def tfa_generate_recovery_codes_post_(request):
# Extract parameters from the form
verify_checkbox = 'verify' in request.params
tfaresponse = request.params['tfaresponse']
tfarecoverycodes = _get_recovery_codes_from_session()
# Does the user want to save the new recovery codes?
if verify_checkbox:
if tfa.verify(request.userid, tfaresponse,
consume_recovery_code=False):
if tfa.store_recovery_codes(request.userid, tfarecoverycodes):
# Clean up the stored session variables
_cleanup_session()
# Successfuly stored new recovery codes.
raise HTTPSeeOther(location="/control/2fa/status")
else:
# Recovery code string was corrupted or otherwise altered.
raise WeasylError("Unexpected")
else:
return Response(
define.webpage(
request.userid,
"control/2fa/generate_recovery_codes.html",
[tfarecoverycodes.split(','), "2fa"],
title="Generate Recovery Codes: Save New Recovery Codes"))
elif not verify_checkbox:
return Response(
define.webpage(
request.userid,
"control/2fa/generate_recovery_codes.html",
[tfarecoverycodes.split(','), "verify"],
title="Generate Recovery Codes: Save New Recovery Codes"))
def tfa_generate_recovery_codes_post_(request):
# Extract parameters from the form
verify_checkbox = 'verify' in request.params
tfaresponse = request.params['tfaresponse']
tfarecoverycodes = _get_recovery_codes_from_session()
# Does the user want to save the new recovery codes?
if verify_checkbox:
if tfa.verify(request.userid, tfaresponse, consume_recovery_code=False):
if tfa.store_recovery_codes(request.userid, tfarecoverycodes):
# Clean up the stored session variables
_cleanup_session()
# Successfuly stored new recovery codes.
raise HTTPSeeOther(location="/control/2fa/status")
else:
# Recovery code string was corrupted or otherwise altered.
raise WeasylError("Unexpected")
else:
return Response(define.webpage(request.userid, "control/2fa/generate_recovery_codes.html", [
tfarecoverycodes.split(','),
"2fa"
], title="Generate Recovery Codes: Save New Recovery Codes"))
elif not verify_checkbox:
return Response(define.webpage(request.userid, "control/2fa/generate_recovery_codes.html", [
tfarecoverycodes.split(','),
"verify"
], title="Generate Recovery Codes: Save New Recovery Codes"))
def test_verify():
user_id = db_utils.create_user()
tfa_secret = pyotp.random_base32()
tfa_secret_encrypted = tfa._encrypt_totp_secret(tfa_secret)
totp = pyotp.TOTP(tfa_secret)
_insert_2fa_secret(user_id, tfa_secret_encrypted)
_insert_recovery_code(user_id)
# Codes of any other length than tfa.LENGTH_TOTP_CODE or tfa.LENGTH_RECOVERY_CODE returns False
assert not tfa.verify(user_id, "a" * 5)
assert not tfa.verify(user_id, "a" * 21)
# TOTP token matches current expected value (Successful Verification)
tfa_response = totp.now()
assert tfa.verify(user_id, tfa_response)
# TOTP token with space successfully verifies, as some authenticators show codes like
# "123 456"; verify strips all spaces. (Successful Verification)
tfa_response = totp.now()
# Now split the code into a space separated string (e.g., u"123 456")
tfa_response = tfa_response[:3] + ' ' + tfa_response[3:]
assert tfa.verify(user_id, tfa_response)
# TOTP token does not match current expected value (Unsuccessful Verification)
assert not tfa.verify(user_id, "000000")
# Recovery code does not match stored value (Unsuccessful Verification)
assert not tfa.verify(user_id, "z" * tfa.LENGTH_RECOVERY_CODE)
# Recovery code matches a stored recovery code (Successful Verification)
assert tfa.verify(user_id, recovery_code)
# Recovery codes are case-insensitive (Successful Verification)
_insert_recovery_code(user_id)
assert tfa.verify(user_id, recovery_code.lower())
# Recovery codes are consumed upon use (consumed previously) (Unsuccessful Verification)
assert not tfa.verify(user_id, recovery_code)
# When parameter `consume_recovery_code` is set to False, a recovery code is not consumed.
_insert_recovery_code(user_id)
assert tfa.get_number_of_recovery_codes(user_id) == 1
assert tfa.verify(user_id,
'a' * tfa.LENGTH_RECOVERY_CODE,
consume_recovery_code=False)
assert tfa.get_number_of_recovery_codes(user_id) == 1
def test_verify():
user_id = db_utils.create_user()
tfa_secret = pyotp.random_base32()
tfa_secret_encrypted = tfa._encrypt_totp_secret(tfa_secret)
totp = pyotp.TOTP(tfa_secret)
_insert_2fa_secret(user_id, tfa_secret_encrypted)
_insert_recovery_code(user_id)
# Codes of any other length than tfa.LENGTH_TOTP_CODE or tfa.LENGTH_RECOVERY_CODE returns False
assert not tfa.verify(user_id, "a" * 5)
assert not tfa.verify(user_id, "a" * 21)
# TOTP token matches current expected value (Successful Verification)
tfa_response = totp.now()
assert tfa.verify(user_id, tfa_response)
# TOTP token with space successfully verifies, as some authenticators show codes like
# "123 456"; verify strips all spaces. (Successful Verification)
tfa_response = totp.now()
# Now split the code into a space separated string (e.g., u"123 456")
tfa_response = tfa_response[:3] + ' ' + tfa_response[3:]
assert tfa.verify(user_id, tfa_response)
# TOTP token does not match current expected value (Unsuccessful Verification)
assert not tfa.verify(user_id, "000000")
# Recovery code does not match stored value (Unsuccessful Verification)
assert not tfa.verify(user_id, "z" * tfa.LENGTH_RECOVERY_CODE)
# Recovery code matches a stored recovery code (Successful Verification)
assert tfa.verify(user_id, recovery_code)
# Recovery codes are case-insensitive (Successful Verification)
_insert_recovery_code(user_id)
assert tfa.verify(user_id, recovery_code.lower())
# Recovery codes are consumed upon use (consumed previously) (Unsuccessful Verification)
assert not tfa.verify(user_id, recovery_code)
# When parameter `consume_recovery_code` is set to False, a recovery code is not consumed.
_insert_recovery_code(user_id)
assert tfa.get_number_of_recovery_codes(user_id) == 1
assert tfa.verify(user_id, 'a' * tfa.LENGTH_RECOVERY_CODE, consume_recovery_code=False)
assert tfa.get_number_of_recovery_codes(user_id) == 1
def signin_2fa_auth_post_(request):
sess = define.get_weasyl_session()
# Only render page if the password has been authenticated (we have a UserID stored in the session)
if '2fa_pwd_auth_userid' not in sess.additional_data:
return Response(define.errorpage(request.userid, errorcode.permission))
tfa_userid = sess.additional_data['2fa_pwd_auth_userid']
session_life = arrow.now(
).timestamp - sess.additional_data['2fa_pwd_auth_timestamp']
if session_life > 300:
# Maximum secondary authentication time: 5 minutes
_cleanup_2fa_session()
return Response(
define.errorpage(
request.userid, errorcode.
error_messages['TwoFactorAuthenticationAuthenticationTimeout'],
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
elif two_factor_auth.verify(tfa_userid, request.params["tfaresponse"]):
# 2FA passed, so login and cleanup.
_cleanup_2fa_session()
login.signin(tfa_userid)
ref = request.params["referer"] or "/"
# User is out of recovery codes, so force-deactivate 2FA
if two_factor_auth.get_number_of_recovery_codes(tfa_userid) == 0:
two_factor_auth.force_deactivate(tfa_userid)
return Response(
define.errorpage(
tfa_userid, errorcode.error_messages[
'TwoFactorAuthenticationZeroRecoveryCodesRemaining'],
[["2FA Dashboard", "/control/2fa/status"],
["Return to the Home Page", "/"]]))
# Return to the target page, restricting to the path portion of 'ref' per urlparse.
raise HTTPSeeOther(location=urlparse.urlparse(ref).path)
elif sess.additional_data['2fa_pwd_auth_attempts'] >= 5:
# Hinder brute-forcing the 2FA token or recovery code by enforcing an upper-bound on 2FA auth attempts.
_cleanup_2fa_session()
return Response(
define.errorpage(
request.userid, errorcode.error_messages[
'TwoFactorAuthenticationAuthenticationAttemptsExceeded'],
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
else:
# Log the failed authentication attempt to the session and save
sess.additional_data['2fa_pwd_auth_attempts'] += 1
sess.save = True
# 2FA failed; redirect to 2FA input page & inform user that authentication failed.
return Response(
define.webpage(
request.userid,
"etc/signin_2fa_auth.html", [
define.get_display_name(tfa_userid),
request.params["referer"],
two_factor_auth.get_number_of_recovery_codes(tfa_userid),
"2fa"
],
title="Sign In - 2FA"))
def signin_2fa_auth_post_(request):
sess = define.get_weasyl_session()
# Only render page if the session exists //and// the password has
# been authenticated (we have a UserID stored in the session)
if not sess.additional_data or '2fa_pwd_auth_userid' not in sess.additional_data:
return Response(define.errorpage(request.userid, errorcode.permission))
tfa_userid = sess.additional_data['2fa_pwd_auth_userid']
session_life = arrow.now().timestamp - sess.additional_data['2fa_pwd_auth_timestamp']
if session_life > 300:
# Maximum secondary authentication time: 5 minutes
_cleanup_2fa_session()
return Response(define.errorpage(
request.userid,
errorcode.error_messages['TwoFactorAuthenticationAuthenticationTimeout'],
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]
))
elif two_factor_auth.verify(tfa_userid, request.params["tfaresponse"]):
# 2FA passed, so login and cleanup.
_cleanup_2fa_session()
login.signin(request, tfa_userid, ip_address=request.client_addr, user_agent=request.user_agent)
ref = request.params["referer"] or "/"
# User is out of recovery codes, so force-deactivate 2FA
if two_factor_auth.get_number_of_recovery_codes(tfa_userid) == 0:
two_factor_auth.force_deactivate(tfa_userid)
return Response(define.errorpage(
tfa_userid,
errorcode.error_messages['TwoFactorAuthenticationZeroRecoveryCodesRemaining'],
[["2FA Dashboard", "/control/2fa/status"], ["Return to the Home Page", "/"]]
))
# Return to the target page, restricting to the path portion of 'ref' per urlparse.
raise HTTPSeeOther(location=urlparse.urlparse(ref).path)
elif sess.additional_data['2fa_pwd_auth_attempts'] >= 5:
# Hinder brute-forcing the 2FA token or recovery code by enforcing an upper-bound on 2FA auth attempts.
_cleanup_2fa_session()
return Response(define.errorpage(
request.userid,
errorcode.error_messages['TwoFactorAuthenticationAuthenticationAttemptsExceeded'],
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]
))
else:
# Log the failed authentication attempt to the session and save
sess.additional_data['2fa_pwd_auth_attempts'] += 1
sess.save = True
# 2FA failed; redirect to 2FA input page & inform user that authentication failed.
return Response(define.webpage(
request.userid,
"etc/signin_2fa_auth.html",
[define.get_display_name(tfa_userid), request.params["referer"], two_factor_auth.get_number_of_recovery_codes(tfa_userid),
"2fa"], title="Sign In - 2FA"))