def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
if not user:
LOGGER.debug("No pending user, continuing")
return self.executor.stage_ok()
# Currently, this stage only supports one device per user. If the user already
# has a device, just skip to the next stage
if StaticDevice.objects.filter(user=user).exists():
return self.executor.stage_ok()
stage: AuthenticatorStaticStage = self.executor.current_stage
if SESSION_STATIC_DEVICE not in self.request.session:
device = StaticDevice(user=user,
confirmed=True,
name="Static Token")
tokens = []
for _ in range(0, stage.token_count):
tokens.append(
StaticToken(device=device,
token=StaticToken.random_token()))
self.request.session[SESSION_STATIC_DEVICE] = device
self.request.session[SESSION_STATIC_TOKENS] = tokens
return super().get(request, *args, **kwargs)
def save(self, *args, **kwargs):
instance, created = self.request.user.staticdevice_set.get_or_create(
defaults={'name': self.plugin.name})
instance.token_set.all().delete()
for i in range(self.token_amount):
instance.token_set.create(token=StaticToken.random_token())
return instance
def post(self, request, *args, **kwargs):
static_device, _ = request.user.staticdevice_set.get_or_create(
name='backup')
static_device.token_set.all().delete()
for _ in range(3):
static_device.token_set.create(token=StaticToken.random_token())
return self.get(request, *args, **kwargs)
def tfa_setup_check(self, request):
"""Check TFA setup."""
serializer = core_v1_serializers.CheckTFASetupSerializer(
data=request.data, context={"user": request.user})
serializer.is_valid(raise_exception=True)
# create static device for recovery purposes
device = StaticDevice.objects.create(
user=request.user,
name="{} static device".format(request.user)
)
tokens = []
for cpt in range(10):
token = StaticToken.random_token()
device.token_set.create(token=token)
tokens.append(token)
# Set enable flag to True so we can't go here anymore
request.user.tfa_enabled = True
request.user.save()
# Generate new tokens
device = request.user.totpdevice_set.first()
refresh = RefreshToken.for_user(request.user)
refresh[constants.TFA_DEVICE_TOKEN_KEY] = device.persistent_id
return response.Response({
"tokens": tokens,
"refresh": str(refresh),
"access": str(refresh.access_token)
})
def done(self, form_list, **kwargs):
user = self.get_user()
login(self.request, user)
if not self.request.user.info.registration_finished:
# If the user has not finished registration yet, redirect them there to finish it now.
redirect_to = reverse('register')
else:
redirect_to = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name, ''))
if not is_safe_url(url=redirect_to, host=self.request.get_host()):
redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
device = getattr(user, 'otp_device', None)
if device:
if isinstance(device, StaticDevice):
# User logged in using a static backup code, refresh it with a new one.
device.token_set.create(token=StaticToken.random_token())
signals.user_verified.send(sender=__name__,
request=self.request,
user=user,
device=device)
# Track login type in Segment.
analytics.track(user.id, 'user-login', {
'login_type': 'Traditional',
})
return redirect(redirect_to)
def done(self, form_list, **kwargs):
user = self.get_user()
login(self.request, user)
if not self.request.user.info.registration_finished:
# If the user has not finished registration yet, redirect them there to finish it now.
redirect_to = reverse('register')
else:
redirect_to = self.request.POST.get(
self.redirect_field_name,
self.request.GET.get(self.redirect_field_name, '')
)
if not is_safe_url(url=redirect_to, host=self.request.get_host()):
redirect_to = resolve_url(settings.LOGIN_REDIRECT_URL)
device = getattr(user, 'otp_device', None)
if device:
if isinstance(device, StaticDevice):
# User logged in using a static backup code, refresh it with a new one.
device.token_set.create(token=StaticToken.random_token())
signals.user_verified.send(
sender=__name__,
request=self.request,
user=user,
device=device
)
# Track login type in Segment.
analytics.track(user.id, 'user-login', {
'login_type': 'Traditional',
})
return redirect(redirect_to)
def post(self, request, *args, **kwargs):
static_device, _ = request.user.staticdevice_set.get_or_create(
name='backup'
)
static_device.token_set.all().delete()
for _ in range(10):
static_device.token_set.create(token=StaticToken.random_token())
return self.get(request, *args, **kwargs)
def done(self, form_list, **kwargs):
device = getattr(self.get_user(), 'otp_device', None)
if isinstance(device, StaticDevice):
# User logged in using a static backup code, refresh it with a new one.
device.token_set.create(token=StaticToken.random_token())
return super(TwoFactorLoginView, self).done(form_list, **kwargs)
def backup_token(self):
if Domain.get_by_name(self.request.domain).two_factor_auth:
device = self.editable_user.get_django_user().staticdevice_set.get_or_create(name='backup')[0]
token = device.token_set.first()
if token:
return device.token_set.first().token
else:
return device.token_set.create(token=StaticToken.random_token()).token
return None
def done(self, form_list, **kwargs):
device = self.request.user.staticdevice_set.get_or_create(name='backup')[0]
device.token_set.all().delete()
for n in range(self.number_of_tokens):
device.token_set.create(token=StaticToken.random_token())
messages.success(self.request, 'You have successfully setup two factor authentication!')
return super(TwoFactorSetupView, self).done(form_list, **kwargs)
def backup_token(self):
if Domain.get_by_name(self.request.domain).two_factor_auth:
device = self.editable_user.get_django_user().staticdevice_set.get_or_create(name='backup')[0]
token = device.token_set.first()
if token:
return device.token_set.first().token
else:
return device.token_set.create(token=StaticToken.random_token()).token
return None
def done(self, form_list, **kwargs):
device = self.request.user.staticdevice_set.get_or_create(name='backup')[0]
device.token_set.all().delete()
for n in range(self.number_of_tokens):
device.token_set.create(token=StaticToken.random_token())
messages.success(self.request, 'You have successfully set up two factor authentication!')
return super(TwoFactorSetupView, self).done(form_list, **kwargs)
def form_valid(self, form):
"""
Delete existing backup codes and generate new ones.
"""
device = self.get_device()
device.token_set.all().delete()
for n in range(self.number_of_tokens):
device.token_set.create(token=StaticToken.random_token())
return redirect(self.redirect_url)
def form_valid(self, form):
"""
Delete existing backup codes and generate new ones.
"""
device = self.get_device()
device.token_set.all().delete()
for n in range(self.number_of_tokens):
device.token_set.create(token=StaticToken.random_token())
return redirect(self.success_url)
def form_valid(self, form):
"""
Delete existing backup codes and generate new ones.
"""
device = self.get_device()
device.token_set.all().delete()
for n in range(10):
device.token_set.create(token=StaticToken.random_token())
return redirect('two_factor:backup_tokens')
def tfa_reset_codes(self, request, *args, **kwargs):
"""Reset recovery codes."""
device = request.user.staticdevice_set.first()
if device is None:
return response.Response(status=403)
device.token_set.all().delete()
for cpt in range(10):
token = StaticToken.random_token()
device.token_set.create(token=token)
return response.Response(
{"tokens": device.token_set.all().values_list("token", flat=True)})
def _recreate_backup_codes(user):
"""Creates 10 new backup codes for a user, deletes all previous backup codes."""
devices = get_user_static_device(user)
if devices:
devices.token_set.all().delete()
else:
devices = StaticDevice.objects.create(user=user,
name="Static_Security_Codes")
for n in range(settings.BACKUP_CODES_COUNT):
security_code = StaticToken.random_token()
devices.token_set.create(token=security_code)
def regenerate_tokens(self, request):
number_of_tokens = 10
token_list = []
device = request.user.staticdevice_set.get_or_create(name='backup')[0]
device.token_set.all().delete()
for n in range(number_of_tokens):
token = device.token_set.create(token=StaticToken.random_token())
token_list.append(token.token)
return Response(token_list, status=status.HTTP_201_CREATED)
def regenerate_tokens(self, request):
number_of_tokens = 10
token_list = []
device = request.user.staticdevice_set.get_or_create(name='backup')[0]
device.token_set.all().delete()
for n in range(number_of_tokens):
token = device.token_set.create(token=StaticToken.random_token())
token_list.append(token.token)
return Response(token_list, status=status.HTTP_201_CREATED)
def handle(self, *args, **options):
if len(args) != 1:
raise CommandError('Please specify exactly one username.')
username = args[0]
try:
user = get_user_model().objects.get_by_natural_key(username)
except ObjectDoesNotExist:
raise CommandError('User "{0}" does not exist.'.format(username))
device = next(StaticDevice.objects.filter(user=user).iterator(), None)
if device is None:
device = StaticDevice.objects.create(user=user, name='Backup Code')
token = options.get('token')
if token is None:
token = StaticToken.random_token()
device.token_set.add(StaticToken(token=token))
print(token, file=self.stdout)
def form_valid(self, form):
"""
Delete existing backup codes and generate new ones.
"""
device = self.get_device()
device.token_set.all().delete()
for n in range(self.number_of_tokens):
device.token_set.create(token=StaticToken.random_token())
return TemplateResponse(self.request, 'security_pages.html', {
'form': form,
'tokens': device.token_set.all()
})
def get(self, request, format=None):
device = get_user_static_device(self, request.user)
if not device:
device = StaticDevice.objects.create(user=request.user, name="Static")
device.token_set.all().delete()
tokens = []
for n in range(self.number_of_static_tokens):
token = StaticToken.random_token()
device.token_set.create(token=token)
tokens.append(token)
return Response(tokens, status=status.HTTP_201_CREATED)
def post(self, request, *args, **kwargs):
form = self.form_class(data=request.POST, user=request.user)
context = {"form": form}
if form.is_valid():
# Delete the existing tokens and generate some new ones
device = self.get_device()
device.token_set.all().delete()
for n in range(self.number_of_tokens):
device.token_set.create(token=StaticToken.random_token())
context["device"] = device
return render(request, self.template_name, context)
def tfa_setup_check(self, request):
"""Check TFA setup."""
serializer = serializers.CheckTFASetupSerializer(
data=request.data, context={"user": request.user})
serializer.is_valid(raise_exception=True)
# create static device for recovery purposes
device = StaticDevice.objects.create(user=request.user,
name="{} static device".format(
request.user))
for cpt in range(10):
token = StaticToken.random_token()
device.token_set.create(token=token)
django_otp.login(self.request, request.user.totpdevice_set.first())
return response.Response()
def save(self, user):
static_device = StaticDevice(name=self.cleaned_data["name"], user=user)
static_device.save()
for i in range(10):
code = StaticToken(token=StaticToken.random_token().upper())
code.device = static_device
code.save()
return static_device
def handle(self, *args, **options):
if len(args) != 1:
raise CommandError('Please specify exactly one username.')
username = args[0]
try:
user = get_user_model().objects.get_by_natural_key(username)
except ObjectDoesNotExist:
raise CommandError('User "{0}" does not exist.'.format(username))
device = next(StaticDevice.objects.filter(user=user).iterator(), None)
if device is None:
device = StaticDevice.objects.create(user=user, name='Backup Code')
token = options.get('token')
if token is None:
token = StaticToken.random_token()
device.token_set.add(StaticToken(token=token))
print(token, file=self.stdout)
