def is_correct_two_factor_code(self, code: str) -> bool: """Verify that a TOTP/backup code is correct.""" if not self.two_factor_secret: raise ValueError("User does not have 2FA enabled") totp = TOTP(self.two_factor_secret) code = code.strip().replace(" ", "").lower() # some possible user input (such as unicode) can cause an error in the totp # library, catch that and treat it the same as an invalid code try: is_valid_code = totp.verify(code) except TypeError: is_valid_code = False if is_valid_code: return True elif self.two_factor_backup_codes and code in self.two_factor_backup_codes: # Need to set the attribute so SQLAlchemy knows it changed self.two_factor_backup_codes = [ backup_code for backup_code in self.two_factor_backup_codes if backup_code != code ] return True return False
def auth(): if not current_user.can_admin: abort(404) form = TOTPForm() try: user_secret = UserMetadata.get((UserMetadata.uid == current_user.uid) & (UserMetadata.key == 'totp_secret')) except UserMetadata.DoesNotExist: return engine.get_template('admin/totp.html').render({ 'authform': form, 'error': _('No TOTP secret found.') }) if form.validate_on_submit(): totp = TOTP(user_secret.value) if totp.verify(form.totp.data): session['apriv'] = time.time() return redirect(url_for('admin.index')) else: return engine.get_template('admin/totp.html').render({ 'authform': form, 'error': _('Invalid or expired token.') }) return engine.get_template('admin/totp.html').render({ 'authform': form, 'error': None })
def index(): if request.method == "POST": totp = TOTP(app.config["TOTP_SECRET"]) if "authcode" not in request.form: flash("Missing OTP", 'error') return redirect(request.url) if not totp.verify(request.form["authcode"]): flash("Incorrect OTP", "error") return redirect(request.url) if not request.files: flash("No files field", "error") return redirect(request.url) files = (f for f in request.files.getlist("files") if f.filename != "") if not files: flash("No files specified", "error") return redirect(request.url) for file in files: file.save(os.path.join(app.config["UPLOAD_DIR"], file.filename)) flash("Files uploaded correctly!", "success") return redirect("/drop") return render_template("drop.html")
def verify(self, user_name, object_dn, key): # Do we have read permissions for the requested attribute self.__check_acl(user_name, object_dn, "r") # Get the object for the given dn uuid = self.__dn_to_uuid(object_dn) factor_method = self.get_method_from_user(uuid) user_settings = self.__settings[uuid] if uuid in self.__settings else {} if factor_method == "otp": totp = TOTP(user_settings.get('otp_secret')) return totp.verify(key) elif factor_method == "u2f": challenge = user_settings.pop('_u2f_challenge_') data = loads(key) device, c, t = complete_authentication(challenge, data, [self.facet]) return { 'keyHandle': device['keyHandle'], 'touch': t, 'counter': c } elif factor_method is None: return True return False
def verify(self, user_name, object_dn, key): # Do we have read permissions for the requested attribute self.__check_acl(user_name, object_dn, "r") # Get the object for the given dn uuid = self.__dn_to_uuid(object_dn) factor_method = self.get_method_from_user(uuid) user_settings = self.__settings[ uuid] if uuid in self.__settings else {} if factor_method == "otp": totp = TOTP(user_settings.get('otp_secret')) return totp.verify(key) elif factor_method == "u2f": challenge = user_settings.pop('_u2f_challenge_') data = loads(key) device, c, t = complete_authentication(challenge, data, [self.facet]) return {'keyHandle': device['keyHandle'], 'touch': t, 'counter': c} elif factor_method is None: return True return False
def verify(self, user_name, object_dn, key): # Do we have read permissions for the requested attribute self.__check_acl(user_name, object_dn, "r") # Get the object for the given dn user = ObjectProxy(object_dn) factor_method = self.get_method_from_user(user) user_settings = self.__settings[ user.uuid] if user.uuid in self.__settings else {} if factor_method == "otp": totp = TOTP(user_settings.get('otp_secret')) return totp.verify(key) elif factor_method == "u2f": devices = [ DeviceRegistration.wrap(device) for device in user_settings.get('_u2f_devices_', []) ] challenge = user_settings.pop('_u2f_challenge_') data = loads(key) c, t = verify_authenticate(devices, challenge, data, [self.facet]) return {'touch': t, 'counter': c} elif factor_method is None: return True return False
def verify(self, user_name, object_dn, key): # Do we have read permissions for the requested attribute self.__check_acl(user_name, object_dn, "r") # Get the object for the given dn user = ObjectProxy(object_dn) factor_method = self.get_method_from_user(user) user_settings = self.__settings[user.uuid] if user.uuid in self.__settings else {} if factor_method == "otp": totp = TOTP(user_settings.get('otp_secret')) return totp.verify(key) elif factor_method == "u2f": devices = [DeviceRegistration.wrap(device) for device in user_settings.get('_u2f_devices_', [])] challenge = user_settings.pop('_u2f_challenge_') data = loads(key) c, t = verify_authenticate(devices, challenge, data, [self.facet]) return { 'touch': t, 'counter': c } elif factor_method is None: return True return False
def OTP(request): getd = unquote(request.GET.get('key')) signerverify = signer.unsign(getd, max_age=int(settings.PYADSELFSERVICE_STOUT)) if request.method == 'POST': form = renderotp(request.POST) if form.is_valid(): base32 = calc_base32(signerverify) totp = TOTP(base32) otp = totp.verify(form.cleaned_data['otp'], valid_window=5) data = signer.sign(signerverify) if otp == True: return HttpResponseRedirect('/resetpass?key=' + quote(data)) return render(request, 'index.html', {'form': renderotp()})
def validate_code(self, code): from pyotp import TOTP if not self.request.session.get('secret_key_activated', False): raise serializers.ValidationError( 'You did not activated google authenticator', code=constants.GOOGLE_OTP_NOT_ACTIVATED_CODE) totp = TOTP(self.request.session['temp_otp_secret_key']) if not totp.verify(code, valid_window=1): raise serializers.ValidationError( 'Code is incorrect', code=constants.GOOGLE_OTP_INVALID_CODE) return code
def verifyOTP(self, otp, transaction_key): # emsg=pbkdf2_sha256.encrypt(self.publicKey, rounds=12000, salt_size=32) baseForOtp = self.baseForOtp print(baseForOtp) print("base", type(baseForOtp)) print(self.otp_value) print(otp) pot = TOTP(baseForOtp, interval=120) value = pot.verify(otp) print('value', value) if not value: return value try: key = self.user.keylist_set.all().filter(key=transaction_key) except Exception as e: print(e) return False if len(key) != 0: return False key = keyList(key=transaction_key, user=self.user) print(key) key.save() print(self.publicKey) try: flag = pbkdf2_sha256.verify(self.publicKey, transaction_key) print(flag) print(self.publicKey) except: print("Exception in key") return False return pot.verify(otp) and flag
def get(self, request, totp): chatrooms = Chatroom.objects.all() for chatroom in chatrooms: salt = chatroom.salt validator = TOTP(salt) if validator.verify(totp): data = ChatroomSerializer(chatroom).data token = jwt.encode(data, SECRET_KEY) body = {"token": token} body.update( serializer_to_body(ChatroomSerializer, chatroom, "chatroom")) return Response(body, status=status.HTTP_200_OK) return Response(status=status.HTTP_403_FORBIDDEN)
def authenticate(self, request=None, **kwargs): """Check form validity.""" django_version = tuple( [int(s) for s in django.get_version().split(".")]) otp_auth = kwargs.pop("otp_auth", None) auth_user = partial( super(OTPAuthenticationBackend, self).authenticate, **kwargs) user = auth_user() if django_version < (1, 11) else auth_user(request) if hasattr(user, "otp_secret"): auth_provider = TOTP(user.otp_secret.secret) if not auth_provider.verify(otp_auth): user = None return user
def clean(self): super().clean() if self.errors: return if self.user.has_mfa_enabled(): raise self.get_mfa_set_up_error() totp = TOTP(self.cleaned_data.get('secret', '')) if totp.verify(self.cleaned_data.get('code')): return raise self.get_invalid_mfa_error()
def verify_otp(shared_key, code): try: app.logger.info(f'Shared key: {shared_key}, Code: {code}') totp = TOTP(shared_key, interval=interval) result = totp.verify(code) app.logger.info(f'Is otp code {code} valid? {result}') if (result): return ('Valid', 200) return ('Code not valid', 400) except Exception as error: app.logger.error(f'Exception {error}') return ('Error', 500)
def auth(userID,OTP,path = 'Unknow'): from pyotp import TOTP from setting import OTPAdminLOG, Log_t_format from time import strftime, localtime as now User = OTPKeys[int(userID)] OTPi = TOTP(User[1]) f = open(OTPAdminLOG,'a') if (OTPi.verify(OTP)): f.writelines( strftime(Log_t_format,now())+"\t"+path+"\tAuthencate Successful\n" ) f.close() return True else: f.writelines( strftime(Log_t_format,now())+"\t"+path+"\tAuthencate Failed!!!!\n" ) f.close() return False
def authenticate(self, user_id, key, **kwargs): totp = TOTP(user_id) if not totp.verify(key): raise AuthenticationError("TOTP taped token is not valid.") logger.info( "TOTP Token for user {} successfully verified.".format(user_id)) # If the SSOProfile is not yet in MongoDB, set-it app_id = kwargs['app'] app_name = kwargs['app_name'] backend_id = kwargs['backend'] login = kwargs['login'] try: aes = AESCipher("{}{}{}{}{}".format(SECRET_KEY, app_id, backend_id, login, "totp")) encrypted_field = aes.key.hex() sso_profile = SSOProfile.objects.filter( encrypted_name=encrypted_field, login=login).first() if sso_profile: decrypted_value = sso_profile.get_data( sso_profile.encrypted_value, app_id, backend_id, login, "totp") if decrypted_value: logger.debug( "TOTP token for user '{}' retrieven from database.". format(login)) return True # SSOProfile not found -> Create it sso_profile = SSOProfile() sso_profile.set_data( app_id, app_name, backend_id, BaseAbstractRepository.search_repository( ObjectId(backend_id)).repo_name, login, "totp", user_id) logger.info( "TOTP token for user {} stored in database.".format(login)) # Save in Mongo sso_profile.store() except Exception as e: logger.exception(e) raise e return True
def token_valid(request, secret_key): totp = TOTP(secret_key) try: if (request.method == 'POST' and 'token' in request.POST): # Load the payload into a dictionary. raw_payload = request.read() payload = dict( item.split("=") for item in raw_payload.decode('utf8').split("&")) if (totp.verify(payload['token'])): return True except Exception as e: print(e) else: return False
def verify_credentials(self, principal, credentials): code = credentials['code'] from ..models import _tznow from ..models import OneTimePasswordCredential from pyotp import TOTP try: otp_credential = self._credential_directory.credentials.get( principal=principal, valid_from__lte=_tznow(), valid_till__gte=_tznow()) secret_key = otp_credential.salt.decode() totp = TOTP(secret_key, interval=200) if totp.verify(code, valid_window=1): return True except OneTimePasswordCredential.DoesNotExist: pass return False
def check_totp(totp, key): """Retruns true if totp is a valid TOTP Key word arguments: totp - The six digits provided by a TOTP app or function. key - API key. Output: Bool value based on whether or not the six_digits are the valid TOTP for the 30 second window.""" pwd_file = open(u_file, 'r', encoding='ascii') reader = DictReader(pwd_file) # Performing input validation. if validate_totp(totp) and validate_api_key(key): for row in reader: # Checking the TOTP value if key == row['apikey'] and int(row['fl_count']) <= 9: MFA = TOTP(row['totp']) if MFA.verify(totp): return True else: return False else: return False
def is_valid_otp(otp, instance, interval=OTP_INTERVAL.OTP_LIVE_TIME, for_time=None): """ :param otp: :param otp_instance: :param interval: :param for_time: :return: boolean """ if not instance.can_check_otp(): raise LimitedException if not instance or not instance.signature: return False signature = instance.signature key = generate_secret_key(signature) totp = TOTP(key, interval=interval) if for_time is None: for_time = datetime.datetime.now().replace(microsecond=0) # TODO: Logger for generated OTP code return totp.verify(otp, for_time, valid_window=1)
def validate_code(form, field): totp = TOTP(form.secret.data) if not totp.verify(field.data, valid_window=1): raise ValidationError(_('The code is wrong, please try again.'))
def authenticate(self, user_id, key): logger.debug("") totp = TOTP(user_id) if not totp.verify(key): raise AuthenticationError("TOTP taped token is not valid.") return True
class Safe(): """Stores the encrypted password for a determined period. This class stores the enctypted password, provides a passphrase and token and returns the encrypted password when provided the valid token""" def __init__(self): pass def encrypt(self, password, minutes): """Encrypts the user password. Parameters ---------- password : str The password to encrypt minutes : int The validity period, in minutes, of the TOTP token used to retreive the encrypted password. Returns ------- passphrase : str The passhprase used to derive the encryption key. token : str The TOTP token required to retreive the encrypted password. """ self._window = 60 * int(minutes) # Generate TOTP source self._totp = TOTP(random_base32(), interval=1) # Generate TOTP token token = self._totp.now() # Generate passphrase and derive key from passphrase passphrase = Passphrase().generate(PASSPHRASE_N_WORDS) key = _generate_key(passphrase) # Encrypt password using key f = Fernet(key) self._password = f.encrypt(password.encode('utf-8')) return passphrase, token def get_password(self, token): """Returns the encrypted password, provided a valid TOTP token. Parameters ---------- token : str The TOTP token required to retreive the encrypted password. Returns ------- password : str The encrypted password. Raises ------ InvalidToken If the provided TOTP token is invalid or expired. """ token = token.replace(' ', '') if self._totp.verify(token, valid_window=self._window): return self._password else: raise InvalidToken('Invalid TOTP token.')