Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised.

2026-02-05 10:53:28 -05:00 · 2016-01-07 12:43:10 +00:00
parent 10c2978f85
commit 7001d8261d
17 changed files with 162 additions and 119 deletions
--- a/app/main/validators.py
+++ b/app/main/validators.py
@@ -1,4 +1,6 @@
 from wtforms import ValidationError
+from datetime import datetime
+from app.main.encryption import check_hash


 class Blacklist(object):
@@ -10,3 +12,29 @@ class Blacklist(object):
    def __call__(self, form, field):
        if field.data in ['password1234', 'passw0rd1234']:
            raise ValidationError(self.message)
+
+
+class ValidateUserCodes(object):
+    def __init__(self,
+                 expiry_msg='Code has expired',
+                 invalid_msg='Code does not match',
+                 code_type=None):
+        self.expiry_msg = expiry_msg
+        self.invalid_msg = invalid_msg
+        self.code_type = code_type
+
+    def __call__(self, form, field):
+        # TODO would be great to do this sql query but
+        # not couple those parts of the code.
+        user_codes = getattr(form, 'user_codes', [])
+        valid_code = False
+        for code in user_codes:
+            if check_hash(field.data, code.code) and self.code_type == code.code_type:
+                if code.expiry_datetime <= datetime.now():
+                    raise ValidationError(self.expiry_msg)
+                else:
+                    # Valid code
+                    valid_code = True
+                    break
+        if not valid_code:
+            raise ValidationError(self.invalid_msg)