def mfa_cancel():
    """Disable TOTP-based MFA for the current user after a fresh TOTP check.

    Flow:
      * Users without TOTP enabled are bounced to the dashboard.
      * On a valid form submission the submitted code is checked against
        the user's stored secret; only a correct code disables TOTP and
        clears the secret.  This acts as a step-up re-authentication for
        a security-sensitive change.
      * If, after disabling TOTP, no second factor remains, all recovery
        codes are removed so they cannot be used as a standalone login path.
      * A wrong code only flashes a warning and re-renders the page.

    Returns:
        A redirect to the dashboard after a successful cancel, otherwise
        the rendered ``dashboard/mfa_cancel.html`` page.
    """
    if not current_user.enable_otp:
        flash("you don't have MFA enabled", "warning")
        return redirect(url_for("dashboard.index"))

    form = OtpTokenForm()
    # Built before validation so a missing/invalid secret surfaces the same
    # way regardless of the request method.
    verifier = pyotp.TOTP(current_user.otp_secret)

    submitted = form.validate_on_submit()
    # verify() is called with pyotp's default tolerance window.  Nothing
    # here records the accepted code, so a code could be presented again
    # within its validity period — NOTE(review): confirm whether a
    # last-used counter is enforced elsewhere for this secret.
    if submitted and verifier.verify(form.token.data):
        current_user.enable_otp = False
        current_user.otp_secret = None
        db.session.commit()

        # No second factor left at all -> recovery codes must go too.
        if not current_user.two_factor_authentication_enabled():
            RecoveryCode.empty(current_user)

        flash("MFA is now disabled", "warning")
        return redirect(url_for("dashboard.index"))

    if submitted:
        # Valid form but wrong code: report and let the user retry.
        flash("Incorrect token", "warning")

    return render_template("dashboard/mfa_cancel.html", otp_token_form=form)
def mfa_cancel():
    """Disable TOTP for the current user.

    GET renders the confirmation page; POST disables TOTP, clears the
    stored secret, and — when no second factor remains — wipes the
    user's recovery codes.

    Unlike a token-verified cancel flow, this variant does not ask for the
    current TOTP code: any POST from an authenticated session disables the
    factor.  The protection of this action therefore rests on the session
    itself and on the application's request-forgery protection for POSTs
    (NOTE(review): confirm the form/template carries a CSRF token).

    Returns:
        A redirect to the dashboard after disabling, otherwise the rendered
        ``dashboard/mfa_cancel.html`` page.
    """
    if not current_user.enable_otp:
        flash("you don't have MFA enabled", "warning")
        return redirect(url_for("dashboard.index"))

    if request.method != "POST":
        return render_template("dashboard/mfa_cancel.html")

    # POST: the user confirmed the cancellation.
    current_user.enable_otp = False
    current_user.otp_secret = None
    db.session.commit()

    # Nothing left to act as a second factor -> drop the recovery codes too.
    if not current_user.two_factor_authentication_enabled():
        RecoveryCode.empty(current_user)

    flash("TOTP is now disabled", "warning")
    return redirect(url_for("dashboard.index"))
def recovery_code_route():
    """Show the current user's recovery codes, generating them when needed.

    Only users with at least one second factor (TOTP or WebAuthn) may view
    this page; everyone else is redirected to the dashboard.

    * GET with no existing codes: a first visit, so a set is generated and
      then shown.
    * POST: a new set is generated and the user is redirected back here,
      so the fresh codes are served by a GET rather than as a POST response.
      (NOTE(review): whether generate() also discards the previous set is
      decided inside RecoveryCode.generate, not here.)

    Returns:
        A redirect, or the rendered ``dashboard/recovery_code.html`` page
        with ``recovery_codes`` set to the user's current codes.
    """
    if not current_user.two_factor_authentication_enabled():
        flash("you need to enable either TOTP or WebAuthn", "warning")
        return redirect(url_for("dashboard.index"))

    def _current_codes():
        # Codes are looked up by the session user's id only, so the page
        # can never list another account's codes.
        return RecoveryCode.filter_by(user_id=current_user.id).all()

    codes = _current_codes()

    if request.method == "GET" and not codes:
        # First visit: nothing to show yet, so create the initial set.
        LOG.d("%s has no recovery keys, generate", current_user)
        RecoveryCode.generate(current_user)
        codes = _current_codes()

    if request.method == "POST":
        RecoveryCode.generate(current_user)
        flash("New recovery codes generated", "success")
        return redirect(url_for("dashboard.recovery_code_route"))

    return render_template("dashboard/recovery_code.html", recovery_codes=codes)
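def fido_manage():
    """List the current user's FIDO security keys and unlink one on POST.

    Users with no registered key are redirected to the dashboard.  On a
    valid form submission the key identified by ``credential_id`` is
    looked up *scoped to the current user's ``fido_uuid``* and deleted.
    When the last key is removed, FIDO is switched off for the user
    (``fido_uuid`` cleared) and, if no other second factor remains, all
    recovery codes are wiped so they cannot serve as a standalone login.

    Change from the previous version: the key's id and name are read
    before ``Fido.delete`` / ``Session.commit`` so the log and flash
    messages never dereference an instance that has already been deleted
    and whose state the ORM may have expired.

    Returns:
        A redirect after an unlink, otherwise the rendered
        ``dashboard/fido_manage.html`` page with the form and the user's keys.
    """
    if not current_user.fido_enabled():
        flash("You haven't registered a security key", "warning")
        return redirect(url_for("dashboard.index"))

    fido_manage_form = FidoManageForm()

    if fido_manage_form.validate_on_submit():
        credential_id = fido_manage_form.credential_id.data

        # Ownership check: the lookup is constrained by the session user's
        # fido_uuid, so a credential_id belonging to another account does
        # not resolve here and cannot be unlinked through this form.
        fido_key = Fido.get_by(uuid=current_user.fido_uuid, credential_id=credential_id)
        if not fido_key:
            flash("Unknown error, redirect back to manage page", "warning")
            return redirect(url_for("dashboard.fido_manage"))

        # Capture what the messages below need before the row goes away.
        key_id = fido_key.id
        key_name = fido_key.name

        Fido.delete(key_id)
        Session.commit()

        LOG.d(f"FIDO Key ID={key_id} Removed")
        flash(f"Key {key_name} successfully unlinked", "success")

        # Last key gone -> FIDO is no longer a usable factor for this user.
        if not Fido.filter_by(uuid=current_user.fido_uuid).all():
            current_user.fido_uuid = None
            Session.commit()

            # No second factor left at all -> recovery codes must go too.
            if not current_user.two_factor_authentication_enabled():
                RecoveryCode.empty(current_user)

            return redirect(url_for("dashboard.index"))

        return redirect(url_for("dashboard.fido_manage"))

    return render_template(
        "dashboard/fido_manage.html",
        fido_manage_form=fido_manage_form,
        keys=Fido.filter_by(uuid=current_user.fido_uuid),
    )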