app/main/views/two_factor.py


from flask import (
    render_template,
    redirect,
    session,
    url_for,
    request
)

from flask_login import login_user, current_user
from app.main import main
from app.main.forms import TwoFactorForm
from app import service_api_client
from app import user_api_client


@main.route('/two-factor', methods=['GET', 'POST'])
def two_factor():
    # TODO handle user_email not in session
    try:
        user_id = session['user_details']['id']
    except KeyError:
        return redirect('main.sign_in')

    def _check_code(code):
        return user_api_client.check_verify_code(user_id, code, "sms")

    form = TwoFactorForm(_check_code)

    if form.validate_on_submit():
        try:
            user = user_api_client.get_user(user_id)
            services = service_api_client.get_services({'user_id': str(user_id)}).get('data', [])
            # Check if coming from new password page
            if 'password' in session['user_details']:
                user.set_password(session['user_details']['password'])
                user_api_client.update_user(user)
            login_user(user, remember=True)
        finally:
            del session['user_details']

        next_url = request.args.get('next')
        if next_url and _is_safe_redirect_url(next_url):
            return redirect(next_url)

        if current_user.platform_admin:
            return redirect(url_for('main.show_all_services'))
        if len(services) == 1:
            return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))
        else:
            return redirect(url_for('main.choose_service'))

    return render_template('views/two-factor.html', form=form)


# see http://flask.pocoo.org/snippets/62/
def _is_safe_redirect_url(target):
    from urllib.parse import urlparse, urljoin
    host_url = urlparse(request.host_url)
    redirect_url = urlparse(urljoin(request.host_url, target))
    return redirect_url.scheme in ('http', 'https') and \
        host_url.netloc == redirect_url.netloc
Add debugging to find issue. 2016-01-05 12:35:36 +00:00
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`from flask import (`
Removed remember me checkbox - remember me functionality always applied. 2016-03-07 14:39:20 +00:00			`render_template,`
			`redirect,`
			`session,`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00			`url_for,`
			`request`
Removed remember me checkbox - remember me functionality always applied. 2016-03-07 14:39:20 +00:00			`)`
Merge conflicts with master. 2016-01-05 17:24:13 +00:00
[WIP]: fixing unit tests 2016-03-18 10:49:22 +00:00			`from flask_login import login_user, current_user`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00			`from app.main import main`
			`from app.main.forms import TwoFactorForm`
Merge with master. 2016-03-29 22:50:40 +01:00			`from app import service_api_client`
Merging conflict with two_factor.py Fixed merge mistake with two_factor.py. 2016-03-30 09:58:10 +01:00			`from app import user_api_client`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00

Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`@main.route('/two-factor', methods=['GET', 'POST'])`
			`def two_factor():`
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised. 2016-01-07 12:43:10 +00:00			`# TODO handle user_email not in session`
Remember me functionality added and tested. Merge extra. Fixed comment. 2016-02-23 15:45:19 +00:00			`try:`
			`user_id = session['user_details']['id']`
			`except KeyError:`
			`return redirect('main.sign_in')`
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00
			`def _check_code(code):`
Merging conflict with two_factor.py Fixed merge mistake with two_factor.py. 2016-03-30 09:58:10 +01:00			`return user_api_client.check_verify_code(user_id, code, "sms")`
Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00
			`form = TwoFactorForm(_check_code)`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00
			`if form.validate_on_submit():`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`try:`
Merging conflict with two_factor.py Fixed merge mistake with two_factor.py. 2016-03-30 09:58:10 +01:00			`user = user_api_client.get_user(user_id)`
Merge with master. 2016-03-29 22:50:40 +01:00			`services = service_api_client.get_services({'user_id': str(user_id)}).get('data', [])`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`# Check if coming from new password page`
			`if 'password' in session['user_details']:`
			`user.set_password(session['user_details']['password'])`
Merging conflict with two_factor.py Fixed merge mistake with two_factor.py. 2016-03-30 09:58:10 +01:00			`user_api_client.update_user(user)`
Removed remember me checkbox - remember me functionality always applied. 2016-03-07 14:39:20 +00:00			`login_user(user, remember=True)`
Review comment fixes. 2016-01-28 11:34:15 +00:00			`finally:`
			`del session['user_details']`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00
			`next_url = request.args.get('next')`
			`if next_url and _is_safe_redirect_url(next_url):`
			`return redirect(next_url)`

[WIP]: fixing unit tests 2016-03-18 10:49:22 +00:00			`if current_user.platform_admin:`
			`return redirect(url_for('main.show_all_services'))`
Added a test to check that the password is updated when the password exists in the session object on the two-factor page. 2016-03-08 14:58:29 +00:00			`if len(services) == 1:`
Skip ‘choose service’ page if user has one service We used to do this by redirecting on the choose service page. However when we lost the dropdown and this page also became the page for adding a new service (in 3617f2e936aadbdf71d582e58d88a16629ee5ca2) the redirect was removed. This commit re-adds the redirect on the two factor page, so that it only happens on first login. So the flows are: Multiple services ``` `Sign in` → `Enter two factor code` → `Choose service` → `Service dashboard` ``` One service ``` `Sign in` → `Enter two factor code` → `Service dashboard` ``` No services (you’ve deleted all your services) `Sign in` → `Enter two factor code` → `Choose service` → `Add new service` 2016-02-05 14:25:48 +00:00			`return redirect(url_for('main.service_dashboard', service_id=services[0]['id']))`
			`else:`
			`return redirect(url_for('main.choose_service'))`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00
			`return render_template('views/two-factor.html', form=form)`
The verify view was not passing along the next param to the two factor view. Now if it is passed and it is a url on the same domain that request originates from then it is used. 2016-03-14 16:30:48 +00:00

			`# see http://flask.pocoo.org/snippets/62/`
			`def _is_safe_redirect_url(target):`
			`from urllib.parse import urlparse, urljoin`
			`host_url = urlparse(request.host_url)`
			`redirect_url = urlparse(urljoin(request.host_url, target))`
			`return redirect_url.scheme in ('http', 'https') and \`
			`host_url.netloc == redirect_url.netloc`