From 4208ba379f81c6569bb288ee160c75543dd7e786 Mon Sep 17 00:00:00 2001
From: Son NK
Date: Fri, 3 Jan 2020 23:42:35 +0100
Subject: [PATCH] Fix user could go to MFA page directly

---
 app/auth/views/mfa.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/app/auth/views/mfa.py b/app/auth/views/mfa.py
index cc21727d..6565664c 100644
--- a/app/auth/views/mfa.py
+++ b/app/auth/views/mfa.py
@@ -17,11 +17,18 @@ class OtpTokenForm(FlaskForm):
 
 @auth_bp.route("/mfa", methods=["GET", "POST"])
 def mfa():
     # passed from login page
-    user_id = session[MFA_USER_ID]
+    user_id = session.get(MFA_USER_ID)
+
+    # user access this page directly without passing by login page
+    if not user_id:
+        flash("Unknown error, redirect back to main page", "warning")
+        return redirect(url_for("dashboard.index"))
+
     user = User.get(user_id)
-    if not user.enable_otp:
-        raise Exception("Only user with MFA enabled should go to this page. %s", user)
+    if not (user and user.enable_otp):
+        flash("Only user with MFA enabled should go to this page", "warning")
+        return redirect(url_for("dashboard.index"))
 
     otp_token_form = OtpTokenForm()
     next_url = request.args.get("next")
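Review bot: The second new branch (`if not (user and user.enable_otp)`) leaves `MFA_USER_ID` in the session when it redirects, so a user id that points to a deleted account or to an account whose MFA has since been disabled is kept around and re-read on every later visit to /mfa; it should be cleared before bailing out, e.g. `session.pop(MFA_USER_ID, None)` right before `return redirect(url_for("dashboard.index"))` in both branches. The first branch's `if not user_id:` also treats a stored id of 0 as "missing" — if user ids can be 0 (not visible here), `if user_id is None:` is the precise test. The "Unknown error" flash message is misleading for what is a normal "no login in progress" case; something like `flash("Please log in first", "warning")` describes the condition. mfa() continues past the hunk, so whether the key is popped after a successful OTP check cannot be confirmed from here.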