def setmfa(): user = User.query.filter_by(username=session.get("username")).first() if request.method == "GET": if not user.mfa_status: user.secret = get_secret() db.session.add(user) db.session.commit() return render_template("mfa.html", secret=user.secret, nickname=user.nickname) else: return render_template("closemfa.html") if request.method == "POST": onecode = request.form.get("onecode") twocode = request.form.get("twocode") # 判断身份宝验证码是否正确 if totp.valid_totp(token=twocode, secret=user.secret) and totp.valid_totp( token=onecode, secret=user.secret, clock=int(time.time()) - 30): if user.mfa_status == False: user.mfa_status = True else: user.mfa_status = False db.session.add(user) db.session.commit() return redirect(request.referrer) else: print(onecode, twocode) return redirect(request.referrer)
def post(self, request, format=None): valid = False user_id = request.data['userId'] verification_code = request.data['verificationCode'] user = BoxUsers.objects.annotate( bu_roleid=F('boxuserrole__boxRoles__br_id'), bu_fullname=Case(When(Q(bu_lastname=None) | Q(bu_lastname=''), then='bu_firstname'), default=Concat('bu_firstname', Value(' '), 'bu_lastname')), ).get(pk=user_id) box_user_info = BoxUserinfo.objects.filter(boxUsers__bu_id=user_id) if len(box_user_info) > 0: certify = box_user_info[0].ui_certify valid = otp.valid_totp(verification_code, certify) if valid is False: return Response({ 'code': Code.IMPROPER_CODE.value, 'message': Code.IMPROPER_CODE.name }) return login_success(request, user)
def test_validating_invalid_totp_for_same_secret(self): """ Test case when the same secret is used, but the token differs """ secret = b'MFRGGZDFMZTWQ2LK' with timecop.freeze(time.time()): self.assertFalse(valid_totp(get_totp(secret)+1, secret))
def test_validating_totp_for_same_secret(self): """ Check if validating TOTP generated for the same secret works """ secret = b'MFRGGZDFMZTWQ2LK' with timecop.freeze(time.time()): self.assertTrue(valid_totp(get_totp(secret), secret))
def login_totp(): nickname = request.forms.get('nickname') password = request.forms.get('password') totp = request.forms.get('totp') usuarios = db.users.find({'_id': nickname}) if usuarios.count() != 1: return template("errorUsuarioContrasenia.tpl") #Obtenermos al usuario: for i in usuarios: name = i['name'] saltNick = str(i['salt']) passwordNick = i['password'] seed = i['seed'] password = password + PEPPER #Hacemos la funcion hash dk = hashlib.pbkdf2_hmac('sha256', str.encode(password), str.encode(saltNick), 100000) password = binascii.hexlify(dk) #Una vez conseguida la contraseña la comparamos con la que haya metido el usuario. if password != passwordNick: return template("errorUsuarioContrasenia.tpl") #Validamos el TOTP valid_totp = onetimepass.valid_totp(token=totp, secret=seed) if valid_totp: return template("errorUsuarioContrasenia.tpl") else: return template('logeado.tpl', name=name)
def login_(totp=False): req_fields = ['nickname', 'password'] if totp: req_fields.append('totp') valid, data, msg = form_data(req_fields) if valid: # busca un usuario con ese id (nickname) r = c.find_one({'_id': data['nickname']}) # Si lo encuentra continua con las comprobaciones valid = False if r: # Verifica la contraseña pasada if argon2.verify(data['password'], r['password']): # Si ha entrado por /login y en la BD no tiene el campo totp (login normal) try: if not totp and not ('totp' in r.keys()): valid = True # Si ha entrado por /login_totp y en la BD existe el campo totp y este es válido (login con totp) elif totp and ('totp' in r.keys()) and otp.valid_totp(token=data['totp'], secret=r['totp']): valid = True except KeyError: pass if valid: msg = "Bienvenido " + r['name'] print(msg) return msg else: msg = "Usuario o contraseña incorrectos" print(msg) return msg else: msg = "Datos inválidos: " + msg print(msg) return msg
def totp_verify_token(userid, token): otp_secret = totp_get_secret_key(userid) if otp_secret == None: return False else: return onetimepass.valid_totp(token, otp_secret)
def login_totp(): username = str(request.forms.get('username')).lower() password = str(request.forms.get('password')).lower() totpCode = str(request.forms.get('totpCode')).lower() User = db.users.find_one({ "_id" : username }); if not User: # Username doesn't exists return template('result', message='Usuario o contraseña incorrectos'); if not validPassword(password, User['password']): # Old password doesnt match return template('result', message='Usuario o contraseña incorrectos'); token = totpCode secret = User['secretKey'] valid = otp.valid_totp(token, secret) if not valid: return template('result', message='Usuario o contraseña incorrectos') # For security reasons, remove secret Key and password # from the User Dictionary before return them to the view. del User['secretKey'] del User['password'] return template('welcome', user=User);
def test_validating_correct_hotp_as_totp(self): """ Check if valid TOTP will work as HOTP - should not work, unless for very big interval number (matching Unix epoch timestamp) """ secret = b'MFRGGZDFMZTWQ2LK' self.assertFalse(valid_totp(get_hotp(secret, 1), secret))
def dispatch_request(self, id): super(WalletUnlockView, self).dispatch_request(id) otpsetting = session.query(Setting).get('otpsecret') if otpsetting: form = OTPUnlockForm(request.form) secret = otpsetting.value otp_valid = otp.valid_totp(token=form.otp.data, secret=secret) else: form = UnlockForm(request.form) otp_valid = True if request.method == 'POST' and form.validate() and otp_valid: flash("OTP valid", "success") try: ret = self.conn.walletpassphrase(form.passphrase.data, form.timeout.data) flash('Wallet unlocked', 'success') return redirect( url_for('wallet.wallet_detail', id=self.wallet.id)) except WalletPassphraseIncorrect: flash('Passphrase incorrect', 'error') except WalletAlreadyUnlocked: flash('Wallet already unlocked', 'error') elif request.method == 'POST' and form.validate() and not otp_valid: flash("OTP invalid", "error") return render_template('wallet/wallet/unlock.html', wallet=self.wallet, form=form)
def verify_token(userid, token): otp_secret = get_secret_key(userid) if otp_secret == None: return False else: return onetimepass.valid_totp(token, otp_secret)
def register(request): if request.method == 'POST': from app.forms import UserForm user_form = UserForm(data=request.POST) if user_form.is_valid(): secureKey = request.POST['secureKey'] my_secret = request.POST['key'] if (otp.valid_totp(token=secureKey, secret=my_secret) == False): request.session[ 'message'] = 'the secure key is not correct please try again' return redirect("/") user = user_form.save() user.set_password(user.password) user.save() request.session['message'] = 'registration done please login' return redirect("/") else: request.session['error'] = user_form.errors return redirect("/")
def test_validating_invalid_totp_for_same_secret(self): """ Test case when the same secret is used, but the token differs """ secret = b'MFRGGZDFMZTWQ2LK' with timecop.freeze(time.time()): self.assertFalse(valid_totp(get_totp(secret) + 1, secret))
def post(self, request): user_id = request.data['userId'] certify = request.data['certify'] verification_code = request.data['verificationCode'] box_user_info = BoxUserinfo.objects.filter(boxUsers__bu_id=user_id) if len(box_user_info) > 0: user_info = box_user_info[0] user_certify = user_info.ui_certify if user_certify is not None and user_certify != '': certify = user_certify else: user = BoxUsers.objects.get(pk=user_id) user_info = BoxUserinfo.objects.create(boxUsers=user) valid = otp.valid_totp(verification_code, certify) if valid: user_info.ui_certify = certify user_info.save() return Response({'valid': valid})
def verify_otp(self, token): """ verifing the otp entered by user :param token: :return: """ return onetimepass.valid_totp(token, self.second_factor_c)
def dispatch_request(self, id): super(WalletUnlockView, self).dispatch_request(id) otpsetting = session.query(Setting).get('otpsecret') if otpsetting: form = OTPUnlockForm(request.form) secret = otpsetting.value otp_valid = otp.valid_totp(token=form.otp.data, secret=secret) else: form = UnlockForm(request.form) otp_valid = True if request.method == 'POST' and form.validate() and otp_valid: flash("OTP valid", "success") try: ret = self.conn.walletpassphrase(form.passphrase.data, form.timeout.data) flash('Wallet unlocked', 'success') return redirect(url_for('wallet.wallet_detail', id=self.wallet.id)) except WalletPassphraseIncorrect: flash('Passphrase incorrect', 'error') except WalletAlreadyUnlocked: flash('Wallet already unlocked', 'error') elif request.method == 'POST' and form.validate() and not otp_valid: flash("OTP invalid", "error") return render_template('wallet/wallet/unlock.html', wallet=self.wallet, form=form)
def post(self): cfg = self.application.config.get('deposit_agent') operator_id = self.current_user['id'] args = self.json_args auth_num = args.get('auth_num') type = args.get('type') secret = None ttl = 0 interval = 30 if type == 'approve': secret = cfg['op_secret'].get(operator_id) ttl = 60 * 60 interval = 30 elif type == 'quota': secret = cfg['secret'] ttl = 60 * 10 else: self.send_error(500) flag = otp.valid_totp(auth_num, secret, interval_length=interval, window=1) request_log.info('AUTH %s %s', type, flag) if flag: self.master.setex('auth:%s:%s' % (operator_id, type), ttl, 'ok') else: self.finish(json.dumps({'status': 'fail', 'msg': '认证码错误,请重新操作'})) return self.finish(json.dumps({'status': 'success'}))
def is_valid_token(self, token): """ Validates a time-based one-time password (TOTP) as generated by a user's 2fa application against the TOTP generated locally by the onetimepass module. Assuming the user generated a TOTP with a common shared one-time password secret (otp_secret), these passwords should match. """ return onetimepass.valid_totp(token, self.otp_secret)
def valid_otp(passwd, chat_id): my_secret = base64.b32encode(str(chat_id)) #my_secret = 'MFRGGZDFxMZTWQ2LK' got_token = passwd # should be probably from some user's input is_valid = otp.valid_totp(token=got_token, secret=my_secret, interval_length=300) return is_valid
def test_validating_correct_hotp_as_totp(self): """ Check if valid TOTP will work as HOTP - should not work, unless for very big interval number (matching Unix epoch timestamp) """ secret = b'MFRGGZDFMZTWQ2LK' with timecop.freeze(time.time()): self.assertFalse(valid_totp(get_hotp(secret, 1), secret))
def verify_mfa_setup_complete(self, token): ''' Once the user submits a TOTP that is correct enable MFA''' if onetimepass.valid_totp(token, self.otp_secret): self.mfa_enabled = True self.save() return True return False
def clean(self): username = self.cleaned_data.get('username') password = self.cleaned_data.get('password') otp = self.cleaned_data.get('otp') region = self.cleaned_data.get('region') tenant = self.cleaned_data.get('tenant') if not tenant: tenant = None if not (username and password): # Don't authenticate, just let the other validators handle it. return self.cleaned_data #trunglq add parser = argparse.ArgumentParser() parser.add_argument('-c',default='/etc/keystone/keystone.conf') options = parser.parse_args() conf_file_options = PropertyCollecter.collect_properties(open(options.c)) cflag=0 for k, v in sorted(conf_file_options.items()): if k=='connection': cflag=1 break if cflag==0: print "No connection string" return self.cleaned_data engine = create_engine(v[0]) connstring="select extra from user where name= '%s'" %(username) connection = engine.connect() result = connection.execute(connstring) rflag=0 for row in result: sk = json.loads(row['extra']) rflag=1 connection.close() if rflag==0: return self.cleaned_data else: try: my_secret=sk['secretkey'] if my_secret=='': self.user_cache = authenticate(request=self.request, username=username, password=password, tenant=tenant, auth_url=region) else: if onetimepass.valid_totp(token=otp, secret=my_secret): try: self.user_cache = authenticate(request=self.request, username=username, password=password, tenant=tenant, auth_url=region) except KeystoneAuthException as exc: self.request.session.flush() raise forms.ValidationError(exc) except Exception as err: self.user_cache = authenticate(request=self.request, username=username, password=password, tenant=tenant, auth_url=region) self.check_for_test_cookie() return self.cleaned_data
def verify_totp(self, token: str) -> bool: """ This method will return true if the totp secret is none, maybe 2fa has been enabled in the database without providing a totp secret by an admin """ ret = True if self.totp_secret: ret = onetimepass.valid_totp(token, self.totp_secret) return ret
def check_time_based_token(self): my_token = self.token my_secret = self.organization.secretKey if my_secret is None: raise Exception("Error during checking time-based token. The secret key of the Apigee organization %s is empty" % (self.organization.organizationName)) print("Checking the time-based token") is_valid = otp.valid_totp(token=my_token, secret=my_secret) print(is_valid) return is_valid
def validate(username, token): session = Session() user = session.query(User).filter(User.name == username).one() secret = user.otp_secret response = 'invalid' if otp.valid_totp(token=token, secret=secret): user.missed_alerts = 0 response = 'valid' session.commit() session.close() return response
def verifyuser(userid,token): db = DB() cur, status = db.query("select email, secret from Users where Id=%s",(userid,)) row = cur.fetchone() if row == None: #should never happen print "Invalid user entered" return False, None else: #print otp.valid_totp(token, row['secret']) return otp.valid_totp(token, row['secret']), row['email']
def authenticate(self, username=None, password=None, token=None): user = super(TOTPBackend, self).authenticate(username, password) try: secret = TOTPAuth.objects.get(user=user) except TOTPAuth.DoesNotExist: if token == None: return user else: return None is_valid = otp.valid_totp(token=token, secret=secret) if is_valid: return user
def login_totp(): nickname = request.forms.get('nickname') password = request.forms.get('password') totp = request.forms.get('totp') #Comprobamos que el usuario exista y que la contraseña introducida sea la correcta. user = get_user(nickname) if (not check_password(nickname, password) or not op.valid_totp(token=totp, secret=user['seed'])): result = "Usuario o contrase~na incorrectos" else: user = get_user(nickname) result = "Bienvenido " + user['name'] return template('result.tpl', msg=result)
def login(): if request.method=="POST": # GEt form fields username = request.form['username'] password_candidate = request.form['password'] if request.form.get('2FA_chekbox') != None: token_candidate = request.form['token'] else: token_candidate = None result = Rootdb.query.filter_by(username = username).first() or 0 if result: password = result.password token = result.secret if token_candidate != None and token!='None': condition = onetimepass.valid_totp(token_candidate, token) elif token!='None' and token_candidate == None: condition = False elif token_candidate != None and token == 'None': condition = False else: condition = True #app.logger.info(token) #Compare the password if sha256_crypt.verify(password_candidate,password) and condition: #app.logger.info("Password Matched") session['logged_in'] = True session['Name'] = result.name session['username'] = result.username flash("You are now logged in",'success') try: return redirect(url_for(session['faild_page'])) except: return redirect(url_for('dashboard')) else: error = "Invalid Credentials" return render_template('login.html', error=error) #app.logger.info("Password Does not Match",error=error) else: error = "Username not found" return render_template('login.html',error=error) #app.logger.info("No User",error=error) return render_template('login.html')
def authenticate(self, username=None, password=None, secureKey=None): """ Authenticate a user based onu sername, password and secureKey. """ try: User = get_user_model() user = User.objects.get(username=username) if user.check_password(password): my_secret = user.get_key() if( otp.valid_totp(token=secureKey, secret=my_secret) ): return user return None except User.DoesNotExist: return None return None
def verify_password(username, password): if "expire_at" in session: if dt.datetime.strptime( session.get("expire_at"), "%Y-%m-%dT%H:%M:%S.%fZ") <= dt.datetime.utcnow(): session.clear() return False else: return True check = onetimepass.valid_totp(password, app.config['TOTP_SECRET']) if check: session["auth"] = "totp" session["expire_at"] = (dt.datetime.utcnow() + dt.timedelta(hours=24)).isoformat() + "Z" session["domain"] = request.host return check
def validate_token(token, user=None): """ Validates the given token. :param string token: :return bool: """ if user is None: user = api.user.get_current() secret = get_secret(user) # logger.debug('secret: {0}'.format(secret)) validation_result = valid_totp(token=token, secret=secret) return validation_result
def test_validating_totp_with_a_window(self): """ validate if a totp token falls within a certain window """ secret = b'MFRGGZDFMZTWQ2LK' totp = get_totp(secret=secret, clock=(int(time.time()-30))) self.assertFalse(valid_totp(totp,secret)) self.assertTrue(valid_totp(totp,secret,window=1)) totp = get_totp(secret=secret, clock=(int(time.time()+30))) self.assertFalse(valid_totp(totp,secret)) self.assertTrue(valid_totp(totp,secret,window=1)) totp = get_totp(secret=secret, clock=(int(time.time()-59))) self.assertFalse(valid_totp(totp,secret)) self.assertFalse(valid_totp(totp,secret,window=1)) self.assertTrue(valid_totp(totp,secret,window=2))
def test_validating_totp_with_a_window(self): """ validate if a totp token falls within a certain window """ secret = b'MFRGGZDFMZTWQ2LK' with timecop.freeze(time.time()): totp = get_totp(secret=secret, clock=(int(time.time() - 30))) self.assertFalse(valid_totp(totp, secret)) self.assertTrue(valid_totp(totp, secret, window=1)) totp = get_totp(secret=secret, clock=(int(time.time() + 30))) self.assertFalse(valid_totp(totp, secret)) self.assertTrue(valid_totp(totp, secret, window=1)) totp = get_totp(secret=secret, clock=(int(time.time() - 60))) self.assertFalse(valid_totp(totp, secret)) self.assertFalse(valid_totp(totp, secret, window=1)) self.assertTrue(valid_totp(totp, secret, window=2))
def code(): if not session.get('pass', False): flash('Password must be entered.') return redirect(url_for('index')) if request.method == 'GET': return render_template('code.html') token = request.form.get('code', '') if USE_DEVICE_COMMUNICATION: valid = validate_totp_with_arduino(token) else: valid = otp.valid_totp(token=token, secret=TOTP_SECRET_ENCODED) if valid: session['code'] = True return redirect(url_for('secret')) flash('Invalid code') return redirect(url_for('code'))
def verify_mfa_code(): if request.method == "POST": # 获取json数据 code = json.loads(request.get_data())["code"].strip() user = User.query.filter_by(username=session.get("username")).first() if len(code) > 0: if totp.valid_totp(secret=user.secret, token=code): session["userid"] = user.id log = Loginlog(user.id, request.remote_addr) log.mfa_status = True db.session.add(log) db.session.commit() return jsonify({ "code": 0, "msg": "登录成功", "redirect": url_for("admin.index") }) else: return jsonify({"code": 1, "msg": "动态口令无效"}) else: return jsonify({"code": 2, "msg": "动态口令必填"})
def login(): if request.method == "GET": return render_template('login.html') if request.method == "POST": if 'login' in request.form and 'code' in request.form: login = request.form["login"] try: code = int(request.form["code"]) except: flash("Forbidden.", "danger") return redirect(request.referrer, code=302) try: user = User.get(User.login == login) except User.DoesNotExist: flash("Forbidden.", "danger") return redirect(request.referrer, code=302) if otp.valid_totp(token=code, secret=user.secret, window=0) or valid_emergency(user, code): sid = str(uuid.uuid4()) resp = make_response(redirect(request.referrer, code=302)) try: user.sid = sid user.save() resp.set_cookie('x-factor-sid', sid, httponly=True) except Exception, e: print "Unexpected error: %s" % e return resp else: flash("Forbidden.", "danger") return redirect(request.referrer, code=302) else: flash("Forbidden.", "danger") return redirect(request.referrer, code=302)
def check_2fa(data, token): if 'secret' not in data: secret = base64.b32encode(os.urandom(10)).decode('utf-8') ApiAccess.get_skynet_db().users.update_one( {'username': data['username'].upper()}, {'$set': { 'secret': secret, '2fa_active': False }}) return { 'status': LoginStates.active_2fa.value, 'qr_code': 'otpauth://totp/Skynet:{}?secret={}&issuer=Skynet' \ .format(data['username'], secret)} is_token_valid = onetimepass.valid_totp(token, data['secret']) if not is_token_valid: return { 'status': LoginStates.active_2fa.value, 'qr_code': 'otpauth://totp/Skynet:{}?secret={}&issuer=Skynet' \ .format(data['username'], data['secret'])} if not data['2fa_active'] \ else {'status': LoginStates.fail.value} return None
def verify_totp(): userid = session['userid'] if user_dal.check_disabled_user_by_id(userid) == True: return render_template( 'login.html', error= 'This account has been disable due to many failure on login or verify token' ) token = request.form['token'] otp_secret = session['user']['otp_secret'] if token is None: return render_template('verify-token.html', error='Token is empty') verify = onetimepass.valid_totp(token, otp_secret) if verify == True: username = session['user']['username'] session['verified'] = True user_dal.increase_number_of_failure(username, 0) return redirect(url_for('main')) else: username = session['user']['username'] user_dal.increase_number_of_failure(username, 1) return render_template('verify-token.html', error='Failed to verify token')
def verify_totp(self, token): return onetimepass.valid_totp(token, self.otp_secret)
def verify_totp(self, token): print self print "SECRET", self.otp_secret return onetimepass.valid_totp(token, self.otp_secret)
def verify_onetimepass(self, token): if not self.password_hash: return None return valid_totp(token, self.onetime_secret)
def verify_otp(self, otp): return onetimepass.valid_totp(token=otp, secret=self.otp_secret)
def valid_otp(passwd,chat_id): my_secret = base64.b32encode(str(chat_id)) #my_secret = 'MFRGGZDFxMZTWQ2LK' got_token = passwd # should be probably from some user's input is_valid = otp.valid_totp(token=got_token, secret=my_secret, interval_length= 300) return is_valid
def alive_token(user_name, totp_token): totp_secret = dao_user.get_user_secret(user_name) token_valid = otp.valid_totp(totp_token, totp_secret) return token_valid