 11:53:28 +02:00			`trusted_attestation_cert_required=False,`
			`none_attestation_permitted=True,`
			`)`
Key registration (Backend) 2020-05-05 10:58:42 +02:00
			`try:`
			`fido_credential = fido_reg_response.verify()`
			`except Exception as e:`
reformat 2021-09-08 11:29:55 +02:00			`LOG.w(f"An error occurred in WebAuthn registration process: {e}")`
Black formatted 2020-05-07 11:53:28 +02:00			`flash("Key registration failed.", "warning")`
Key registration (Backend) 2020-05-05 10:58:42 +02:00			`return redirect(url_for("dashboard.index"))`
black 2020-05-18 09:06:24 +02:00
more setup 2020-05-18 09:01:27 +02:00			`if current_user.fido_uuid is None:`
			`current_user.fido_uuid = fido_uuid`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.flush()`
more setup 2020-05-18 09:01:27 +02:00
Rename FIDO->Fido 2020-05-18 22:54:05 +02:00			`Fido.create(`
black 2020-05-18 09:06:24 +02:00			`credential_id=str(fido_credential.credential_id, "utf-8"),`
			`uuid=fido_uuid,`
			`public_key=str(fido_credential.public_key, "utf-8"),`
			`sign_count=fido_credential.sign_count,`
named key 2020-05-18 11:55:41 +02:00			`name=fido_token_form.key_name.data,`
set Fido.user_id 2021-11-22 15:57:51 +01:00			`user_id=current_user.id,`
more setup 2020-05-18 09:01:27 +02:00			`)`
do not use flask-sqlalchemy - add __tablename__ for all models - use sa and orm instead of db - rollback all changes in tests - remove session in @app.teardown_appcontext 2021-10-12 14:36:47 +02:00			`Session.commit()`
Key registration (Backend) 2020-05-05 10:58:42 +02:00
black 2020-05-18 09:06:24 +02:00			`LOG.d(`
			`f"credential_id={str(fido_credential.credential_id, 'utf-8')} added for {fido_uuid}"`
			`)`
more setup 2020-05-18 09:01:27 +02:00
Key registration (Backend) 2020-05-05 10:58:42 +02:00			`flash("Security key has been activated", "success")`
Display recovery codes for mfa only once (#1317) * Recovery codes can only be shown after adding a 2FA code and cannot be seen afterwards * Added recovery codes fix * Updated models and script * Formatting * Format * Added base code * Updated wording * Set the config by default Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> 2022-10-03 12:32:45 +02:00			`recovery_codes = RecoveryCode.generate(current_user)`
			`return render_template(`
			`"dashboard/recovery_code.html", recovery_codes=recovery_codes`
			`)`
Black formatted 2020-05-07 11:53:28 +02:00
typo 'infomation' 2020-05-07 11:31:42 +02:00			`# Prepare information for key registration process`
black 2020-05-18 09:06:24 +02:00			`fido_uuid = (`
			`str(uuid.uuid4()) if current_user.fido_uuid is None else current_user.fido_uuid`
			`)`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`challenge = secrets.token_urlsafe(32)`

			`credential_create_options = webauthn.WebAuthnMakeCredentialOptions(`
Black formatted 2020-05-07 11:53:28 +02:00			`challenge,`
			`"SimpleLogin",`
			`RP_ID,`
			`fido_uuid,`
			`current_user.email,`
:bug: WebAuthn bug fixes - User may not have name - user_verification should be discouraged to work on iOS 2020-05-08 23:21:38 +02:00			`current_user.name if current_user.name else current_user.email,`
Black formatted 2020-05-07 11:53:28 +02:00			`False,`
			`attestation="none",`
:bug: WebAuthn bug fixes - User may not have name - user_verification should be discouraged to work on iOS 2020-05-08 23:21:38 +02:00			`user_verification="discouraged",`
Black formatted 2020-05-07 11:53:28 +02:00			`)`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00
			`# Don't think this one should be used, but it's not configurable by arguments`
			`# https://www.w3.org/TR/webauthn/#sctn-location-extension`
			`registration_dict = credential_create_options.registration_dict`
Black formatted 2020-05-07 11:53:28 +02:00			`del registration_dict["extensions"]["webauthn.loc"]`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00
more setup 2020-05-18 09:01:27 +02:00			`# Prevent user from adding duplicated keys`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`for fido in fidos:`
black 2020-05-18 09:06:24 +02:00			`registration_dict["excludeCredentials"].append(`
			`{`
			`"type": "public-key",`
fido_model -> fidos 2020-05-18 22:55:38 +02:00			`"id": fido.credential_id,`
black 2020-05-18 09:06:24 +02:00			`"transports": ["usb", "nfc", "ble", "internal"],`
			`}`
			`)`
DB & Setup ready for multi-keys 2020-05-18 07:05:37 +02:00
Black formatted 2020-05-07 11:53:28 +02:00			`session["fido_uuid"] = fido_uuid`
			`session["fido_challenge"] = challenge.rstrip("=")`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00
			`return render_template(`
Black formatted 2020-05-07 11:53:28 +02:00			`"dashboard/fido_setup.html",`
			`fido_token_form=fido_token_form,`
			`credential_create_options=registration_dict,`
Security key setup page (front-end) 2020-05-05 10:32:49 +02:00			`)`