Better Error Handling

mfa/FIDO2.py

@@ -12,7 +12,7 @@ from django.conf import settings
 from .models import *
 from fido2.utils import websafe_decode,websafe_encode
 from fido2.ctap2 import AttestedCredentialData
-from .views import login
+from .views import login,reset_cookie
 import datetime
 from django.utils import timezone
 
@@ -87,54 +87,60 @@ def authenticate_begin(request):
 
 @csrf_exempt
 def authenticate_complete(request):
-    credentials = []
-    username=request.session.get("base_username",request.user.username)
-    server=getServer()
-    credentials=getUserCredentials(username)
-    data = cbor.decode(request.body)
-    credential_id = data['credentialId']
-    client_data = ClientData(data['clientDataJSON'])
-    auth_data = AuthenticatorData(data['authenticatorData'])
-    signature = data['signature']
     try:
-        cred = server.authenticate_complete(
-            request.session.pop('fido_state'),
-            credentials,
-            credential_id,
-            client_data,
-            auth_data,
-            signature
-        )
-    except ValueError:
-        return HttpResponse(simplejson.dumps({'status': "ERR", "message": "Wrong challenge received, make sure that this is your security and try again."}),
-                            content_type = "application/json")
-    except Exception as excep:
+        credentials = []
+        username=request.session.get("base_username",request.user.username)
+        server=getServer()
+        credentials=getUserCredentials(username)
+        data = cbor.decode(request.body)
+        credential_id = data['credentialId']
+        client_data = ClientData(data['clientDataJSON'])
+        auth_data = AuthenticatorData(data['authenticatorData'])
+        signature = data['signature']
         try:
-            from raven.contrib.django.raven_compat.models import client
-            client.captureException()
-        except:
-            pass
-        return HttpResponse(simplejson.dumps({'status': "ERR",
-                                              "message": "Err: " + excep.message}),
-                            content_type = "application/json")
+            cred = server.authenticate_complete(
+                request.session.pop('fido_state'),
+                credentials,
+                credential_id,
+                client_data,
+                auth_data,
+                signature
+            )
+        except ValueError:
+            return HttpResponse(simplejson.dumps({'status': "ERR", "message": "Wrong challenge received, make sure that this is your security and try again."}),
+                                content_type = "application/json")
+        except Exception as excep:
+            try:
+                from raven.contrib.django.raven_compat.models import client
+                client.captureException()
+            except:
+                pass
+            return HttpResponse(simplejson.dumps({'status': "ERR",
+                                                  "message": excep.message}),
+                                content_type = "application/json")
 
-    if request.session.get("mfa_recheck",False):
-        import time
-        request.session["mfa"]["rechecked_at"]=time.time()
-        return HttpResponse(simplejson.dumps({'status': "OK"}),
-                            content_type="application/json")
-    else:
-        import random
-        keys = User_Keys.objects.filter(username=username, key_type="FIDO2", enabled=1)
-        for k in keys:
-            if AttestedCredentialData(websafe_decode(k.properties["device"])).credential_id == cred.credential_id:
-                k.last_used = timezone.now()
-                k.save()
-                mfa = {"verified": True, "method": "FIDO2",'id':k.id}
-                if getattr(settings, "MFA_RECHECK", False):
-                    mfa["next_check"] = int((datetime.datetime.now()+ datetime.timedelta(
-                    seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))).strftime("%s"))
-                request.session["mfa"] = mfa
-                res=login(request)
-                return HttpResponse(simplejson.dumps({'status':"OK","redirect":res["location"]}),content_type="application/json")
-    return HttpResponse(simplejson.dumps({'status': "ERR","message":"Unknown error happened"}),content_type="application/json")
+        if request.session.get("mfa_recheck",False):
+            import time
+            request.session["mfa"]["rechecked_at"]=time.time()
+            return HttpResponse(simplejson.dumps({'status': "OK"}),
+                                content_type="application/json")
+        else:
+            import random
+            keys = User_Keys.objects.filter(username=username, key_type="FIDO2", enabled=1)
+            for k in keys:
+                if AttestedCredentialData(websafe_decode(k.properties["device"])).credential_id == cred.credential_id:
+                    k.last_used = timezone.now()
+                    k.save()
+                    mfa = {"verified": True, "method": "FIDO2",'id':k.id}
+                    if getattr(settings, "MFA_RECHECK", False):
+                        mfa["next_check"] = int((datetime.datetime.now()+ datetime.timedelta(
+                        seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))).strftime("%s"))
+                    request.session["mfa"] = mfa
+                    if not request.user.is_authenticated():
+                        res=login(request)
+                        if not "location" in res: return reset_cookie(request)
+                        return HttpResponse(simplejson.dumps({'status':"OK","redirect":res["location"]}),content_type="application/json")
+                    return HttpResponse(simplejson.dumps({'status': "OK"}),
+                                        content_type = "application/json")
+    except Exception as exp:
+        return HttpResponse(simplejson.dumps({'status': "ERR","message":exp.message}),content_type="application/json")

mfa/templates/FIDO2/recheck.html

@@ -82,7 +82,7 @@
           }
           else {
               $("#msgdiv").addClass("alert alert-danger").removeClass("alert-success")
-                $("#res").html("<div class='alert alert-danger'>Verification Failed as " + res["message"] + ", <a href='javascript:void(0)' onclick='authen())'> try again or <a href='javascript:void(0)' onclick='history.back()'> Go Back</a></div>")
+                $("#msgdiv").html("Verification Failed as " + res.message + ", <a href='javascript:void(0)' onclick='authen())'> try again</a> or <a href='javascript:void(0)' onclick='history.back()'> Go Back</a>")
 
               {%  if mode == "auth" %}
 

mfa/urls.py

@@ -27,10 +27,7 @@ urlpatterns = [
     url(r'fido2/complete_auth', FIDO2.authenticate_complete, name="fido2_complete_auth"),
     url(r'fido2/begin_reg', FIDO2.begin_registeration, name="fido2_begin_reg"),
     url(r'fido2/complete_reg', FIDO2.complete_reg, name="fido2_complete_reg"),
-    url(r'u2f/bind', U2F.bind, name="bind_u2f"),
-    url(r'u2f/auth', U2F.auth, name="u2f_auth"),
-    url(r'u2f/process_recheck', U2F.process_recheck, name="u2f_recheck"),
-    url(r'u2f/verify', U2F.verify, name="u2f_verify"),
+    url(r'fido2/recheck', FIDO2.recheck, name="fido2_recheck"),
 
 
     url(r'td/$', TrustedDevice.start, name="start_td"),

setup.py

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 
 setup(
     name='django-mfa2',
-    version='1.7.5',
+    version='1.7.11',
     description='Allows user to add 2FA to their accounts',
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",