remove totp, cleanup, bugfixes
This commit is contained in:
parent
bd7d8e4398
commit
368f2396ce
13 changed files with 22 additions and 293 deletions
|
|
@ -47,38 +47,8 @@ class PasswordAuthProvider(AuthProvider):
|
|||
return compare_hash(crypt.crypt(password, user.password_hashed),user.password_hashed)
|
||||
|
||||
|
||||
class U2FAuthProvider(AuthProvider):
|
||||
@staticmethod
|
||||
def get_from() -> FlaskForm:
|
||||
return Fido2Form(prefix='fido2')
|
||||
|
||||
|
||||
class WebAuthProvider(AuthProvider):
|
||||
pass
|
||||
|
||||
|
||||
class TotpAuthProvider(AuthProvider):
|
||||
|
||||
@staticmethod
|
||||
def get_form():
|
||||
return TotpForm(prefix='totp')
|
||||
|
||||
@staticmethod
|
||||
def check_auth(user: User, form: FlaskForm) -> bool:
|
||||
data = form.data['totp']
|
||||
if data is not None:
|
||||
#print(f'data totp: {data}')
|
||||
if len(user.totps) == 0: # migration, TODO remove
|
||||
return True
|
||||
for totp in user.totps:
|
||||
if totp.verify(data):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
AUTH_PROVIDER_LIST = [
|
||||
PasswordAuthProvider,
|
||||
TotpAuthProvider
|
||||
PasswordAuthProvider
|
||||
]
|
||||
|
||||
#print(LdapAuthProvider.get_name())
|
||||
|
|
|
|||
|
|
@ -20,13 +20,6 @@ class PasswordForm(FlaskForm):
|
|||
password = PasswordField(gettext('Password'))
|
||||
submit = SubmitField(gettext('Authorize'))
|
||||
|
||||
|
||||
class TotpForm(FlaskForm):
|
||||
totp = StringField(gettext('2FA Token'))
|
||||
submit = SubmitField(gettext('Authorize'))
|
||||
|
||||
|
||||
|
||||
class ConsentForm(FlaskForm):
|
||||
# scopes = SelectMultipleField(gettext('scopes'))
|
||||
# audiences = SelectMultipleField(gettext('audiences'))
|
||||
|
|
|
|||
|
|
@ -22,17 +22,6 @@ class ClientCertForm(FlaskForm):
|
|||
])
|
||||
submit = SubmitField(gettext('Submit'))
|
||||
|
||||
|
||||
class TOTPForm(FlaskForm):
|
||||
secret = HiddenField(gettext('totp-Secret'))
|
||||
token = StringField(gettext('totp-verify token'))
|
||||
name = StringField(gettext('name'))
|
||||
submit = SubmitField(gettext('Activate'))
|
||||
|
||||
|
||||
class TOTPDeleteForm(FlaskForm):
|
||||
submit = SubmitField(gettext('Delete'))
|
||||
|
||||
class AppTokenForm(FlaskForm):
|
||||
name = StringField(gettext('name'), validators=[DataRequired(),Length(min=1, max=255) ])
|
||||
scopes = StringField(gettext('scopes'), validators=[DataRequired(),Length(min=1, max=255) ])
|
||||
|
|
@ -41,11 +30,10 @@ class AppTokenForm(FlaskForm):
|
|||
class AppTokenDeleteForm(FlaskForm):
|
||||
submit = SubmitField(gettext('Delete'))
|
||||
|
||||
class WebauthnRegisterForm(FlaskForm):
|
||||
"""webauthn register token form"""
|
||||
class PasskeyRegisterForm(FlaskForm):
|
||||
"""Passkey register form"""
|
||||
|
||||
attestation = HiddenField('Attestation', [InputRequired()])
|
||||
name = StringField('Name', [Length(max=250)])
|
||||
name = StringField('Name', [Length(max=50)])
|
||||
submit = SubmitField('Register', render_kw={'disabled': True})
|
||||
|
||||
class PasswordChangeForm(FlaskForm):
|
||||
|
|
|
|||
|
|
@ -163,12 +163,8 @@ class User(BaseModel, ModelUpdatedMixin):
|
|||
enabled: Mapped[bool] = mapped_column(db.Boolean, nullable=False, default=False)
|
||||
|
||||
app_tokens: Mapped[List['AppToken']] = relationship('AppToken', back_populates='user')
|
||||
# totps: Mapped[List['Totp']] = relationship('Totp', back_populates='user', default_factory=list)
|
||||
passkey_credentials: Mapped[List['PasskeyCredential']] = relationship('PasskeyCredential', back_populates='user', cascade='delete,delete-orphan', passive_deletes=True)
|
||||
|
||||
@property
|
||||
def totps(self) -> List['Totp']:
|
||||
return []
|
||||
|
||||
def __init__(self, **kwargs) -> None:
|
||||
super().__init__(**kwargs)
|
||||
|
|
@ -226,20 +222,6 @@ class AppToken(BaseModel, ModelUpdatedMixin):
|
|||
token = ''.join(secrets.choice(alphabet) for i in range(12))
|
||||
return AppToken(scopes=scopes, token=token, user=user, name=name)
|
||||
|
||||
class Totp(BaseModel, ModelUpdatedMixin):
|
||||
id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
|
||||
secret: Mapped[str] = mapped_column(db.String, nullable=False)
|
||||
name: Mapped[str] = mapped_column(db.String, nullable=False)
|
||||
|
||||
user_id: Mapped[uuid.UUID] = mapped_column(
|
||||
db.Uuid,
|
||||
db.ForeignKey(User.id), nullable=False)
|
||||
# user: Mapped[User] = relationship(User, back_populates="totp")
|
||||
last_used: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True, default=None)
|
||||
|
||||
def verify(self, token: str) -> bool:
|
||||
totp = pyotp.TOTP(self.secret)
|
||||
return totp.verify(token)
|
||||
|
||||
|
||||
class PasskeyCredential(BaseModel, ModelUpdatedMixin): # pylint: disable=too-few-public-methods
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@
|
|||
{#<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.client_cert') }}">{{ gettext('Client Cert') }}</a></li>#}
|
||||
<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.passkey') }}">{{ gettext('Passkey') }}</a></li>
|
||||
<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.app_token') }}">{{ gettext('App Tokens') }}</a></li>
|
||||
<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.totp') }}">{{ gettext('2FA - TOTP') }}</a></li>
|
||||
<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.oauth2_tokens') }}">{{ gettext('Oauth2 Tokens') }}</a></li>
|
||||
<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.password_change') }}">{{ gettext('Password Change') }}</a></li>
|
||||
<li class="nav-item"><a class="nav-link" href="{{ url_for('frontend.logout') }}">{{ gettext('Logout') }}</a></li>
|
||||
|
|
|
|||
|
|
@ -21,10 +21,12 @@
|
|||
<td>{{ credential.credential_id[0:8].hex() }}...</td>
|
||||
<td>{{ credential.last_used }}</td>
|
||||
<td>{{ credential.created_at }}...</td>
|
||||
<td>{{ render_form(button_form, action_url=url_for('.passkey_delete', id=credential.id), action_text='delete', btn_class='btn btn-danger') }}</td>
|
||||
<td>
|
||||
{{ render_form(button_form, action_url=url_for('.passkey_delete', id=credential.id), action_text='delete', btn_class='btn btn-danger') }}</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
</table>
|
||||
<a class="btn btn-primary" href="{{ url_for('.passkey_new')}}">Add new Passkey</a>
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
{% extends 'frontend/base.html.j2' %}
|
||||
|
||||
{% block title %}{{ gettext('2FA - TOTP') }}{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
|
||||
<table class="table">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>name</th>
|
||||
<th>created_at</th>
|
||||
<th>action<th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for totp in current_user.totps %}
|
||||
<tr>
|
||||
<td>{{ totp.name }}</td>
|
||||
<td>{{ totp.created_at }}</td>
|
||||
<td>{{ render_form(delete_form, action_url=url_for('frontend.totp_delete', totp_name=totp.name)) }}</td>
|
||||
{% endfor %}
|
||||
</table>
|
||||
<a class="btn btn-default" href="{{ url_for('frontend.totp_new') }}">
|
||||
New TOTP
|
||||
</a>
|
||||
|
||||
{% endblock %}
|
||||
|
||||
|
||||
{% block script_js %}
|
||||
|
||||
totp.init_list();
|
||||
|
||||
|
||||
{% endblock %}
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
{% extends 'frontend/base.html.j2' %}
|
||||
|
||||
{% block title %}{{ gettext('2FA - TOTP - New') }}{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
|
||||
{{ render_form(form) }}
|
||||
|
||||
<div id="svg-container">
|
||||
</div>
|
||||
|
||||
{% endblock %}
|
||||
|
||||
|
||||
{% block script_js %}
|
||||
|
||||
totp.init_new();
|
||||
|
||||
|
||||
{% endblock %}
|
||||
|
|
@ -51,9 +51,13 @@ async def consent() -> ResponseReturnValue:
|
|||
|
||||
if form.validate_on_submit() or consent_request.skip:
|
||||
|
||||
if type(consent_request.subject) != str:
|
||||
logger.error("not set subject `consent_request.subject`")
|
||||
return 'internal error', 500
|
||||
uid = UUID(consent_request.subject)
|
||||
user = User.query.get(uid)
|
||||
if user is None:
|
||||
logger.error("user not found, even if it should exist")
|
||||
return 'internal error', 500
|
||||
access_token = {
|
||||
'name': str(user.username),
|
||||
|
|
|
|||
|
|
@ -25,10 +25,9 @@ from webauthn.helpers.structs import (
|
|||
UserVerificationRequirement,
|
||||
)
|
||||
|
||||
from ..model import db, User, Totp, AppToken, PasskeyCredential
|
||||
from ..form.frontend import ClientCertForm, TOTPForm, \
|
||||
TOTPDeleteForm, PasswordChangeForm, WebauthnRegisterForm, \
|
||||
AppTokenForm, AppTokenDeleteForm
|
||||
from ..model import db, User, AppToken, PasskeyCredential
|
||||
from ..form.frontend import ClientCertForm, PasswordChangeForm, \
|
||||
AppTokenForm, AppTokenDeleteForm, PasskeyRegisterForm
|
||||
from ..form.base import ButtonForm
|
||||
from ..auth_providers import PasswordAuthProvider
|
||||
from .oauth2 import redirect_login, oauth2
|
||||
|
|
@ -188,43 +187,6 @@ def app_token_delete(app_token_name: str) -> ResponseReturnValue:
|
|||
|
||||
return redirect(url_for('frontend.app_token'))
|
||||
|
||||
@frontend_views.route('/totp')
|
||||
def totp() -> ResponseReturnValue:
|
||||
delete_form = TOTPDeleteForm()
|
||||
return render_template('frontend/totp.html.j2', delete_form=delete_form)
|
||||
|
||||
|
||||
@frontend_views.route('/totp/new', methods=['GET', 'POST'])
|
||||
def totp_new() -> ResponseReturnValue:
|
||||
form = TOTPForm()
|
||||
|
||||
if form.validate_on_submit():
|
||||
totp = Totp(name=form.data['name'], secret=form.data['secret'], user=get_current_user())
|
||||
if totp.verify(form.data['token']):
|
||||
get_current_user().totps.append(totp)
|
||||
db.session.commit()
|
||||
return jsonify({
|
||||
'status': 'ok'})
|
||||
else:
|
||||
return jsonify({
|
||||
'status': 'error',
|
||||
'errors': [
|
||||
'TOTP Token invalid'
|
||||
]})
|
||||
return render_template('frontend/totp_new.html.j2', form=form)
|
||||
|
||||
|
||||
@frontend_views.route('/totp/<totp_name>/delete', methods=['GET', 'POST'])
|
||||
def totp_delete(totp_name) -> ResponseReturnValue:
|
||||
totp = Totp.query.filter(Totp.name == totp_name).first() # type: Optional[Totp]
|
||||
db.session.delete(totp)
|
||||
db.session.commit()
|
||||
|
||||
return jsonify({
|
||||
'status': 'ok'})
|
||||
|
||||
|
||||
|
||||
## Passkey
|
||||
|
||||
@frontend_views.route('/passkey/list', methods=['GET'])
|
||||
|
|
@ -243,7 +205,7 @@ def passkey_new() -> ResponseReturnValue:
|
|||
|
||||
|
||||
user = get_current_user() # type: User
|
||||
form = WebauthnRegisterForm()
|
||||
form = PasskeyRegisterForm()
|
||||
|
||||
options = webauthn.generate_registration_options(
|
||||
rp_name="Lenticluar Cloud",
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
from authlib.integrations.flask_client import OAuth
|
||||
from authlib.integrations.base_client.errors import MismatchingStateError, OAuthError
|
||||
from flask import Flask, Blueprint, Response, session, request, redirect, url_for
|
||||
from flask_login import login_user, logout_user, current_user
|
||||
from flask import Flask, Blueprint, current_app, session, request, redirect, url_for
|
||||
from flask_login import login_user, logout_user
|
||||
from flask.typing import ResponseReturnValue
|
||||
from flask_login import LoginManager
|
||||
from typing import Optional
|
||||
|
|
@ -29,7 +29,8 @@ login_manager = LoginManager()
|
|||
def redirect_login() -> ResponseReturnValue:
|
||||
logout_user()
|
||||
session['next_url'] = request.path
|
||||
redirect_uri = url_for('oauth2.authorized', _external=True)
|
||||
public_url = current_app.config['PUBLIC_URL']
|
||||
redirect_uri = public_url + url_for('oauth2.authorized')
|
||||
response = oauth2.custom.authorize_redirect(redirect_uri)
|
||||
if not isinstance(response, WerkzeugResponse):
|
||||
raise RuntimeError("invalid redirect")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue