diff --git a/app/dashboard/templates/dashboard/mfa_cancel.html b/app/dashboard/templates/dashboard/mfa_cancel.html
index 3a9ae226..7f198a9e 100644
--- a/app/dashboard/templates/dashboard/mfa_cancel.html
+++ b/app/dashboard/templates/dashboard/mfa_cancel.html
@@ -9,19 +9,14 @@

Two Factor Authentication

-

- To remove 2FA please enter your 2FA code from the authenticator app. -

+ +
+ Disabling TOTP reduces the security of your account, please make sure to re-activate it later + or use WebAuthn (FIDO). +
- {{ otp_token_form.csrf_token }} - -
Token
-
The 6-digit 2FA code.
- - {{ otp_token_form.token(class="form-control", autofocus="true") }} - {{ render_field_errors(otp_token_form.token) }} - +
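Review bot: The removed `{{ otp_token_form.csrf_token }}` was the only CSRF token visible in this form, and the added lines at the end of the hunk (their tags are stripped in this rendering) do not show a replacement. The matching view change in the app/dashboard/views/mfa_cancel.py hunk replaces `validate_on_submit()` with a bare `request.method == "POST"` check, so unless a global `CSRFProtect` is registered on the app, a cross-site POST would now disable TOTP without any token. If the new form does not already carry one, add `<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">` inside it, and keep the form's `method="post"` so the GET render stays side-effect free.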
diff --git a/app/dashboard/templates/dashboard/mfa_setup.html b/app/dashboard/templates/dashboard/mfa_setup.html
index 8f417739..ce682c01 100644
--- a/app/dashboard/templates/dashboard/mfa_setup.html
+++ b/app/dashboard/templates/dashboard/mfa_setup.html
@@ -11,7 +11,7 @@ {% block default_content %}
-

Two Factor Authentication

+

Two Factor Authentication - TOTP

You will need to use a 2FA application like Google Authenticator or Authy on your phone or PC and scan the following QR Code:

diff --git a/app/dashboard/views/mfa_cancel.py b/app/dashboard/views/mfa_cancel.py
index 66c36c2a..bd9da45a 100644
--- a/app/dashboard/views/mfa_cancel.py
+++ b/app/dashboard/views/mfa_cancel.py
@@ -1,17 +1,10 @@
-import pyotp
-from flask import render_template, flash, redirect, url_for
+from flask import render_template, flash, redirect, url_for, request
 from flask_login import login_required, current_user
-from flask_wtf import FlaskForm
-from wtforms import StringField, validators
 from app.dashboard.base import dashboard_bp
+from app.dashboard.views.enter_sudo import sudo_required
 from app.extensions import db
 from app.models import RecoveryCode
-from app.dashboard.views.enter_sudo import sudo_required
-
-
-class OtpTokenForm(FlaskForm):
- token = StringField("Token", validators=[validators.DataRequired()])
 
 
 
 @dashboard_bp.route("/mfa_cancel", methods=["GET", "POST"])
@@ -22,24 +15,17 @@ def mfa_cancel():
 flash("you don't have MFA enabled", "warning")
 return redirect(url_for("dashboard.index"))
 
- otp_token_form = OtpTokenForm()
- totp = pyotp.TOTP(current_user.otp_secret)
+ # user cancels TOTP
+ if request.method == "POST":
+ current_user.enable_otp = False
+ current_user.otp_secret = None
+ db.session.commit()
 
- if otp_token_form.validate_on_submit():
- token = otp_token_form.token.data
+ # user does not have any 2FA enabled left, delete all recovery codes
+ if not current_user.two_factor_authentication_enabled():
+ RecoveryCode.empty(current_user)
 
- if totp.verify(token):
- current_user.enable_otp = False
- current_user.otp_secret = None
- db.session.commit()
+ flash("TOTP is now disabled", "warning")
+ return redirect(url_for("dashboard.index"))
 
- # user does not have any 2FA enabled left, delete all recovery codes
- if not current_user.two_factor_authentication_enabled():
- RecoveryCode.empty(current_user)
-
- flash("MFA is now disabled", "warning")
- return redirect(url_for("dashboard.index"))
- else:
- flash("Incorrect token", "warning")
-
- return render_template("dashboard/mfa_cancel.html", otp_token_form=otp_token_form)
+ return render_template("dashboard/mfa_cancel.html")
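Review bot: With `totp.verify(token)` gone, nothing inside this hunk re-checks the user's identity before `current_user.otp_secret = None` is committed; the only remaining gate is the `sudo_required` decorator imported in the first hunk, which sits with `def mfa_cancel():` and the other decorators outside the hunk, so a reader of this function cannot see that contract. Replace the added `# user cancels TOTP` with a comment that states it explicitly, e.g. `# Re-authentication is enforced by @sudo_required on this view; no TOTP code is re-checked here.`. Since the factor is now dropped on any authenticated POST, it is also worth emitting a log line (user id, remote address) before `db.session.commit()` so the event is visible in detection and incident review. Note too that `RecoveryCode.empty(current_user)` still runs after the commit; whether its deletion is persisted depends on `empty` committing on its own, which is not visible here.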