Fixes and applied comments

mfa/recovery.py

@@ -2,7 +2,7 @@ from django.shortcuts import render
 from django.views.decorators.cache import never_cache
 from django.template.context_processors import csrf
 from django.contrib.auth.hashers import make_password, PBKDF2PasswordHasher
-from django.http import HttpResponse,FileResponse,HttpResponseNotFound
+from django.http import HttpResponse,HttpResponseNotFound
 from .Common import get_redirect_url
 from .models import *
 import simplejson
@@ -42,28 +42,25 @@ def genTokens(request):
     uk.username = request.user.username
     uk.properties={"secret_keys":hashedKeys, "salt":salt}
     uk.key_type="RECOVERY"
-    uk.enabled = False
+    uk.enabled = True
     uk.save()
-    request.session["recovery_keys"]=clearKeys
     return HttpResponse(simplejson.dumps({"keys":clearKeys}))
 
-def download_codes(request):
-    if not "recovery_keys" in request.session:
-        return HttpResponseNotFound("This page isn't valid anymore.")
-    response = HttpResponse('\n'.join(request.session["recovery_keys"]),content_type='text/text')
-    response['Content-Disposition'] = 'attachment; filename = Recovery Codes.txt'
-    return response
 
-def verify_login(request, username,token):
-    key =  User_Keys.objects.filter(username=username, key_type = "RECOVERY")
-    secret_keys = key.properties["secret_keys"]
-    salt = key.properties["salt"]
-    hashedToken = make_password(token, salt, "pbkdf2_sha256_custom")
-    if hashedToken == secret_keys[0]:
-        secret_keys.pop(0)
-        key.properties["secret_keys"] = secret_keys
-        key.save()
-        return [True, key.id, len(secret_keys) == 0]
+def verify_login(request, username, token):
+    for key in User_Keys.objects.filter(username=username, key_type = "RECOVERY"):
+        secret_keys = key.properties["secret_keys"]
+        salt = key.properties["salt"]
+        hashedToken = make_password(token, salt, "pbkdf2_sha256_custom")
+        for i in range(len(secret_keys)):
+            if hashedToken == secret_keys[i]:
+                secret_keys.pop(i)
+                key.properties["secret_keys"] = secret_keys
+                key.save()
+                return [True, key.id, len(secret_keys) == 0]
+        if len(secret_keys) == 0:
+            #Show a message ?
+            return [False]
     return [False]
 
 def getTokenLeft(request):
@@ -73,15 +70,27 @@ def getTokenLeft(request):
         keyLeft += len(key.properties["secret_keys"])
     return HttpResponse(simplejson.dumps({"left":keyLeft}))
 
+def recheck(request):
+    context = csrf(request)
+    context["mode"]="recheck"
+    if request.method == "POST":
+        if verify_login(request,request.user.username, token=request.POST["recovery"])[0]:
+            import time
+            request.session["mfa"]["rechecked_at"] = time.time()
+            return HttpResponse(simplejson.dumps({"recheck": True}), content_type="application/json")
+        else:
+            return HttpResponse(simplejson.dumps({"recheck": False}), content_type="application/json")
+    return render(request,"RECOVERY/recheck.html", context)
+
 @never_cache
 def auth(request):
     from .views import login
     context=csrf(request)
     if request.method=="POST":
-        tokenLength = len(request.POST["otp"])
+        tokenLength = len(request.POST["recovery"])
         if tokenLength == 11 and "RECOVERY" not in settings.MFA_UNALLOWED_METHODS:
             #Backup code check
-            resBackup=verify_login(request, request.session["base_username"], token=request.POST["otp"])
+            resBackup=verify_login(request, request.session["base_username"], token=request.POST["recovery"])
             if resBackup[0]:
                 mfa = {"verified": True, "method": "RECOVERY","id":resBackup[1], "lastBackup":resBackup[2]}
                 if getattr(settings, "MFA_RECHECK", False):
@@ -92,15 +101,16 @@ def auth(request):
                 if resBackup[2]:
                     #If the last bakup code has just been used, we return a response insead of redirecting to login
                     context["lastBackup"] = True
-                    return render(request,"TOTP/Auth.html", context)                
+                    return render(request,"RECOVERY/Auth.html", context)                
                 return login(request)
+        context["invalid"]=True
+
     elif request.method=="GET":
-        mfa = request.session["mfa"]
+        mfa = request.session.get("mfa")
         if mfa and mfa["verified"] and mfa["lastBackup"]:
             return login(request)
 
-    context["invalid"]=True
-    return render(request,"TOTP/Auth.html", context)
+    return render(request,"RECOVERY/Auth.html", context)
 
 @never_cache
 def start(request):