redirect user to recovery codes page after MFA setup. Remove all recovery codes when user is no more MFA.

2020-05-17 10:11:38 +02:00 · 2020-05-17 10:11:38 +02:00 · 043ecd4fac
parent 3f7842ed3e
commit 043ecd4fac
4 changed files with 15 additions and 3 deletions
--- a/app/dashboard/views/fido_cancel.py
+++ b/app/dashboard/views/fido_cancel.py
@ -5,6 +5,7 @@ from wtforms import PasswordField, validators

 from app.dashboard.base import dashboard_bp
 from app.extensions import db
+from app.models import RecoveryCode


 class LoginForm(FlaskForm):
@ -29,6 +30,11 @@ def fido_cancel():
            current_user.fido_sign_count = None
            current_user.fido_credential_id = None
            db.session.commit()
+
+            # user does not have any 2FA enabled left, delete all recovery codes
+            if not current_user.two_factor_authentication_enabled():
+                RecoveryCode.empty(current_user)
+
            flash("We've unlinked your security key.", "success")
            return redirect(url_for("dashboard.index"))
        else:
--- a/app/dashboard/views/fido_setup.py
+++ b/app/dashboard/views/fido_setup.py
@ -68,8 +68,7 @@ def fido_setup():
        db.session.commit()

        flash("Security key has been activated", "success")
-
-        return redirect(url_for("dashboard.index"))
+        return redirect(url_for("dashboard.recovery_code_route"))

    # Prepare information for key registration process
    fido_uuid = str(uuid.uuid4())
--- a/app/dashboard/views/mfa_cancel.py
+++ b/app/dashboard/views/mfa_cancel.py
@ -6,6 +6,7 @@ from wtforms import StringField, validators

 from app.dashboard.base import dashboard_bp
 from app.extensions import db
+from app.models import RecoveryCode


 class OtpTokenForm(FlaskForm):
@ -29,6 +30,11 @@ def mfa_cancel():
            current_user.enable_otp = False
            current_user.otp_secret = None
            db.session.commit()
+
+            # user does not have any 2FA enabled left, delete all recovery codes
+            if not current_user.two_factor_authentication_enabled():
+                RecoveryCode.empty(current_user)
+
            flash("MFA is now disabled", "warning")
            return redirect(url_for("dashboard.index"))
        else:
--- a/app/dashboard/views/mfa_setup.py
+++ b/app/dashboard/views/mfa_setup.py
@ -36,7 +36,8 @@ def mfa_setup():
            current_user.enable_otp = True
            db.session.commit()
            flash("MFA has been activated", "success")
-            return redirect(url_for("dashboard.index"))
+
+            return redirect(url_for("dashboard.recovery_code_route"))
        else:
            flash("Incorrect token", "warning")