From 2e59870490a3ccc87ce2b9f8a32c01ca4607bf9c Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Tue, 8 Dec 2015 12:36:54 +0000 Subject: [PATCH] 109638656: Implement two factor verify flow When user enters valid sms code they are redirected to the dashboard. Otherwise, form errors are present. --- app/main/forms.py | 8 +++++ app/main/views/__init__.py | 2 +- app/main/views/register.py | 3 -- app/main/views/two_factor.py | 5 ++- app/templates/two-factor.html | 19 ++++++----- tests/app/main/views/test_two_factor.py | 43 ++++++++++++++++++++++--- 6 files changed, 63 insertions(+), 17 deletions(-) diff --git a/app/main/forms.py b/app/main/forms.py index 1dc7b4bed..5131b6696 100644 --- a/app/main/forms.py +++ b/app/main/forms.py @@ -44,6 +44,14 @@ class RegisterUserForm(Form): class TwoFactorForm(Form): sms_code = IntegerField('sms code', validators=[DataRequired(message='Please enter your code')]) + def validate_sms_code(self, a): + if self.sms_code.data is not None: + if checkpw(str(self.sms_code.data), session['sms_code']) is False: + self.sms_code.errors.append('Code does not match') + return False + else: + return True + class VerifyForm(Form): sms_code = StringField("Text message confirmation code", diff --git a/app/main/views/__init__.py b/app/main/views/__init__.py index 0b8514dda..11bc7331b 100644 --- a/app/main/views/__init__.py +++ b/app/main/views/__init__.py @@ -27,4 +27,4 @@ def send_email_code(email): except: raise AdminApiClientException('Exception when sending email.') - return email_code \ No newline at end of file + return email_code diff --git a/app/main/views/register.py b/app/main/views/register.py index c684e018c..cde44b1c5 100644 --- a/app/main/views/register.py +++ b/app/main/views/register.py @@ -43,6 +43,3 @@ def process_register(): else: return jsonify(form.errors), 400 return redirect('/verify') - - - diff --git a/app/main/views/two_factor.py b/app/main/views/two_factor.py index f96de1661..cbcedbfb1 100644 --- a/app/main/views/two_factor.py +++ b/app/main/views/two_factor.py @@ -1,7 +1,8 @@ -from flask import render_template, redirect, jsonify +from flask import render_template, redirect, jsonify, session from flask_login import login_user from app.main import main +from app.main.dao import users_dao from app.main.forms import TwoFactorForm @@ -15,6 +16,8 @@ def process_two_factor(): form = TwoFactorForm() if form.validate_on_submit(): + + user = users_dao.get_user_by_id(session['user_id']) login_user(user) return redirect('/dashboard') else: diff --git a/app/templates/two-factor.html b/app/templates/two-factor.html index 9f23831af..8e3274706 100644 --- a/app/templates/two-factor.html +++ b/app/templates/two-factor.html @@ -12,15 +12,18 @@ GOV.UK Notify | Text verification

We've sent you a text message with a verification code.

-

-

-

- Continue -

+
+ {{ form.hidden_tag() }} +

+
+ {{ form.sms_code(class="form-control-1-4", autocomplete="off") }}
+ I haven't received a text +

+

+ +

+
diff --git a/tests/app/main/views/test_two_factor.py b/tests/app/main/views/test_two_factor.py index bc99d4c9e..4e976d63d 100644 --- a/tests/app/main/views/test_two_factor.py +++ b/tests/app/main/views/test_two_factor.py @@ -1,3 +1,8 @@ +from datetime import datetime + +from app.main.dao import users_dao +from app.main.encryption import hashpw +from app.models import User def test_should_render_two_factor_page(notifications_admin, notifications_admin_db): @@ -7,8 +12,38 @@ def test_should_render_two_factor_page(notifications_admin, notifications_admin_ def test_should_login_user_and_redirect_to_dashboard(notifications_admin, notifications_admin_db): - response = notifications_admin.test_client().post('/two-factor', - data={'sms_code': '12345'}) + with notifications_admin.test_client() as client: + with client.session_transaction() as session: + user = _create_test_user() + session['user_id'] = user.id + session['sms_code'] = hashpw('12345') + response = client.post('/two-factor', + data={'sms_code': '12345'}) - assert response.status_code == 302 - assert response.location == 'http://localhost/dashboard' + assert response.status_code == 302 + assert response.location == 'http://localhost/dashboard' + + +def test_should_return_400_with_sms_code_error_when_sms_code_is_wrong(notifications_admin, notifications_admin_db): + with notifications_admin.test_client() as client: + with client.session_transaction() as session: + user = _create_test_user() + session['user_id'] = user.id + session['sms_code'] = hashpw('12345') + response = client.post('/two-factor', + data={'sms_code': '23456'}) + assert response.status_code == 400 + assert 'sms_code' in response.get_data(as_text=True) + assert 'Code does not match' in response.get_data(as_text=True) + + +def _create_test_user(): + user = User(name='Test User', + password='somepassword', + email_address='test@user.gov.uk', + mobile_number='+441234123412', + created_at=datetime.now(), + role_id=1, + state='pending') + users_dao.insert_user(user) + return user