Bypass 2FA if Login with Proton (#1142)

* Bypass 2FA if Login with Proton

* Fix formatting of template

app/auth/views/login_utils.py

@@ -9,38 +9,40 @@ from app.log import LOG
 from app.models import Referral
 
 
-def after_login(user, next_url):
+def after_login(user, next_url, login_from_proton: bool = False):
     """
     Redirect to the correct page after login.
+    If the user is logged in with Proton, do not look at fido nor otp
     If user enables MFA: redirect user to MFA page
     Otherwise redirect to dashboard page if no next_url
     """
-    if user.fido_enabled():
-        # Use the same session for FIDO so that we can easily
-        # switch between these two 2FA option
-        session[MFA_USER_ID] = user.id
-        if next_url:
-            return redirect(url_for("auth.fido", next=next_url))
-        else:
-            return redirect(url_for("auth.fido"))
-    elif user.enable_otp:
-        session[MFA_USER_ID] = user.id
-        if next_url:
-            return redirect(url_for("auth.mfa", next=next_url))
-        else:
-            return redirect(url_for("auth.mfa"))
-    else:
-        LOG.d("log user %s in", user)
-        login_user(user)
-        session["sudo_time"] = int(time())
+    if not login_from_proton:
+        if user.fido_enabled():
+            # Use the same session for FIDO so that we can easily
+            # switch between these two 2FA option
+            session[MFA_USER_ID] = user.id
+            if next_url:
+                return redirect(url_for("auth.fido", next=next_url))
+            else:
+                return redirect(url_for("auth.fido"))
+        elif user.enable_otp:
+            session[MFA_USER_ID] = user.id
+            if next_url:
+                return redirect(url_for("auth.mfa", next=next_url))
+            else:
+                return redirect(url_for("auth.mfa"))
 
-        # User comes to login page from another page
-        if next_url:
-            LOG.d("redirect user to %s", next_url)
-            return redirect(next_url)
-        else:
-            LOG.d("redirect user to dashboard")
-            return redirect(url_for("dashboard.index"))
+    LOG.d("log user %s in", user)
+    login_user(user)
+    session["sudo_time"] = int(time())
+
+    # User comes to login page from another page
+    if next_url:
+        LOG.d("redirect user to %s", next_url)
+        return redirect(next_url)
+    else:
+        LOG.d("redirect user to dashboard")
+        return redirect(url_for("dashboard.index"))
 
 
 # name of the cookie that stores the referral code

app/auth/views/proton.py

@@ -137,7 +137,7 @@ def proton_callback():
         return redirect(url_for("auth.login"))
 
     if res.redirect:
-        return after_login(res.user, res.redirect)
+        return after_login(res.user, res.redirect, login_from_proton=True)
 
     next_url = session.get("oauth_next")
-    return after_login(res.user, next_url)
+    return after_login(res.user, next_url, login_from_proton=True)

templates/dashboard/enter_sudo.html

@@ -19,9 +19,7 @@
       {% if connect_with_proton %}
 
         <div class="my-3">
-          <p>
-            Alternatively you can use your Proton credentials to ensure it's you.
-          </p>
+          <p>Alternatively you can use your Proton credentials to ensure it's you.</p>
         </div>
         <a class="btn btn-primary btn-block mt-2 proton-button w-25"
            href="{{ url_for("auth.proton_login", next=next) }}">