def webauthn_authentication_validate(request):
    """Validate the WebAuthn assertion that completes a two-factor login.

    Returns a dict holding either a ``"success"`` message together with the
    ``"redirect_to"`` target carried in the two-factor token, or a ``"fail"``
    entry whose ``"errors"`` value is a list of user-facing strings.
    """
    # Nothing to validate when the session is already authenticated.
    if request.authenticated_userid is not None:
        return {"fail": {"errors": ["Already authenticated"]}}

    try:
        two_factor_data = _get_two_factor_data(request)
    except TokenException:
        request.session.flash(
            request._("Invalid or expired two factor login."), queue="error"
        )
        return {
            "fail": {"errors": [request._("Invalid or expired two factor login.")]}
        }

    redirect_to = two_factor_data.get("redirect_to")
    userid = two_factor_data.get("userid")
    user_service = request.find_service(IUserService, context=None)

    form = WebAuthnAuthenticationForm(
        **request.POST,
        request=request,
        user_id=userid,
        user_service=user_service,
        challenge=request.session.get_webauthn_challenge(),
        origin=request.host_url,
        rp_id=request.domain,
    )
    # The stored challenge is discarded before validating, so it is consumed
    # exactly once whether or not this assertion turns out to be valid.
    request.session.clear_webauthn_challenge()

    if not form.validate():
        failures = [str(error) for error in form.credential.errors]
        return {"fail": {"errors": failures}}

    credential = form.validated_credential
    webauthn = user_service.get_webauthn_by_credential_id(
        userid, bytes_to_base64url(credential.credential_id)
    )
    # Record the authenticator's new counter on the stored credential
    # (presumably the counter comparison itself happens in form validation —
    # confirm against WebAuthnAuthenticationForm).
    webauthn.sign_count = credential.new_sign_count

    _login_user(
        request,
        userid,
        two_factor_method="webauthn",
        two_factor_label=webauthn.label,
    )
    request.response.set_cookie(
        USER_ID_INSECURE_COOKIE,
        hashlib.blake2b(str(userid).encode("ascii"), person=b"warehouse.userid")
        .hexdigest()
        .lower(),
    )
    if not request.user.has_recovery_codes:
        send_recovery_code_reminder_email(request, request.user)

    return {
        "success": request._("Successful WebAuthn assertion"),
        "redirect_to": redirect_to,
    }
def webauthn_authentication_validate(request):
    """Validate the WebAuthn assertion that completes a two-factor login.

    Returns a dict holding either a ``"success"`` message together with the
    ``"redirect_to"`` target carried in the two-factor token, or a ``"fail"``
    entry whose ``"errors"`` value is a list of strings.
    """
    # Nothing to validate when the session is already authenticated.
    if request.authenticated_userid is not None:
        return {"fail": {"errors": ["Already authenticated"]}}

    try:
        two_factor_data = _get_two_factor_data(request)
    except TokenException:
        request.session.flash("Invalid or expired two factor login.", queue="error")
        return {"fail": {"errors": ["Invalid two factor token"]}}

    redirect_to = two_factor_data.get("redirect_to")
    userid = two_factor_data.get("userid")
    user_service = request.find_service(IUserService, context=None)

    form = WebAuthnAuthenticationForm(
        **request.POST,
        user_id=userid,
        user_service=user_service,
        challenge=request.session.get_webauthn_challenge(),
        origin=request.host_url,
        icon_url=request.registry.settings.get("warehouse.domain", request.domain),
        rp_id=request.domain,
    )
    # The stored challenge is discarded before validating, so it is consumed
    # exactly once whether or not this assertion turns out to be valid.
    request.session.clear_webauthn_challenge()

    if not form.validate():
        failures = [str(error) for error in form.credential.errors]
        return {"fail": {"errors": failures}}

    # validated_credential unpacks as (credential_id, sign_count) here.
    credential_id, sign_count = form.validated_credential
    webauthn = user_service.get_webauthn_by_credential_id(userid, credential_id)
    # Record the authenticator's new counter on the stored credential
    # (presumably the counter comparison itself happens in form validation —
    # confirm against WebAuthnAuthenticationForm).
    webauthn.sign_count = sign_count

    _login_user(request, userid)
    request.response.set_cookie(
        USER_ID_INSECURE_COOKIE,
        hashlib.blake2b(str(userid).encode("ascii"), person=b"warehouse.userid")
        .hexdigest()
        .lower(),
    )

    return {"success": "Successful WebAuthn assertion", "redirect_to": redirect_to}