app/main/views/two_factor.py


from flask import (
    render_template,
    redirect,
    session,
    url_for,
    request
)

from flask_login import login_user, current_user
from app.main import main
from app.main.dao import users_dao, services_dao
from app.main.forms import TwoFactorForm


@main.route('/two-factor', methods=['GET', 'POST'])
def two_factor():
    # TODO handle user_email not in session
    try:
        user_id = session['user_details']['id']
    except KeyError:
        return redirect('main.sign_in')

    def _check_code(code):
        return users_dao.check_verify_code(user_id, code, "sms")

    form = TwoFactorForm(_check_code)

    if form.validate_on_submit():
        try:
            user = users_dao.get_user_by_id(user_id)
            services = services_dao.get_services(user_id).get('data', [])
            # Check if coming from new password page
            if 'password' in session['user_details']:
                user.set_password(session['user_details']['password'])
                users_dao.update_user(user)
            login_user(user, remember=True)
        finally:
            del session['user_details']

        next_url = request.args.get('next')
        if next_url and _is_safe_redirect_url(next_url):
            return redirect(next_url)

        if current_user.platform_admin:
            return redirect(url_for('main.show_all_services'))
        if len(services) == 1:
            return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))
        else:
            return redirect(url_for('main.choose_service'))

    return render_template('views/two-factor.html', form=form)


# see http://flask.pocoo.org/snippets/62/
def _is_safe_redirect_url(target):
    from urllib.parse import urlparse, urljoin
    host_url = urlparse(request.host_url)
    redirect_url = urlparse(urljoin(request.host_url, target))
    return redirect_url.scheme in ('http', 'https') and \
        host_url.netloc == redirect_url.netloc
Add debugging to find issue. 2016-01-05 12:35:36 +00:00
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`from flask import (`
Removed remember me checkbox - remember me functionality always applied. 2016-03-07 14:39:20 +00:00			`render_template,`
			`redirect,`
			`session,`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00			`url_for,`
			`request`
Removed remember me checkbox - remember me functionality always applied. 2016-03-07 14:39:20 +00:00			`)`
Merge conflicts with master. 2016-01-05 17:24:13 +00:00
[WIP]: fixing unit tests 2016-03-18 10:49:22 +00:00			`from flask_login import login_user, current_user`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00			`from app.main import main`
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: Multiple services ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` One service ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` No services (you’ve deleted all your services) `Sign in` → `Enter two factor code` → `Choose service` → `Add new service` 2016-02-05 14:25:48 +00:00			`from app.main.dao import users_dao, services_dao`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00			`from app.main.forms import TwoFactorForm`


Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`@main.route('/two-factor', methods=['GET', 'POST'])`
			`def two_factor():`
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised. 2016-01-07 12:43:10 +00:00			`# TODO handle user_email not in session`
Remember me functionality added and tested. Merge extra. Fixed comment. 2016-02-23 15:45:19 +00:00			`try:`
			`user_id = session['user_details']['id']`
			`except KeyError:`
			`return redirect('main.sign_in')`
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00
			`def _check_code(code):`
			`return users_dao.check_verify_code(user_id, code, "sms")`

			`form = TwoFactorForm(_check_code)`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00
			`if form.validate_on_submit():`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`try:`
			`user = users_dao.get_user_by_id(user_id)`
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: Multiple services ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` One service ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` No services (you’ve deleted all your services) `Sign in` → `Enter two factor code` → `Choose service` → `Add new service` 2016-02-05 14:25:48 +00:00			`services = services_dao.get_services(user_id).get('data', [])`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`# Check if coming from new password page`
			`if 'password' in session['user_details']:`
			`user.set_password(session['user_details']['password'])`
			`users_dao.update_user(user)`
Removed remember me checkbox - remember me functionality always applied. 2016-03-07 14:39:20 +00:00			`login_user(user, remember=True)`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`finally:`
			`del session['user_details']`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00
			`next_url = request.args.get('next')`
			`if next_url and _is_safe_redirect_url(next_url):`
			`return redirect(next_url)`

[WIP]: fixing unit tests 2016-03-18 10:49:22 +00:00			`if current_user.platform_admin:`
			`return redirect(url_for('main.show_all_services'))`
Added a test to check that the password is updated when the password exists in the session object on the two-factor page. 2016-03-08 14:58:29 +00:00			`if len(services) == 1:`
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: Multiple services ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` One service ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` No services (you’ve deleted all your services) `Sign in` → `Enter two factor code` → `Choose service` → `Add new service` 2016-02-05 14:25:48 +00:00			`return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))`
			`else:`
			`return redirect(url_for('main.choose_service'))`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00
			`return render_template('views/two-factor.html', form=form)`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00

			`# see http://flask.pocoo.org/snippets/62/`
			`def _is_safe_redirect_url(target):`
			`from urllib.parse import urlparse, urljoin`
			`host_url = urlparse(request.host_url)`
			`redirect_url = urlparse(urljoin(request.host_url, target))`
			`return redirect_url.scheme in ('http', 'https') and \`
			`host_url.netloc == redirect_url.netloc`