def enroll(self, request, interface, insecure=False):
stage = request.POST.get("stage") or "initial"
totp_secret = request.POST.get("totp_secret")
if totp_secret is not None:
interface.secret = totp_secret
phone_number = request.POST.get("phone_number")
if phone_number is not None:
interface.phone_number = phone_number
sms_form = SmsForm()
otp_form = TwoFactorForm()
if stage == "pick_number":
sms_form = SmsForm(request.POST)
if sms_form.is_valid():
interface.send_text(for_enrollment=True, request=request)
stage = "confirm"
elif stage == "confirm":
otp_form = TwoFactorForm(request.POST)
if otp_form.is_valid() and interface.validate_otp(otp_form.cleaned_data["otp"]):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
otp_form.errors["__all__"] = ["Invalid confirmation code."]
context = self.make_context(request, interface)
context["sms_form"] = sms_form
context["otp_form"] = otp_form
context["stage"] = stage
return render_to_response("sentry/account/twofactor/enroll_sms.html", context, request)
def enroll(self, request, interface, insecure=False):
stage = request.POST.get('stage') or 'initial'
totp_secret = request.POST.get('totp_secret')
if totp_secret is not None:
interface.secret = totp_secret
phone_number = request.POST.get('phone_number')
if phone_number is not None:
interface.phone_number = phone_number
sms_form = SmsForm()
otp_form = TwoFactorForm()
if stage == 'pick_number':
sms_form = SmsForm(request.POST)
if sms_form.is_valid():
interface.send_text(for_enrollment=True, request=request)
stage = 'confirm'
elif stage == 'confirm':
otp_form = TwoFactorForm(request.POST)
if otp_form.is_valid() and interface.validate_otp(
otp_form.cleaned_data['otp']):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
otp_form.errors['__all__'] = ['Invalid confirmation code.']
context = self.make_context(request, interface)
context['sms_form'] = sms_form
context['otp_form'] = otp_form
context['stage'] = stage
return render_to_response('sentry/account/twofactor/enroll_sms.html',
context, request)
def enroll(self, request, interface, insecure=False):
totp_secret = request.POST.get('totp_secret')
if totp_secret is not None:
interface.secret = totp_secret
if 'otp' in request.POST:
form = TwoFactorForm(request.POST)
password_form = ConfirmPasswordForm(request.user, request.POST)
if 'password' in password_form.fields:
if password_form.is_valid():
if form.is_valid() and interface.validate_otp(
form.cleaned_data['otp']):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
form.errors['__all__'] = ['Invalid confirmation code.']
else:
form.errors['__all__'] = ['Invalid password.']
else:
if form.is_valid() and interface.validate_otp(
form.cleaned_data['otp']):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
form.errors['__all__'] = ['Invalid confirmation code.']
else:
form = TwoFactorForm()
password_form = ConfirmPasswordForm(request.user)
context = self.make_context(request, interface)
context['otp_form'] = form
context['password_form'] = password_form
context['provision_qrcode'] = interface.get_provision_qrcode(
request.user.email)
return render_to_response('sentry/account/twofactor/enroll_totp.html',
context, request)
def enroll(self, request, interface, insecure=False):
totp_secret = request.POST.get('totp_secret')
if totp_secret is not None:
interface.secret = totp_secret
if 'otp' in request.POST:
form = TwoFactorForm(request.POST)
password_form = ConfirmPasswordForm(request.user, request.POST)
if 'password' in password_form.fields and password_form.is_valid():
if request.user.check_password(password_form.cleaned_data['password']):
if form.is_valid() and interface.validate_otp(
form.cleaned_data['otp']):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
form.errors['__all__'] = ['Invalid confirmation code.']
else:
form.errors['__all__'] = ['Invalid password.']
else:
if form.is_valid() and interface.validate_otp(
form.cleaned_data['otp']):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
form.errors['__all__'] = ['Invalid confirmation code.']
else:
form = TwoFactorForm()
password_form = ConfirmPasswordForm(request.user)
context = self.make_context(request, interface)
context['otp_form'] = form
context['password_form'] = password_form
context['provision_qrcode'] = interface.get_provision_qrcode(
request.user.email)
return render_to_response('sentry/account/twofactor/enroll_totp.html',
context, request)
def enroll(self, request, interface, insecure=False):
totp_secret = request.POST.get("totp_secret")
if totp_secret is not None:
interface.secret = totp_secret
if "otp" in request.POST:
form = TwoFactorForm(request.POST)
if form.is_valid() and interface.validate_otp(form.cleaned_data["otp"]):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
form.errors["__all__"] = ["Invalid confirmation code."]
else:
form = TwoFactorForm()
context = self.make_context(request, interface)
context["otp_form"] = form
context["provision_qrcode"] = interface.get_provision_qrcode(request.user.email)
return render_to_response("sentry/account/twofactor/enroll_totp.html", context, request)
def handle(self, request):
user = auth.get_pending_2fa_user(request)
if user is None or request.user.is_authenticated():
return HttpResponseRedirect(reverse('sentry'))
interfaces = Authenticator.objects.all_interfaces_for_user(user)
# If for whatever reason we ended up here but the user has no 2FA
# enabled, we just continue successfully.
if not interfaces:
return self.perform_signin(request, user)
challenge = activation = None
interface = self.negotiate_interface(request, interfaces)
if request.method == 'GET':
activation = interface.activate(request)
if activation is not None and activation.type == 'challenge':
challenge = activation.challenge
elif 'challenge' in request.POST:
challenge = json.loads(request.POST['challenge'])
form = TwoFactorForm()
# If an OTP response was supplied, we try to make it pass.
otp = request.POST.get('otp')
if otp:
used_interface = self.validate_otp(otp, interface, interfaces)
if used_interface is not None:
return self.perform_signin(request, user, used_interface)
self.fail_signin(request, user, form)
# If a challenge and response exists, validate
if challenge:
response = request.POST.get('response')
if response:
response = json.loads(response)
if interface.validate_response(request, challenge, response):
return self.perform_signin(request, user, interface)
self.fail_signin(request, user, form)
return render_to_response(
[
'sentry/twofactor_%s.html' % interface.interface_id,
'sentry/twofactor.html'
], {
'form':
form,
'interface':
interface,
'other_interfaces':
self.get_other_interfaces(interface, interfaces),
'activation':
activation,
},
request,
status=200)
def enroll(self, request, interface, insecure=False):
stage = request.POST.get('stage') or 'initial'
totp_secret = request.POST.get('totp_secret')
if totp_secret is not None:
interface.secret = totp_secret
phone_number = request.POST.get('phone_number')
if phone_number is not None:
interface.phone_number = phone_number
sms_form = SmsForm()
otp_form = TwoFactorForm()
if stage == 'pick_number':
sms_form = SmsForm(request.POST)
if sms_form.is_valid():
interface.send_text(for_enrollment=True, request=request)
stage = 'confirm'
elif stage == 'confirm':
otp_form = TwoFactorForm(request.POST)
if otp_form.is_valid() and interface.validate_otp(
otp_form.cleaned_data['otp']):
return TwoFactorSettingsView.enroll(self, request, interface)
else:
otp_form.errors['__all__'] = ['Invalid confirmation code.']
context = self.make_context(request, interface)
context['sms_form'] = sms_form
context['otp_form'] = otp_form
context['stage'] = stage
return render_to_response('sentry/account/twofactor/enroll_sms.html',
context, request)
def handle(self, request: Request) -> Response:
user = auth.get_pending_2fa_user(request)
if user is None:
return HttpResponseRedirect(auth.get_login_url())
interfaces = Authenticator.objects.all_interfaces_for_user(user)
# If for whatever reason we ended up here but the user has no 2FA
# enabled, we just continue successfully.
if not interfaces:
return self.perform_signin(request, user)
challenge = activation = None
interface = self.negotiate_interface(request, interfaces)
if request.method == "POST" and ratelimiter.is_limited(
f"auth-2fa:user:{user.id}", limit=5, window=60):
# TODO: Maybe email the account owner or do something to notify someone
# This would probably be good for them to know.
return HttpResponse(
"You have made too many 2FA attempts. Please try again later.",
content_type="text/plain",
status=429,
)
# check if webauthn-login feature flag is enabled for frontend
webauthn_signin_ff = self._check_can_webauthn_signin(
user, request.user)
if request.method == "GET":
if interface.type == U2fInterface.type:
activation = interface.activate(request, webauthn_signin_ff)
else:
activation = interface.activate(request)
if activation is not None and activation.type == "challenge":
challenge = activation.challenge
if webauthn_signin_ff and interface.type == U2fInterface.type:
activation.challenge = {}
activation.challenge[
"webAuthnAuthenticationData"] = b64encode(challenge)
elif "challenge" in request.POST:
challenge = json.loads(request.POST["challenge"])
form = TwoFactorForm()
# If an OTP response was supplied, we try to make it pass.
otp = request.POST.get("otp")
if otp:
used_interface = self.validate_otp(otp, interface, interfaces)
if used_interface is not None:
return self.perform_signin(request, user, used_interface)
self.fail_signin(request, user, form)
# If a challenge and response exists, validate
if challenge:
response = request.POST.get("response")
if response:
response = json.loads(response)
if interface.validate_response(request, challenge, response,
webauthn_signin_ff):
return self.perform_signin(request, user, interface)
self.fail_signin(request, user, form)
return render_to_response(
[
"sentry/twofactor_%s.html" % interface.interface_id,
"sentry/twofactor.html"
],
{
"form":
form,
"interface":
interface,
"other_interfaces":
self.get_other_interfaces(interface, interfaces),
"activation":
activation,
"isWebauthnSigninFFEnabled":
webauthn_signin_ff,
},
request,
status=200,
)
def handle(self, request):
user = auth.get_pending_2fa_user(request)
if user is None:
return HttpResponseRedirect(auth.get_login_url())
interfaces = Authenticator.objects.all_interfaces_for_user(user)
# If for whatever reason we ended up here but the user has no 2FA
# enabled, we just continue successfully.
if not interfaces:
return self.perform_signin(request, user)
challenge = activation = None
interface = self.negotiate_interface(request, interfaces)
if request.method == 'POST' and ratelimiter.is_limited(
u'auth-2fa:user:{}'.format(user.id),
limit=5,
window=60,
):
# TODO: Maybe email the account owner or do something to notify someone
# This would probably be good for them to know.
return HttpResponse(
'You have made too many 2FA attempts. Please try again later.',
content_type='text/plain',
status=429,
)
if request.method == 'GET':
activation = interface.activate(request)
if activation is not None and activation.type == 'challenge':
challenge = activation.challenge
elif 'challenge' in request.POST:
challenge = json.loads(request.POST['challenge'])
form = TwoFactorForm()
# If an OTP response was supplied, we try to make it pass.
otp = request.POST.get('otp')
if otp:
used_interface = self.validate_otp(otp, interface, interfaces)
if used_interface is not None:
return self.perform_signin(request, user, used_interface)
self.fail_signin(request, user, form)
# If a challenge and response exists, validate
if challenge:
response = request.POST.get('response')
if response:
response = json.loads(response)
if interface.validate_response(request, challenge, response):
return self.perform_signin(request, user, interface)
self.fail_signin(request, user, form)
return render_to_response(
['sentry/twofactor_%s.html' % interface.interface_id, 'sentry/twofactor.html'], {
'form': form,
'interface': interface,
'other_interfaces': self.get_other_interfaces(interface, interfaces),
'activation': activation,
},
request,
status=200
)