Use only one key/user for backup codes, better UX, handle recovery mode deactivation

2022-08-20 20:07:36 +02:00
parent 3ac893ad50
commit 98e9df8a23
5 changed files with 67 additions and 48 deletions
--- a/mfa/totp.py
+++ b/mfa/totp.py
@@ -41,24 +41,29 @@ def recheck(request):
 def auth(request):
    context=csrf(request)
    if request.method=="POST":
-        res=verify_login(request,request.session["base_username"],token = request.POST["otp"])
-        resBackup=recovery.verify_login(request.session["base_username"], token=request.POST["otp"])
-        if res[0]:
-            mfa = {"verified": True, "method": "TOTP","id":res[1]}
-            if getattr(settings, "MFA_RECHECK", False):
-                mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now()
-                                         + datetime.timedelta(
-                            seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
-            request.session["mfa"] = mfa
-            return login(request)      
-        elif resBackup[0]:
-            mfa = {"verified": True, "method": "TOTP","id":resBackup[1], "newRecoveryGen":resBackup[2]}
-            if getattr(settings, "MFA_RECHECK", False):
-                mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now()
-                                         + datetime.timedelta(
-                            seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
-            request.session["mfa"] = mfa
-            return login(request)
+        tokenLength = len(request.POST["otp"])
+        if tokenLength == 6:
+            #TOTO code check
+            res=verify_login(request,request.session["base_username"],token = request.POST["otp"])
+            if res[0]:
+                mfa = {"verified": True, "method": "TOTP","id":res[1]}
+                if getattr(settings, "MFA_RECHECK", False):
+                    mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now()
+                                            + datetime.timedelta(
+                                seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
+                request.session["mfa"] = mfa
+                return login(request)
+        elif tokenLength == 10 and "RECOVERY" not in settings.MFA_UNALLOWED_METHODS:
+            #Backup code check
+            resBackup=recovery.verify_login(request.session["base_username"], token=request.POST["otp"])
+            if resBackup[0]:
+                mfa = {"verified": True, "method": "RECOVERY","id":resBackup[1]}
+                if getattr(settings, "MFA_RECHECK", False):
+                    mfa["next_check"] = datetime.datetime.timestamp((datetime.datetime.now()
+                                            + datetime.timedelta(
+                                seconds=random.randint(settings.MFA_RECHECK_MIN, settings.MFA_RECHECK_MAX))))
+                request.session["mfa"] = mfa
+                return login(request)
        context["invalid"]=True
    return render(request,"TOTP/Auth.html", context)