Esempio n. 1
0
    def enroll(self, request, interface, insecure=False):
        stage = request.POST.get("stage") or "initial"

        totp_secret = request.POST.get("totp_secret")
        if totp_secret is not None:
            interface.secret = totp_secret

        phone_number = request.POST.get("phone_number")
        if phone_number is not None:
            interface.phone_number = phone_number

        sms_form = SmsForm()
        otp_form = TwoFactorForm()

        if stage == "pick_number":
            sms_form = SmsForm(request.POST)
            if sms_form.is_valid():
                interface.send_text(for_enrollment=True, request=request)
                stage = "confirm"
        elif stage == "confirm":
            otp_form = TwoFactorForm(request.POST)
            if otp_form.is_valid() and interface.validate_otp(otp_form.cleaned_data["otp"]):
                return TwoFactorSettingsView.enroll(self, request, interface)
            else:
                otp_form.errors["__all__"] = ["Invalid confirmation code."]

        context = self.make_context(request, interface)
        context["sms_form"] = sms_form
        context["otp_form"] = otp_form
        context["stage"] = stage
        return render_to_response("sentry/account/twofactor/enroll_sms.html", context, request)
Esempio n. 2
0
    def enroll(self, request, interface, insecure=False):
        stage = request.POST.get('stage') or 'initial'

        totp_secret = request.POST.get('totp_secret')
        if totp_secret is not None:
            interface.secret = totp_secret

        phone_number = request.POST.get('phone_number')
        if phone_number is not None:
            interface.phone_number = phone_number

        sms_form = SmsForm()
        otp_form = TwoFactorForm()

        if stage == 'pick_number':
            sms_form = SmsForm(request.POST)
            if sms_form.is_valid():
                interface.send_text(for_enrollment=True, request=request)
                stage = 'confirm'
        elif stage == 'confirm':
            otp_form = TwoFactorForm(request.POST)
            if otp_form.is_valid() and interface.validate_otp(
                    otp_form.cleaned_data['otp']):
                return TwoFactorSettingsView.enroll(self, request, interface)
            else:
                otp_form.errors['__all__'] = ['Invalid confirmation code.']

        context = self.make_context(request, interface)
        context['sms_form'] = sms_form
        context['otp_form'] = otp_form
        context['stage'] = stage
        return render_to_response('sentry/account/twofactor/enroll_sms.html',
                                  context, request)
    def enroll(self, request, interface, insecure=False):
        totp_secret = request.POST.get('totp_secret')
        if totp_secret is not None:
            interface.secret = totp_secret

        if 'otp' in request.POST:
            form = TwoFactorForm(request.POST)
            password_form = ConfirmPasswordForm(request.user, request.POST)
            if 'password' in password_form.fields:
                if password_form.is_valid():
                    if form.is_valid() and interface.validate_otp(
                            form.cleaned_data['otp']):
                        return TwoFactorSettingsView.enroll(self, request, interface)
                    else:
                        form.errors['__all__'] = ['Invalid confirmation code.']
                else:
                    form.errors['__all__'] = ['Invalid password.']
            else:
                if form.is_valid() and interface.validate_otp(
                        form.cleaned_data['otp']):
                    return TwoFactorSettingsView.enroll(self, request, interface)
                else:
                    form.errors['__all__'] = ['Invalid confirmation code.']

        else:
            form = TwoFactorForm()
            password_form = ConfirmPasswordForm(request.user)

        context = self.make_context(request, interface)
        context['otp_form'] = form
        context['password_form'] = password_form
        context['provision_qrcode'] = interface.get_provision_qrcode(
            request.user.email)
        return render_to_response('sentry/account/twofactor/enroll_totp.html',
                                  context, request)
Esempio n. 4
0
    def enroll(self, request, interface, insecure=False):
        totp_secret = request.POST.get('totp_secret')
        if totp_secret is not None:
            interface.secret = totp_secret

        if 'otp' in request.POST:
            form = TwoFactorForm(request.POST)
            password_form = ConfirmPasswordForm(request.user, request.POST)
            if 'password' in password_form.fields and password_form.is_valid():
                if request.user.check_password(password_form.cleaned_data['password']):
                    if form.is_valid() and interface.validate_otp(
                            form.cleaned_data['otp']):
                        return TwoFactorSettingsView.enroll(self, request, interface)
                    else:
                        form.errors['__all__'] = ['Invalid confirmation code.']
                else:
                    form.errors['__all__'] = ['Invalid password.']
            else:
                if form.is_valid() and interface.validate_otp(
                        form.cleaned_data['otp']):
                    return TwoFactorSettingsView.enroll(self, request, interface)
                else:
                    form.errors['__all__'] = ['Invalid confirmation code.']

        else:
            form = TwoFactorForm()
            password_form = ConfirmPasswordForm(request.user)

        context = self.make_context(request, interface)
        context['otp_form'] = form
        context['password_form'] = password_form
        context['provision_qrcode'] = interface.get_provision_qrcode(
            request.user.email)
        return render_to_response('sentry/account/twofactor/enroll_totp.html',
                                  context, request)
Esempio n. 5
0
    def enroll(self, request, interface, insecure=False):
        totp_secret = request.POST.get("totp_secret")
        if totp_secret is not None:
            interface.secret = totp_secret

        if "otp" in request.POST:
            form = TwoFactorForm(request.POST)
            if form.is_valid() and interface.validate_otp(form.cleaned_data["otp"]):
                return TwoFactorSettingsView.enroll(self, request, interface)
            else:
                form.errors["__all__"] = ["Invalid confirmation code."]
        else:
            form = TwoFactorForm()

        context = self.make_context(request, interface)
        context["otp_form"] = form
        context["provision_qrcode"] = interface.get_provision_qrcode(request.user.email)
        return render_to_response("sentry/account/twofactor/enroll_totp.html", context, request)
Esempio n. 6
0
    def handle(self, request):
        user = auth.get_pending_2fa_user(request)
        if user is None or request.user.is_authenticated():
            return HttpResponseRedirect(reverse('sentry'))

        interfaces = Authenticator.objects.all_interfaces_for_user(user)

        # If for whatever reason we ended up here but the user has no 2FA
        # enabled, we just continue successfully.
        if not interfaces:
            return self.perform_signin(request, user)

        challenge = activation = None
        interface = self.negotiate_interface(request, interfaces)
        if request.method == 'GET':
            activation = interface.activate(request)
            if activation is not None and activation.type == 'challenge':
                challenge = activation.challenge
        elif 'challenge' in request.POST:
            challenge = json.loads(request.POST['challenge'])

        form = TwoFactorForm()

        # If an OTP response was supplied, we try to make it pass.
        otp = request.POST.get('otp')
        if otp:
            used_interface = self.validate_otp(otp, interface, interfaces)
            if used_interface is not None:
                return self.perform_signin(request, user, used_interface)
            self.fail_signin(request, user, form)

        # If a challenge and response exists, validate
        if challenge:
            response = request.POST.get('response')
            if response:
                response = json.loads(response)
                if interface.validate_response(request, challenge, response):
                    return self.perform_signin(request, user, interface)
                self.fail_signin(request, user, form)

        return render_to_response(
            [
                'sentry/twofactor_%s.html' % interface.interface_id,
                'sentry/twofactor.html'
            ], {
                'form':
                form,
                'interface':
                interface,
                'other_interfaces':
                self.get_other_interfaces(interface, interfaces),
                'activation':
                activation,
            },
            request,
            status=200)
Esempio n. 7
0
    def enroll(self, request, interface, insecure=False):
        stage = request.POST.get('stage') or 'initial'

        totp_secret = request.POST.get('totp_secret')
        if totp_secret is not None:
            interface.secret = totp_secret

        phone_number = request.POST.get('phone_number')
        if phone_number is not None:
            interface.phone_number = phone_number

        sms_form = SmsForm()
        otp_form = TwoFactorForm()

        if stage == 'pick_number':
            sms_form = SmsForm(request.POST)
            if sms_form.is_valid():
                interface.send_text(for_enrollment=True, request=request)
                stage = 'confirm'
        elif stage == 'confirm':
            otp_form = TwoFactorForm(request.POST)
            if otp_form.is_valid() and interface.validate_otp(
                    otp_form.cleaned_data['otp']):
                return TwoFactorSettingsView.enroll(self, request, interface)
            else:
                otp_form.errors['__all__'] = ['Invalid confirmation code.']

        context = self.make_context(request, interface)
        context['sms_form'] = sms_form
        context['otp_form'] = otp_form
        context['stage'] = stage
        return render_to_response('sentry/account/twofactor/enroll_sms.html',
                                  context, request)
Esempio n. 8
0
    def handle(self, request: Request) -> Response:
        user = auth.get_pending_2fa_user(request)
        if user is None:
            return HttpResponseRedirect(auth.get_login_url())

        interfaces = Authenticator.objects.all_interfaces_for_user(user)

        # If for whatever reason we ended up here but the user has no 2FA
        # enabled, we just continue successfully.
        if not interfaces:
            return self.perform_signin(request, user)

        challenge = activation = None
        interface = self.negotiate_interface(request, interfaces)

        if request.method == "POST" and ratelimiter.is_limited(
                f"auth-2fa:user:{user.id}", limit=5, window=60):
            # TODO: Maybe email the account owner or do something to notify someone
            # This would probably be good for them to know.
            return HttpResponse(
                "You have made too many 2FA attempts. Please try again later.",
                content_type="text/plain",
                status=429,
            )
        # check if webauthn-login feature flag is enabled for frontend
        webauthn_signin_ff = self._check_can_webauthn_signin(
            user, request.user)

        if request.method == "GET":
            if interface.type == U2fInterface.type:
                activation = interface.activate(request, webauthn_signin_ff)
            else:
                activation = interface.activate(request)

            if activation is not None and activation.type == "challenge":
                challenge = activation.challenge

                if webauthn_signin_ff and interface.type == U2fInterface.type:
                    activation.challenge = {}
                    activation.challenge[
                        "webAuthnAuthenticationData"] = b64encode(challenge)

        elif "challenge" in request.POST:
            challenge = json.loads(request.POST["challenge"])
        form = TwoFactorForm()

        # If an OTP response was supplied, we try to make it pass.
        otp = request.POST.get("otp")
        if otp:
            used_interface = self.validate_otp(otp, interface, interfaces)
            if used_interface is not None:
                return self.perform_signin(request, user, used_interface)
            self.fail_signin(request, user, form)

        #  If a challenge and response exists, validate
        if challenge:
            response = request.POST.get("response")
            if response:
                response = json.loads(response)
                if interface.validate_response(request, challenge, response,
                                               webauthn_signin_ff):
                    return self.perform_signin(request, user, interface)
                self.fail_signin(request, user, form)

        return render_to_response(
            [
                "sentry/twofactor_%s.html" % interface.interface_id,
                "sentry/twofactor.html"
            ],
            {
                "form":
                form,
                "interface":
                interface,
                "other_interfaces":
                self.get_other_interfaces(interface, interfaces),
                "activation":
                activation,
                "isWebauthnSigninFFEnabled":
                webauthn_signin_ff,
            },
            request,
            status=200,
        )
    def handle(self, request):
        user = auth.get_pending_2fa_user(request)
        if user is None:
            return HttpResponseRedirect(auth.get_login_url())

        interfaces = Authenticator.objects.all_interfaces_for_user(user)

        # If for whatever reason we ended up here but the user has no 2FA
        # enabled, we just continue successfully.
        if not interfaces:
            return self.perform_signin(request, user)

        challenge = activation = None
        interface = self.negotiate_interface(request, interfaces)

        if request.method == 'POST' and ratelimiter.is_limited(
            u'auth-2fa:user:{}'.format(user.id),
            limit=5,
            window=60,
        ):
            # TODO: Maybe email the account owner or do something to notify someone
            # This would probably be good for them to know.
            return HttpResponse(
                'You have made too many 2FA attempts. Please try again later.',
                content_type='text/plain',
                status=429,
            )

        if request.method == 'GET':
            activation = interface.activate(request)
            if activation is not None and activation.type == 'challenge':
                challenge = activation.challenge
        elif 'challenge' in request.POST:
            challenge = json.loads(request.POST['challenge'])

        form = TwoFactorForm()

        # If an OTP response was supplied, we try to make it pass.
        otp = request.POST.get('otp')
        if otp:
            used_interface = self.validate_otp(otp, interface, interfaces)
            if used_interface is not None:
                return self.perform_signin(request, user, used_interface)
            self.fail_signin(request, user, form)

        # If a challenge and response exists, validate
        if challenge:
            response = request.POST.get('response')
            if response:
                response = json.loads(response)
                if interface.validate_response(request, challenge, response):
                    return self.perform_signin(request, user, interface)
                self.fail_signin(request, user, form)

        return render_to_response(
            ['sentry/twofactor_%s.html' % interface.interface_id, 'sentry/twofactor.html'], {
                'form': form,
                'interface': interface,
                'other_interfaces': self.get_other_interfaces(interface, interfaces),
                'activation': activation,
            },
            request,
            status=200
        )