109638656: Implement two factor verify flow

When user enters valid sms code they are redirected to the dashboard. Otherwise, form errors are present.
2026-02-06 03:13:42 -05:00 · 2015-12-08 12:36:54 +00:00
parent c946f85f9d
commit 2e59870490
6 changed files with 63 additions and 17 deletions
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -44,6 +44,14 @@ class RegisterUserForm(Form):
 class TwoFactorForm(Form):
    sms_code = IntegerField('sms code', validators=[DataRequired(message='Please enter your code')])

+    def validate_sms_code(self, a):
+        if self.sms_code.data is not None:
+            if checkpw(str(self.sms_code.data), session['sms_code']) is False:
+                self.sms_code.errors.append('Code does not match')
+                return False
+        else:
+            return True
+

 class VerifyForm(Form):
    sms_code = StringField("Text message confirmation code",
--- a/app/main/views/init.py
+++ b/app/main/views/init.py
@@ -27,4 +27,4 @@ def send_email_code(email):
    except:
        raise AdminApiClientException('Exception when sending email.')

-    return email_code
+    return email_code
--- a/app/main/views/register.py
+++ b/app/main/views/register.py
@@ -43,6 +43,3 @@ def process_register():
    else:
        return jsonify(form.errors), 400
    return redirect('/verify')
-
-
-
--- a/app/main/views/two_factor.py
+++ b/app/main/views/two_factor.py
@@ -1,7 +1,8 @@
-from flask import render_template, redirect, jsonify
+from flask import render_template, redirect, jsonify, session
 from flask_login import login_user

 from app.main import main
+from app.main.dao import users_dao
 from app.main.forms import TwoFactorForm


@@ -15,6 +16,8 @@ def process_two_factor():
    form = TwoFactorForm()

    if form.validate_on_submit():
+
+        user = users_dao.get_user_by_id(session['user_id'])
        login_user(user)
        return redirect('/dashboard')
    else:
--- a/app/templates/two-factor.html
+++ b/app/templates/two-factor.html
@@ -12,15 +12,18 @@ GOV.UK Notify | Text verification

 		<p>We've sent you a text message with a verification code.</p>

-  		<p>
-  		<label class="form-label" for="email">Enter verification code<br>
-  		<input class="form-control-1-4" id="email" type="text"><br>
-  		<span class="font-xsmall"><a href="verification-not-received">I haven't received a text</a></span>
-  		</p>

-  		<p>
-  		<a class="button" href="dashboard" role="button">Continue</a>
-  		</p>
+		<form autocomplete="off" action="" method="post">
+			{{ form.hidden_tag() }}
+  			<p>
+				<label class="form-label">Enter verification code</label><br>
+				{{ form.sms_code(class="form-control-1-4", autocomplete="off") }} <br>
+				<span class="font-xsmall"><a href="verification-not-received">I haven't received a text</a></span>
+  			</p>
+  			<p>
+  			<button class="button" href="dashboard" role="button">Continue</button>
+  			</p>
+		</form>
 	</div>
 </div>

--- a/tests/app/main/views/test_two_factor.py
+++ b/tests/app/main/views/test_two_factor.py
@@ -1,3 +1,8 @@
+from datetime import datetime
+
+from app.main.dao import users_dao
+from app.main.encryption import hashpw
+from app.models import User


 def test_should_render_two_factor_page(notifications_admin, notifications_admin_db):
@@ -7,8 +12,38 @@ def test_should_render_two_factor_page(notifications_admin, notifications_admin_


 def test_should_login_user_and_redirect_to_dashboard(notifications_admin, notifications_admin_db):
-    response = notifications_admin.test_client().post('/two-factor',
-                                                      data={'sms_code': '12345'})
+    with notifications_admin.test_client() as client:
+        with client.session_transaction() as session:
+            user = _create_test_user()
+            session['user_id'] = user.id
+            session['sms_code'] = hashpw('12345')
+        response = client.post('/two-factor',
+                               data={'sms_code': '12345'})

-    assert response.status_code == 302
-    assert response.location == 'http://localhost/dashboard'
+        assert response.status_code == 302
+        assert response.location == 'http://localhost/dashboard'
+
+
+def test_should_return_400_with_sms_code_error_when_sms_code_is_wrong(notifications_admin, notifications_admin_db):
+    with notifications_admin.test_client() as client:
+        with client.session_transaction() as session:
+            user = _create_test_user()
+            session['user_id'] = user.id
+            session['sms_code'] = hashpw('12345')
+        response = client.post('/two-factor',
+                               data={'sms_code': '23456'})
+        assert response.status_code == 400
+        assert 'sms_code' in response.get_data(as_text=True)
+        assert 'Code does not match' in response.get_data(as_text=True)
+
+
+def _create_test_user():
+    user = User(name='Test User',
+                password='somepassword',
+                email_address='test@user.gov.uk',
+                mobile_number='+441234123412',
+                created_at=datetime.now(),
+                role_id=1,
+                state='pending')
+    users_dao.insert_user(user)
+    return user