app/main/views/two_factor.py

import json

from flask import current_app, redirect, render_template, request, session, url_for
from flask_login import current_user
from itsdangerous import SignatureExpired

from app import user_api_client
from app.main import main
from app.main.forms import TwoFactorForm
from app.models.user import User
from app.utils.login import (
    email_needs_revalidating,
    log_in_user,
    redirect_to_sign_in,
    redirect_when_logged_in,
)
from notifications_utils.url_safe_token import check_token


@main.route("/two-factor-email-sent", methods=["GET"])
def two_factor_email_sent():
    title = "Email resent" if request.args.get("email_resent") else "Check your email"
    return render_template(
        "views/two-factor-email.html",
        title=title,
        redirect_url=request.args.get("next"),
    )


@main.route("/email-auth/<token>", methods=["GET"])
def two_factor_email_interstitial(token):
    return render_template("views/email-link-interstitial.html")


@main.route("/email-auth/<token>", methods=["POST"])
def two_factor_email(token):
    redirect_url = request.args.get("next")
    if current_user.is_authenticated:
        return redirect_when_logged_in(platform_admin=current_user.platform_admin)

    # checks url is valid, and hasn't timed out
    try:
        token_data = json.loads(
            check_token(
                token,
                current_app.config["SECRET_KEY"],
                current_app.config["DANGEROUS_SALT"],
                current_app.config["EMAIL_EXPIRY_SECONDS"],
            )
        )
    except SignatureExpired:
        return render_template(
            "views/email-link-invalid.html", redirect_url=redirect_url
        )

    user_id = token_data["user_id"]
    # checks if code was already used
    logged_in, msg = user_api_client.check_verify_code(
        user_id, token_data["secret_code"], "email"
    )

    if not logged_in:
        return render_template(
            "views/email-link-invalid.html", redirect_url=redirect_url
        )
    return log_in_user(user_id)


@main.route("/two-factor-sms", methods=["GET", "POST"])
@redirect_to_sign_in
def two_factor_sms():
    user_id = session["user_details"]["id"]
    user = User.from_id(user_id)

    def _check_code(code):
        return user_api_client.check_verify_code(user_id, code, "sms")

    form = TwoFactorForm(_check_code)
    redirect_url = request.args.get("next")

    if form.validate_on_submit():
        if email_needs_revalidating(user):
            user_api_client.send_verify_code(user.id, "email", None, redirect_url)
            return redirect(url_for(".revalidate_email_sent", next=redirect_url))
        else:
            return log_in_user(user_id)

    return render_template(
        "views/two-factor-sms.html", form=form, redirect_url=redirect_url
    )


@main.route("/re-validate-email", methods=["GET"])
def revalidate_email_sent():
    title = "Email resent" if request.args.get("email_resent") else "Check your email"
    redirect_url = request.args.get("next")
    return render_template(
        "views/re-validate-email-sent.html", title=title, redirect_url=redirect_url
    )
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`import json`
Enforce order and style of imports Done using isort[1], with the following command: ``` isort -rc ./app ./tests ``` Adds linting to the `run_tests.sh` script to stop badly-sorted imports getting re-introduced. Chosen style is ‘Vertical Hanging Indent’ with trailing commas, because I think it gives the cleanest diffs, eg: ``` from third_party import ( lib1, lib2, lib3, lib4, ) ``` 1. https://pypi.python.org/pypi/isort 2018-02-20 11:22:17 +00:00
merge from main 2023-08-25 08:57:24 -07:00			`from flask import current_app, redirect, render_template, request, session, url_for`
Make user API client return JSON, not a model The data flow of other bits of our application looks like this: ``` API (returns JSON) ⬇ API client (returns a built in type, usually `dict`) ⬇ Model (returns an instance, eg of type `Service`) ⬇ View (returns HTML) ``` The user API client was architected weirdly, in that it returned a model directly, like this: ``` API (returns JSON) ⬇ API client (returns a model, of type `User`, `InvitedUser`, etc) ⬇ View (returns HTML) ``` This mixing of different layers of the application is bad because it makes it hard to write model code that doesn’t have circular dependencies. As our application gets more complicated we will be relying more on models to manage this complexity, so we should make it easy, not hard to write them. It also means that most of our mocking was of the User model, not just the underlying JSON. So it would have been easy to introduce subtle bugs to the user model, because it wasn’t being comprehensively tested. A lot of the changed lines of code in this commit mean changing the tests to mock only the JSON, which means that the model layer gets implicitly tested. For those reasons this commit changes the user API client to return JSON, not an instance of `User` or other models. 2019-05-23 15:27:35 +01:00			`from flask_login import current_user`
Enforce order and style of imports Done using isort[1], with the following command: ``` isort -rc ./app ./tests ``` Adds linting to the `run_tests.sh` script to stop badly-sorted imports getting re-introduced. Chosen style is ‘Vertical Hanging Indent’ with trailing commas, because I think it gives the cleanest diffs, eg: ``` from third_party import ( lib1, lib2, lib3, lib4, ) ``` 1. https://pypi.python.org/pypi/isort 2018-02-20 11:22:17 +00:00			`from itsdangerous import SignatureExpired`

redirect to show_accounts_or_dashboard on login show_accounts_or_dashboard has logic about where you should redirect to. If we let it do this, then that's nicer than duplicating its logic. We found that it wasn't accounting for orgs in redirects properly. 2018-03-19 16:38:57 +00:00			`from app import user_api_client`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00			`from app.main import main`
			`from app.main.forms import TwoFactorForm`
Make user API client return JSON, not a model The data flow of other bits of our application looks like this: ``` API (returns JSON) ⬇ API client (returns a built in type, usually `dict`) ⬇ Model (returns an instance, eg of type `Service`) ⬇ View (returns HTML) ``` The user API client was architected weirdly, in that it returned a model directly, like this: ``` API (returns JSON) ⬇ API client (returns a model, of type `User`, `InvitedUser`, etc) ⬇ View (returns HTML) ``` This mixing of different layers of the application is bad because it makes it hard to write model code that doesn’t have circular dependencies. As our application gets more complicated we will be relying more on models to manage this complexity, so we should make it easy, not hard to write them. It also means that most of our mocking was of the User model, not just the underlying JSON. So it would have been easy to introduce subtle bugs to the user model, because it wasn’t being comprehensively tested. A lot of the changed lines of code in this commit mean changing the tests to mock only the JSON, which means that the model layer gets implicitly tested. For those reasons this commit changes the user API client to return JSON, not an instance of `User` or other models. 2019-05-23 15:27:35 +01:00			`from app.models.user import User`
Extract login utils out of two_factor view This better reflects how the code is reused in other views and is not specific to two factor actions. We have a pattern of testing utility functionality for each view (as opposed to testing the util + the view calls the util), so I'm leaving the tests as-is. 2021-06-14 11:15:57 +01:00			`from app.utils.login import (`
DRY-up email revalidation check Previously this was duplicated between the "two_factor" and the "webauthn" views, and required more test setup. This DRYs up the check and tests it once, using mocks to simplify the view tests. As part of DRYing up the check into a util module, I've also moved the "is_less_than_days_ago" function it uses. 2021-06-14 12:40:12 +01:00			`email_needs_revalidating,`
Extract login utils out of two_factor view This better reflects how the code is reused in other views and is not specific to two factor actions. We have a pattern of testing utility functionality for each view (as opposed to testing the util + the view calls the util), so I'm leaving the tests as-is. 2021-06-14 11:15:57 +01:00			`log_in_user,`
			`redirect_to_sign_in,`
			`redirect_when_logged_in,`
			`)`
Localize notification_utils to the admin This changeset pulls in all of the notification_utils code directly into the admin and removes it as an external dependency. We are doing this to cut down on operational maintenance of the project and will begin removing parts of it no longer needed for the admin. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov> 2024-05-16 10:37:37 -04:00			`from notifications_utils.url_safe_token import check_token`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00

notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`@main.route("/two-factor-email-sent", methods=["GET"])`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`def two_factor_email_sent():`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`title = "Email resent" if request.args.get("email_resent") else "Check your email"`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`return render_template(`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`"views/two-factor-email.html",`
Turn on redirects for two_factor_email_sent This is part of the work to make sure user is redirected to the page they initially were meant to visit after they sign in. 2020-10-09 11:41:24 +01:00			`title=title,`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`redirect_url=request.args.get("next"),`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`)`


notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`@main.route("/email-auth/<token>", methods=["GET"])`
Add interstitial page before using email auth token Some email clients will pre-fetch links in emails to check whether they’re safe. This has the unfortunate side effect of claiming the token that’s in the link. Long term, we don’t want to let the link be used multiple times, because this reduces how secure it is (eg someone with access to your browser history could re-use the link even if you’d signed out). Instead, this commit adds an extra page which is served when the user clicks the link from the email. This page includes a form which submits to the actual URL that uses the token, thereby not claiming the token as soon as the page is loaded. For convenience, this page also includes some Javascript which clicks the link on the user’s behalf. If the user has Javascript turned off they will see the link and can click it themselves. This is going on the assumption that whatever the email clients are doing when prefetching the link doesn’t involve running any Javascript. This Javascript is inlined so that: - it is run as fast as possible - it’s more resilient – even if our assets domain is unreachable or the connection is interrupted, it will still run 2020-05-04 12:27:51 +01:00			`def two_factor_email_interstitial(token):`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`return render_template("views/email-link-interstitial.html")`
Add interstitial page before using email auth token Some email clients will pre-fetch links in emails to check whether they’re safe. This has the unfortunate side effect of claiming the token that’s in the link. Long term, we don’t want to let the link be used multiple times, because this reduces how secure it is (eg someone with access to your browser history could re-use the link even if you’d signed out). Instead, this commit adds an extra page which is served when the user clicks the link from the email. This page includes a form which submits to the actual URL that uses the token, thereby not claiming the token as soon as the page is loaded. For convenience, this page also includes some Javascript which clicks the link on the user’s behalf. If the user has Javascript turned off they will see the link and can click it themselves. This is going on the assumption that whatever the email clients are doing when prefetching the link doesn’t involve running any Javascript. This Javascript is inlined so that: - it is run as fast as possible - it’s more resilient – even if our assets domain is unreachable or the connection is interrupted, it will still run 2020-05-04 12:27:51 +01:00

notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`@main.route("/email-auth/<token>", methods=["POST"])`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`def two_factor_email(token):`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`redirect_url = request.args.get("next")`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`if current_user.is_authenticated:`
Make user API client return JSON, not a model The data flow of other bits of our application looks like this: ``` API (returns JSON) ⬇ API client (returns a built in type, usually `dict`) ⬇ Model (returns an instance, eg of type `Service`) ⬇ View (returns HTML) ``` The user API client was architected weirdly, in that it returned a model directly, like this: ``` API (returns JSON) ⬇ API client (returns a model, of type `User`, `InvitedUser`, etc) ⬇ View (returns HTML) ``` This mixing of different layers of the application is bad because it makes it hard to write model code that doesn’t have circular dependencies. As our application gets more complicated we will be relying more on models to manage this complexity, so we should make it easy, not hard to write them. It also means that most of our mocking was of the User model, not just the underlying JSON. So it would have been easy to introduce subtle bugs to the user model, because it wasn’t being comprehensively tested. A lot of the changed lines of code in this commit mean changing the tests to mock only the JSON, which means that the model layer gets implicitly tested. For those reasons this commit changes the user API client to return JSON, not an instance of `User` or other models. 2019-05-23 15:27:35 +01:00			`return redirect_when_logged_in(platform_admin=current_user.platform_admin)`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00
			`# checks url is valid, and hasn't timed out`
			`try:`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`token_data = json.loads(`
			`check_token(`
			`token,`
			`current_app.config["SECRET_KEY"],`
			`current_app.config["DANGEROUS_SALT"],`
			`current_app.config["EMAIL_EXPIRY_SECONDS"],`
			`)`
			`)`
bump reqs 2018-11-13 10:49:35 +00:00			`except SignatureExpired:`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`return render_template(`
			`"views/email-link-invalid.html", redirect_url=redirect_url`
			`)`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`user_id = token_data["user_id"]`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`# checks if code was already used`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`logged_in, msg = user_api_client.check_verify_code(`
			`user_id, token_data["secret_code"], "email"`
			`)`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00
			`if not logged_in:`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`return render_template(`
			`"views/email-link-invalid.html", redirect_url=redirect_url`
			`)`
alter login flow to allow for email auth login 2017-11-07 16:11:31 +00:00			`return log_in_user(user_id)`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00

notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`@main.route("/two-factor-sms", methods=["GET", "POST"])`
when not logged in, redirect to sign-in parts of the initial setup/login stages were throwing 500s if user not already in process (ie: user directly navigated to url): * /resend-email-verification * /text-not-received * /send-new-code * verify 2016-06-17 11:36:30 +01:00			`@redirect_to_sign_in`
rename two_factor to two_factor_sms it's a bit confusing now that there are three endpoints. the other two are already renamed two_factor_email and two_factor_webauthn 2021-05-14 19:15:12 +01:00			`def two_factor_sms():`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`user_id = session["user_details"]["id"]`
Send 2fa email and move user to waiting page when they need to re-validate email access 2020-01-27 18:10:45 +00:00			`user = User.from_id(user_id)`
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00
			`def _check_code(code):`
Merging conflict with two_factor.py Fixed merge mistake with two_factor.py. 2016-03-30 09:58:10 +01:00			`return user_api_client.check_verify_code(user_id, code, "sms")`
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00
			`form = TwoFactorForm(_check_code)`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`redirect_url = request.args.get("next")`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00
			`if form.validate_on_submit():`
DRY-up email revalidation check Previously this was duplicated between the "two_factor" and the "webauthn" views, and required more test setup. This DRYs up the check and tests it once, using mocks to simplify the view tests. As part of DRYing up the check into a util module, I've also moved the "is_less_than_days_ago" function it uses. 2021-06-14 12:40:12 +01:00			`if email_needs_revalidating(user):`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`user_api_client.send_verify_code(user.id, "email", None, redirect_url)`
			`return redirect(url_for(".revalidate_email_sent", next=redirect_url))`
DRY-up email revalidation check Previously this was duplicated between the "two_factor" and the "webauthn" views, and required more test setup. This DRYs up the check and tests it once, using mocks to simplify the view tests. As part of DRYing up the check into a util module, I've also moved the "is_less_than_days_ago" function it uses. 2021-06-14 12:40:12 +01:00			`else:`
			`return log_in_user(user_id)`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`return render_template(`
			`"views/two-factor-sms.html", form=form, redirect_url=redirect_url`
			`)`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00

notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`@main.route("/re-validate-email", methods=["GET"])`
Send 2fa email and move user to waiting page when they need to re-validate email access 2020-01-27 18:10:45 +00:00			`def revalidate_email_sent():`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`title = "Email resent" if request.args.get("email_resent") else "Check your email"`
			`redirect_url = request.args.get("next")`
			`return render_template(`
			`"views/re-validate-email-sent.html", title=title, redirect_url=redirect_url`
			`)`