From fe06e4a34df171aee952b8219814b46ae6762559 Mon Sep 17 00:00:00 2001
From: Spitap
Date: Tue, 23 Aug 2022 09:52:06 +0200
Subject: [PATCH] Fixed token gen bug, simplify session validation
---
 mfa/recovery.py | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/mfa/recovery.py b/mfa/recovery.py
index d4b4351..46d60a3 100644
--- a/mfa/recovery.py
+++ b/mfa/recovery.py
@@ -9,9 +9,6 @@ import random
 import string
 import datetime
-#TODO :
-# - Show authtificator panel on login everytime if RECOVERY is not deactivated
-# - Generation abuse checks
 def token_left(request, username=None):
 if not username and request:
@@ -32,17 +29,8 @@ def delTokens(request):
 if key.username == request.user.username:
 key.delete()
-def newTokens(username):
- # Separated from genTokens to be able to regenerate codes after login if last code has been used
- newKeys = []
- for i in range(5):
- token = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(10))
- newKeys.append(token)
- uk=User_Keys()
- uk.username=username
- uk.properties={"secret_keys":newKeys, "enabled":[True for j in range(5)]}
- uk.key_type="RECOVERY"
- uk.save()
+def randomGen(n):
+ return ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase + string.digits) for _ in range(n))
 def genTokens(request, softGen=False):
 if not softGen or (softGen and token_left(request) == 0):
@@ -50,7 +38,15 @@ def genTokens(request, softGen=False):
 delTokens(request)
 number = 5
 #Then generate new one
- newTokens(request.user.username)
+ newKeys = []
+ for i in range(5):
+ token = randomGen(5) + "-" + randomGen(5)
+ newKeys.append(token)
+ uk=User_Keys()
+ uk.username = request.user.username
+ uk.properties={"secret_keys":newKeys, "enabled":[True for j in range(5)]}
+ uk.key_type="RECOVERY"
+ uk.save()
 return HttpResponse("Success")
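Review bot: The new `randomGen` draws MFA recovery codes with `random.choice`, and the `random` module is documented as unsuitable for security-sensitive values; since these codes are an authentication factor, the body of `+def randomGen(n):` should use the `secrets` module, `return ''.join(secrets.choice(string.ascii_letters + string.digits) for _ in range(n))`, with `import secrets` added beside `import random` above this hunk. `string.ascii_letters` is exactly `string.ascii_uppercase + string.ascii_lowercase`, so the alphabet is unchanged. The generator is consumed by `genTokens` in the following hunk, which inherits the fix without further change.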
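Review bot: The added loop in `genTokens` hard-codes `5` three times while the context line `number = 5` just above it is not read by the new code (unless it is used elsewhere in the function, which is outside this hunk), so the two counts can drift apart; `newKeys = [randomGen(5) + "-" + randomGen(5) for _ in range(number)]` and `"enabled": [True] * number` keep them tied together and drop the unused indices `i` and `j`. The codes are written as-is into `uk.properties["secret_keys"]`; if the verification path, which is not in this diff, can be adapted, storing a hash of each code and comparing hashes would limit the impact of a leaked table — hedged, since the lookup side is not visible here. `genTokens` begins and ends outside this hunk.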
@@ -100,7 +96,7 @@ def auth(request):
 return login(request)
 elif request.method=="GET":
 mfa = request.session["mfa"]
- if mfa and mfa["verified"] and mfa["method"] == "RECOVERY" and "lastBackup":
+ if mfa and mfa["verified"] and mfa["lastBackup"]:
 return login(request)
 context["invalid"]=True
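Review bot: `mfa["lastBackup"]` on the added line raises KeyError whenever the session's mfa dict has no `lastBackup` entry, whereas the old condition (whose `and "lastBackup"` was an always-true literal) fell through to the `context["invalid"]=True` branch; `mfa.get("lastBackup")` preserves that fall-through. The rewrite also drops the `mfa["method"] == "RECOVERY"` test, so any verified MFA session carrying a truthy `lastBackup` now reaches `login(request)` — presumably intended if `lastBackup` is only ever set on the recovery path, but that is not visible here and is worth confirming or restoring the method check alongside it. `auth` starts and continues outside this hunk.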