def verify_token(user, device_id, token):
"""
Attempts to verify a :term:`token` against a specific device, identified by
:attr:`~django_otp.models.Device.persistent_id`.
This wraps the verification process in a transaction to ensure that things
like throttling polices are properly enforced.
:param user: The user supplying the token.
:type user: :class:`~django.contrib.auth.models.User`
:param str device_id: A device's persistent_id value.
:param str token: An OTP token to verify.
:returns: The device that accepted ``token``, if any.
:rtype: :class:`~django_otp.models.Device` or ``None``
"""
from django_otp.models import Device
verified = None
with transaction.atomic():
device = Device.from_persistent_id(device_id, for_verify=True)
if (device
is not None) and (device.user_id
== user.pk) and device.verify_token(token):
verified = device
return verified
def clean(self):
self.cleaned_data = super(CustomOTPAdminAuthenticationForm,
self).clean()
user = self.get_user()
token = self.cleaned_data.get('otp_token', None)
if token is None or token == '':
# added otp_device field (for this project, only with Email device)
self._update_form(user)
try:
# get EmailDevice object related with current user by device ID
device = Device.from_persistent_id(
# device_choices return[('otp_email.emaildevice/1','mail')]
self.device_choices(user)[0][0])
except Exception as e:
print(e)
raise ValidationError(
message="Вашему аккаунту не подлючено 2FA")
# generate Token and send user's email
self._handle_challenge(device)
# clean and verify Token
self.clean_otp(self.get_user())
return self.cleaned_data
def _device_from_persistent_id(self, persistent_id):
# Convert legacy persistent_id values (these used to be full import
# paths). This won't work for apps with models in sub-modules, but that
# should be pretty rare. And the worst that happens is the user has to
# log in again.
if persistent_id.count('.') > 1:
parts = persistent_id.split('.')
persistent_id = '.'.join((parts[-3], parts[-1]))
device = Device.from_persistent_id(persistent_id)
return device
def verify_user(self, request, user):
header = self.get_header(request)
raw_token = self.get_raw_token(header)
validated_token = self.get_validated_token(raw_token)
url_exceptions = (reverse("v2:account-tfa-verify-code"), )
if request.path in url_exceptions:
return
if constants.TFA_DEVICE_TOKEN_KEY in validated_token:
device_id = validated_token[constants.TFA_DEVICE_TOKEN_KEY]
device = Device.from_persistent_id(device_id)
if device is not None and device.user_id == user.pk:
return
raise NotVerified
def otp_is_verified(request):
"""
Helper to determine if user has verified OTP.
"""
auth = JSONWebTokenAuthentication()
jwt_value = auth.get_jwt_value(request)
if jwt_value is None:
return False
payload = jwt_decode_handler(jwt_value)
persistent_id = payload.get('otp_device_id')
if persistent_id:
device = Device.from_persistent_id(persistent_id)
if device is not None and device.user_id != request.user.id:
return False
# Valid device in JWT
return True
return False
def _verify_user(self, request, user):
"""
Sets OTP-related fields on an authenticated user.
"""
device = None
if user.is_single_factor_authenticated:
persistent_id = request.session.get(DEVICE_ID_SESSION_KEY)
if persistent_id:
device = Device.from_persistent_id(persistent_id)
# Ensure the device belongs to the user.
if device is not None and device.user_id != user.pk:
device = None
if device is None and DEVICE_ID_SESSION_KEY in request.session:
del request.session[DEVICE_ID_SESSION_KEY]
user.otp_device = device
return user
def _verify_user(self, request, user):
"""
Sets OTP-related fields on an authenticated user.
"""
user.otp_device = None
user.is_verified = functools.partial(is_verified, user)
if _user_is_authenticated(user):
device_id = request.session.get(DEVICE_ID_SESSION_KEY)
device = Device.from_persistent_id(
device_id) if device_id else None
if (device is not None) and (device.user_id != user.id):
device = None
if (device is None) and (DEVICE_ID_SESSION_KEY in request.session):
del request.session[DEVICE_ID_SESSION_KEY]
user.otp_device = device
return user
def otp_is_verified(self, request):
"""
Helper to determine if user has verified OTP.
:param self:
:param request:
:return: TRUE or FALSE
"""
auth = JSONWebTokenAuthentication()
jwt_value = auth.get_jwt_value(request)
if jwt_value is None:
return False
payload = jwt_decode_handler(jwt_value)
persistent_id = payload.get('otp_device_id')
if persistent_id:
device = Device.from_persistent_id(persistent_id)
if (device is not None) and (device.user_id != request.user.id):
return False
else:
# Valid device in JWT
return True
else:
return False