Allow to login with proton to enter sudo mode (#1141)

* Allow to login with proton to enter sudo mode * Updated wording * lint * Only enabled if the user has the account linked * Add exit-sudo route for tests Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>
2022-07-04 16:09:36 +02:00 · 2022-07-04 16:09:36 +02:00 · c2bb6488e4
parent 046748c443
commit c2bb6488e4
6 changed files with 41 additions and 1 deletions
--- a/app/auth/views/fido.py
+++ b/app/auth/views/fido.py
@ -1,5 +1,6 @@
 import json
 import secrets
+from time import time

 import webauthn
 from flask import (
@ -107,6 +108,7 @@ def fido():
            Session.commit()
            del session[MFA_USER_ID]

+            session["sudo_time"] = int(time())
            login_user(user)
            flash(f"Welcome back!", "success")

--- a/app/auth/views/login_utils.py
+++ b/app/auth/views/login_utils.py
@ -1,3 +1,4 @@
+from time import time
 from typing import Optional

 from flask import session, redirect, url_for, request
@ -31,6 +32,7 @@ def after_login(user, next_url):
    else:
        LOG.d("log user %s in", user)
        login_user(user)
+        session["sudo_time"] = int(time())

        # User comes to login page from another page
        if next_url:
--- a/app/dashboard/views/enter_sudo.py
+++ b/app/dashboard/views/enter_sudo.py
@ -8,6 +8,8 @@ from wtforms import PasswordField, validators

 from app.dashboard.base import dashboard_bp
 from app.log import LOG
+from app.models import PartnerUser
+from app.proton.utils import is_connect_with_proton_enabled, get_proton_partner
 from app.utils import sanitize_next_url

 _SUDO_GAP = 900
@ -39,8 +41,18 @@ def enter_sudo():
        else:
            flash("Incorrect password", "warning")

+    proton_enabled = is_connect_with_proton_enabled()
+    if proton_enabled:
+        # Only for users that have the account linked
+        partner_user = PartnerUser.get_by(user_id=current_user.id)
+        if not partner_user or partner_user.partner_id != get_proton_partner().id:
+            proton_enabled = False
+
    return render_template(
-        "dashboard/enter_sudo.html", password_check_form=password_check_form
+        "dashboard/enter_sudo.html",
+        password_check_form=password_check_form,
+        next=request.args.get("next"),
+        connect_with_proton=proton_enabled,
    )


--- a/app/internal/init.py
+++ b/app/internal/init.py
@ -1 +1,2 @@
 from .integrations import set_enable_proton_cookie
+from .exit_sudo import exit_sudo_mode
--- a/app/internal/exit_sudo.py
+++ b/app/internal/exit_sudo.py
@ -0,0 +1,10 @@
+from flask import session, redirect, url_for, flash
+
+from app.internal.base import internal_bp
+
+
+@internal_bp.route("/exit-sudo-mode")
+def exit_sudo_mode():
+    session["sudo_time"] = 0
+    flash("Exited sudo mode", "info")
+    return redirect(url_for("dashboard.index"))
--- a/templates/dashboard/enter_sudo.html
+++ b/templates/dashboard/enter_sudo.html
@ -16,6 +16,19 @@
        {{ render_field_errors(password_check_form.password) }}
        <button class="btn btn-lg btn-danger mt-2">Submit</button>
      </form>
+      {% if connect_with_proton %}
+
+        <div class="my-3">
+          <p>
+            Alternatively you can use your Proton credentials to ensure it's you.
+          </p>
+        </div>
+        <a class="btn btn-primary btn-block mt-2 proton-button w-25"
+           href="{{ url_for("auth.proton_login", next=next) }}">
+          <img class="mr-2" src="/static/images/proton.svg" />
+          Authenticate with Proton
+        </a>
+      {% endif %}
    </div>
  </div>
 {% endblock %}