do not require user to re-enter TOTP code when cancelling TOTP

2020-08-05 12:30:56 +02:00 · 2020-08-05 12:30:56 +02:00 · 1f0ef13ff2
parent f17608df50
commit 1f0ef13ff2
3 changed files with 20 additions and 39 deletions
--- a/app/dashboard/templates/dashboard/mfa_cancel.html
+++ b/app/dashboard/templates/dashboard/mfa_cancel.html
@ -9,19 +9,14 @@
  <div class="card">
    <div class="card-body">
      <h1 class="h2">Two Factor Authentication</h1>
-      <p>
-        To remove 2FA please enter your 2FA code from the authenticator app.
-      </p>
+
+      <div>
+        Disabling TOTP reduces the security of your account, please make sure to re-activate it later
+        or use WebAuthn (FIDO).
+      </div>

      <form method="post">
-        {{ otp_token_form.csrf_token }}
-
-        <div class="font-weight-bold mt-5">Token</div>
-        <div class="small-text">The 6-digit 2FA code.</div>
-
-        {{ otp_token_form.token(class="form-control", autofocus="true") }}
-        {{ render_field_errors(otp_token_form.token) }}
-        <button class="btn btn-lg btn-danger mt-2">Remove 2FA</button>
+        <button class="btn btn-danger mt-2">Disable TOTP</button>
      </form>
    </div>

--- a/app/dashboard/templates/dashboard/mfa_setup.html
+++ b/app/dashboard/templates/dashboard/mfa_setup.html
@ -11,7 +11,7 @@
 {% block default_content %}
  <div class="card">
    <div class="card-body">
-      <h1 class="h3">Two Factor Authentication</h1>
+      <h1 class="h3">Two Factor Authentication - TOTP</h1>
      <p>You will need to use a 2FA application like Google Authenticator or Authy on your phone or PC and scan the following QR Code:
      </p>

--- a/app/dashboard/views/mfa_cancel.py
+++ b/app/dashboard/views/mfa_cancel.py
@ -1,17 +1,10 @@
-import pyotp
-from flask import render_template, flash, redirect, url_for
+from flask import render_template, flash, redirect, url_for, request
 from flask_login import login_required, current_user
-from flask_wtf import FlaskForm
-from wtforms import StringField, validators

 from app.dashboard.base import dashboard_bp
+from app.dashboard.views.enter_sudo import sudo_required
 from app.extensions import db
 from app.models import RecoveryCode
-from app.dashboard.views.enter_sudo import sudo_required
-
-
-class OtpTokenForm(FlaskForm):
-    token = StringField("Token", validators=[validators.DataRequired()])


@dashboard_bp.route("/mfa_cancel", methods=["GET", "POST"])
@ -22,24 +15,17 @@ def mfa_cancel():
        flash("you don't have MFA enabled", "warning")
        return redirect(url_for("dashboard.index"))

-    otp_token_form = OtpTokenForm()
-    totp = pyotp.TOTP(current_user.otp_secret)
+    # user cancels TOTP
+    if request.method == "POST":
+        current_user.enable_otp = False
+        current_user.otp_secret = None
+        db.session.commit()

-    if otp_token_form.validate_on_submit():
-        token = otp_token_form.token.data
+        # user does not have any 2FA enabled left, delete all recovery codes
+        if not current_user.two_factor_authentication_enabled():
+            RecoveryCode.empty(current_user)

-        if totp.verify(token):
-            current_user.enable_otp = False
-            current_user.otp_secret = None
-            db.session.commit()
+        flash("TOTP is now disabled", "warning")
+        return redirect(url_for("dashboard.index"))

-            # user does not have any 2FA enabled left, delete all recovery codes
-            if not current_user.two_factor_authentication_enabled():
-                RecoveryCode.empty(current_user)
-
-            flash("MFA is now disabled", "warning")
-            return redirect(url_for("dashboard.index"))
-        else:
-            flash("Incorrect token", "warning")
-
-    return render_template("dashboard/mfa_cancel.html", otp_token_form=otp_token_form)
+    return render_template("dashboard/mfa_cancel.html")