app/main/views/verify.py

import json

from flask import (
    render_template,
    redirect,
    session,
    url_for,
    current_app,
    flash,
    abort
)

from itsdangerous import SignatureExpired

from flask_login import login_user

from notifications_python_client.errors import HTTPError

from app.main import main
from app.main.forms import TwoFactorForm

from app import user_api_client


@main.route('/verify', methods=['GET', 'POST'])
def verify():
    # TODO there needs to be a way to regenerate a session id
    # or handle gracefully.
    user_id = session['user_details']['id']

    def _check_code(code):
        return user_api_client.check_verify_code(user_id, code, 'sms')

    form = TwoFactorForm(_check_code)

    if form.validate_on_submit():
        try:
            user = user_api_client.get_user(user_id)
            activated_user = user_api_client.activate_user(user)
            login_user(activated_user)
            return redirect(url_for('main.add_service', first='first'))
        finally:
            session.pop('user_details', None)

    return render_template('views/two-factor.html', form=form)


@main.route('/verify-email/<token>')
def verify_email(token):
    from utils.url_safe_token import check_token
    try:
        token_data = check_token(token,
                                 current_app.config['SECRET_KEY'],
                                 current_app.config['DANGEROUS_SALT'],
                                 current_app.config['EMAIL_EXPIRY_SECONDS'])

        token_data = json.loads(token_data)
        verified = user_api_client.check_verify_code(token_data['user_id'], token_data['secret_code'], 'email')
        user = user_api_client.get_user(token_data['user_id'])
        if not user:
            abort(404)

        if user.is_active():
            flash("That verification link has expired.")
            return redirect(url_for('main.sign_in'))

        session['user_details'] = {"email": user.email_address, "id": user.id}
        if verified[0]:
            user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
            return redirect('verify')
        else:
            if verified[1] == 'Code has expired':
                flash("The link in the email we sent you has expired. We've sent you a new one.")
                return redirect(url_for('main.resend_email_verification'))
            else:
                message = "There was a problem verifying your account. Error message: '{}'".format(verified[1])
                flash(message)
                return redirect(url_for('main.index'))

    except SignatureExpired:
        flash('The link in the email we sent you has expired')
        return redirect(url_for('main.resend_email_verification'))
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`import json`

Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`from flask import (`
User registration now creates user via api. Verification flow is still to be completed. Foreign key constraint on verify codes to user table removed. 2016-01-19 22:47:42 +00:00			`render_template,`
			`redirect,`
			`session,`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`url_for,`
			`current_app,`
If user is pending it means they have not verified email yet Added better checking on re use of consumed verification link. 2016-03-29 12:13:36 +01:00			`flash,`
			`abort`
User registration now creates user via api. Verification flow is still to be completed. Foreign key constraint on verify codes to user table removed. 2016-01-19 22:47:42 +00:00			`)`
Adding logging. Raise ValidationError for validate_codes rather than returning a true or false. 2016-01-05 13:13:06 +00:00
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`from itsdangerous import SignatureExpired`

109526520: Implement verify flow When a person registers with a valid mobile number and email address, a code will be sent to each. That person can enter the verify codes and continue to the add-service page. 2015-12-07 16:08:30 +00:00			`from flask_login import login_user`
109526520: render verify template with VerifyForm 2015-12-04 16:21:01 +00:00
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`from notifications_python_client.errors import HTTPError`

109526520: Implement verify flow When a person registers with a valid mobile number and email address, a code will be sent to each. That person can enter the verify codes and continue to the add-service page. 2015-12-07 16:08:30 +00:00			`from app.main import main`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`from app.main.forms import TwoFactorForm`

			`from app import user_api_client`
109526520: render verify template with VerifyForm 2015-12-04 16:21:01 +00:00

Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`@main.route('/verify', methods=['GET', 'POST'])`
			`def verify():`
			`# TODO there needs to be a way to regenerate a session id`
Merge conflicts with master. 2016-01-05 17:24:13 +00:00			`# or handle gracefully.`
User registration now creates user via api. Verification flow is still to be completed. Foreign key constraint on verify codes to user table removed. 2016-01-19 22:47:42 +00:00			`user_id = session['user_details']['id']`

Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`def _check_code(code):`
			`return user_api_client.check_verify_code(user_id, code, 'sms')`
Only actually call api to verify code if both are present in form. 2016-03-10 14:48:33 +00:00
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`form = TwoFactorForm(_check_code)`
Change new invite registration flow to only need sms for verification. This may change again soon with story to split 2 factor pages, but for now is correct. 2016-03-11 16:36:15 +00:00
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00			`if form.validate_on_submit():`
Verify activate and login user with sms and email code 2016-01-20 15:13:15 +00:00			`try:`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`user = user_api_client.get_user(user_id)`
			`activated_user = user_api_client.activate_user(user)`
Verify activate and login user with sms and email code 2016-01-20 15:13:15 +00:00			`login_user(activated_user)`
			`return redirect(url_for('main.add_service', first='first'))`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`finally:`
Only actually call api to verify code if both are present in form. 2016-03-10 14:48:33 +00:00			`session.pop('user_details', None)`
User registration now creates user via api. Verification flow is still to be completed. Foreign key constraint on verify codes to user table removed. 2016-01-19 22:47:42 +00:00
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`return render_template('views/two-factor.html', form=form)`


			`@main.route('/verify-email/<token>')`
			`def verify_email(token):`
			`from utils.url_safe_token import check_token`
			`try:`
			`token_data = check_token(token,`
			`current_app.config['SECRET_KEY'],`
			`current_app.config['DANGEROUS_SALT'],`
			`current_app.config['EMAIL_EXPIRY_SECONDS'])`

			`token_data = json.loads(token_data)`
			`verified = user_api_client.check_verify_code(token_data['user_id'], token_data['secret_code'], 'email')`
If user is pending it means they have not verified email yet Added better checking on re use of consumed verification link. 2016-03-29 12:13:36 +01:00			`user = user_api_client.get_user(token_data['user_id'])`
			`if not user:`
			`abort(404)`

			`if user.is_active():`
Better flash message for users with active accounts who click on verification link again. 2016-03-29 13:21:51 +01:00			`flash("That verification link has expired.")`
If user is pending it means they have not verified email yet Added better checking on re use of consumed verification link. 2016-03-29 12:13:36 +01:00			`return redirect(url_for('main.sign_in'))`

			`session['user_details'] = {"email": user.email_address, "id": user.id}`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00			`if verified[0]:`
			`user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)`
			`return redirect('verify')`
			`else:`
When user clicks on verification link but doesn't complete verification, if they try to use link again the code will have been used. Therefore they will need a new email with new link to use for verification. 2016-03-22 13:38:35 +00:00			`if verified[1] == 'Code has expired':`
			`flash("The link in the email we sent you has expired. We've sent you a new one.")`
			`return redirect(url_for('main.resend_email_verification'))`
			`else:`
			`message = "There was a problem verifying your account. Error message: '{}'".format(verified[1])`
			`flash(message)`
			`return redirect(url_for('main.index'))`
Changed registration flow to first send email verification link that when visited sends sms code for second step of account verification. At that second step user enters just sms code sent to users mobile number. Also moved dao calls that simply proxied calls to client to calling client directly. There is still a place where a user will be a sent a code for verification to their email namely if they update email address. 2016-03-17 13:07:52 +00:00
			`except SignatureExpired:`
			`flash('The link in the email we sent you has expired')`
			`return redirect(url_for('main.resend_email_verification'))`