Newer
Older
#!/usr/bin/python
# -*- coding: UTF-8 -*-
from cStringIO import StringIO
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from logging.config import dictConfig
from threading import Thread
import functools
from flask import render_template, send_from_directory
from flask import request, has_request_context
from flask import send_file
from flask import session
from flask import url_for
from flask_compress import Compress
from werkzeug import abort, redirect
from werkzeug.http import http_date
from werkzeug.middleware.proxy_fix import ProxyFix
import pytz
import time
from PiAnoS import caseExistsInDB
import utils
from functions import redis_cache
from functions import dek_generate, do_encrypt_dek, do_decrypt_dek, dek_check
from functions import do_encrypt_user_session, do_decrypt_user_session
from functions import no_preview_image
################################################################################
from version import __version__, __branch__, __commit__, __commiturl__, __treeurl__
################################################################################
Marco De Donno
committed
Image.MAX_IMAGE_PIXELS = 1 * 1024 * 1024 * 1024
################################################################################
class RequestFormatter( logging.Formatter ):
def format( self, record ):
if has_request_context():
try:
username = session[ "username" ]
except:
username = "-"
record.msg = "{REMOTE_ADDR} (" + username + ") - " + record.msg
record.msg = record.msg.format( **request.headers.environ )
return super( RequestFormatter, self ).format( record )
dictConfig( {
'version': 1,
'formatters': {
'default': {
'()': 'module.RequestFormatter',
'format': '[%(asctime)s] %(levelname)s: \t%(message)s',
}
},
'handlers': {
'console': {
'class': 'logging.StreamHandler',
'formatter': 'default'
}
},
'root': {
'level': 'INFO',
'handlers': [ 'console' ]
}
} )
################################################################################
if config.PROXY:
app.wsgi_app = ProxyFix( app.wsgi_app )
baseurl = os.environ.get( "BASEURL", "" )
envtype = os.environ.get( "ENVTYPE", "" )
################################################################################
gnupg._parsers.Verify.TRUST_LEVELS[ "ENCRYPTION_COMPLIANCE_MODE" ] = 23
################################################################################
Marco De Donno
committed
# Decorators
Marco De Donno
committed
def session_field_required( field, value ):
def decorator( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
if not field in session:
return redirect( url_for( "login" ) )
elif not session.get( field ) == value:
return redirect( url_for( "login" ) )
return func( *args, **kwargs )
return wrapper_login_required
return decorator
def login_required( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
return redirect( url_for( "login" ) )
return func( *args, **kwargs )
return wrapper_login_required
def referer_required( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
if not request.headers.get( "Referer", False ):
return "referrer needed", 404
return func( *args, **kwargs )
return wrapper_login_required
def admin_required( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
if not session.get( "logged", False ) or not session.get( "account_type_name", None ) == "Administrator":
return redirect( url_for( "login" ) )
return func( *args, **kwargs )
return wrapper_login_required
@redis_cache( 15 * 60 )
def check_correct_submitter( submission_id, submitter_id ):
sql = """
SELECT count( * )
FROM submissions
WHERE uuid = %s AND submitter_id = %s
"""
check = config.db.query_fetchone( sql, ( submission_id, submitter_id, ) )[ "count" ]
return check == 1
def submission_has_access( func ):
@functools.wraps( func )
def wrapper_login_required( *args, **kwargs ):
submission_id = request.view_args.get( "submission_id", None )
user_id = session.get( "user_id" )
if not session.get( "logged", False ) or not session.get( "account_type_name", None ) == "Submitter":
return redirect( url_for( "login" ) )
elif submission_id != None and not check_correct_submitter( submission_id, user_id ):
return abort( 403 )
else:
return func( *args, **kwargs )
return wrapper_login_required
################################################################################
# Overloads
def my_render_template( *args, **kwargs ):
kwargs[ "baseurl" ] = baseurl
kwargs[ "envtype" ] = envtype
kwargs[ "js" ] = config.cdnjs
kwargs[ "css" ] = config.cdncss
kwargs[ "session_timeout" ] = config.session_timeout
kwargs[ "session_security_key" ] = session.get( "session_security_key" )
kwargs[ "account_type" ] = session.get( "account_type", None )
kwargs[ "nist_file_extensions" ] = json.dumps( config.NIST_file_extensions )
Marco De Donno
committed
if session.get( "account_type", False ):
at = account_type_id_name[ session.get( "account_type" ) ]
kwargs[ "navigation" ] = "navigations/{}.html".format( at.lower() )
kwargs[ "pianosendpoint" ] = config.pianosendpoint
return render_template( *args, **kwargs )
################################################################################
# Generic routing
@app.route( "/ping" )
@app.route( baseurl + "/ping" )
"""
Ping function to check if the web application is healthy.
"""
"""
Function to report the version of the web app.
The version.py file is re-generated by the CI/CD for production.
"""
"error": False,
"version": __version__,
"branch": __branch__,
"commit": __commit__,
"commiturl": __commiturl__,
"treeurl": __treeurl__
} )
except:
return jsonify( {
"error": True
} )
################################################################################
# CDN serving
@app.route( baseurl + "/cdn/<path:subpath>" )
def send_cdn_files( subpath ):
"""
Serve the files from the cdn directory.
"""
return send_from_directory( "cdn", subpath )
################################################################################
# App serving
@app.route( baseurl + "/app/<path:subpath>" )
def send_app_files( subpath ):
"""
Serve the file from the app directory (all files related to the ICNML application).
"""
return send_from_directory( "app", subpath )
@app.route( baseurl + "/static/<path:subpath>" )
def send_static_files( subpath ):
"""
Serve static files from the static directory.
"""
return send_from_directory( "static", subpath )
################################################################################
# Headers
@app.after_request
def add_header( r ):
if not request.path.startswith( baseurl + "/cdn" ):
r.headers[ "Last-Modified" ] = http_date( datetime.now() )
r.headers[ "Cache-Control" ] = "no-cache, no-store, must-revalidate, max-age=0, s-maxage=0"
r.headers[ "Pragma" ] = "no-cache"
r.headers[ "Expires" ] = "0"
################################################################################
# Sessions
@app.before_request
def renew_session():
"""
Reset the timer before the automatic-logout.
This function is called before every HTTP call.
"""
session.permanent = True
app.permanent_session_lifetime = timedelta( seconds = config.session_timeout )
"""
App route to know if the user is logged in the ICNML main application.
This route is used by nginx to protect some other locations, for example
the PiAnoS dedicated pages.
The session countdown timer is resetted to allow the user to use the protected
location for the rest of the timeout.
"""
app.logger.info( "Check if the user is connected" )
if session.get( "logged", False ):
return "ok"
else:
return abort( 403 )
"""
Logout the user, clear the session and redirect to the login page.
"""
app.logger.info( "Logout and clear session" )
session_clear_and_prepare()
def session_clear_and_prepare():
"""
Clear the session related to the user and initialize the login related variables.
"""
session[ "process" ] = "login"
session[ "need_to_check" ] = [ "password" ]
session[ "logged" ] = False
session[ "session_security_key" ] = str( uuid4() )
"""
Route to serve the login.html page.
"""
app.logger.info( "Login start" )
return my_render_template( "login.html" )
@app.route( baseurl + "/do/login", methods = [ "POST" ] )
"""
Function to manadge the login workflow and check the username, password and TOTP data.
This function is called multiple times because the check is done only for one data
type at the time.
If all the checks are OK, the user has provided all needed information, hence is logged in.
"""
#TODO: double-check this function with someone external
#TODO: combine the security key checks in this function
need_to_check = session.get( "need_to_check", [ "password" ] )
try:
current_check = need_to_check[ 0 ]
except:
current_check = None
session[ "need_to_check" ] = need_to_check
app.logger.info( "Current check: {}".format( current_check ) )
############################################################################
# Username and password check
user = config.db.query_fetchone( "SELECT * FROM users WHERE username = %s", ( request.form.get( "username" ), ) )
app.logger.error( "Username not found in the database" )
} )
form_password = request.form.get( "password", None )
if form_password == None or not utils.hash.pbkdf2( form_password, user[ "password" ] ).verify():
app.logger.error( "Password not validated" )
app.logger.error( "User not active" )
return jsonify( {
"error": False,
"logged": False,
"message": "Your account is not activated. Please contact an administrator (icnml@unil.ch)."
} )
else:
session[ "username" ] = user[ "username" ]
session[ "user_id" ] = user[ "id" ]
session[ "password_check" ] = True
app.logger.info( "User '{}' checked by password".format( user[ "username" ] ) )
session[ "need_to_check" ].remove( current_check )
session[ "password" ] = utils.hash.pbkdf2( form_password, "AES256", config.PASSWORD_NB_ITERATIONS ).hash()
sql = "SELECT count( * ) FROM webauthn WHERE user_id = %s AND active = TRUE"
security_keys_count = config.db.query_fetchone( sql, ( user[ "id" ], ) )[ "count" ]
app.logger.info( "Number of security keys: {}".format( security_keys_count ) )
app.logger.info( "TOTP: {}".format( user[ "totp" ] is not None ) )
if security_keys_count > 0:
session[ "need_to_check" ].append( "securitykey" )
elif user[ "totp" ]:
session[ "need_to_check" ].append( "totp" )
app.logger.error( "Second factor missing" )
return jsonify( {
"error": False,
"logged": False,
"message": "Second factor missing. Contact the ICNML administrator (icnml@unil.ch)."
} )
############################################################################
# Time-based One Time Password check
user = config.db.query_fetchone( "SELECT username, totp FROM users WHERE username = %s", ( session[ "username" ], ) )
totp_db = pyotp.TOTP( user[ "totp" ] )
Marco De Donno
committed
totp_user = request.form.get( "totp", None )
if totp_user == None:
return jsonify( {
"error": True,
"message": "No TOTP provided"
} )
app.logger.info( "TOTP expected now: {}".format( totp_db.now() ) )
app.logger.info( "TOTP provided: {}".format( totp_user ) )
if not totp_db.verify( totp_user, valid_window = config.TOTP_VALIDWINDOW ):
app.logger.error( "TOTP not valid in a {} time window".format( config.TOTP_VALIDWINDOW ) )
app.logger.info( "TOTP check for a bigger time window" )
# Check for a possible time difference
now = datetime.now()
time_diff = None
try:
for i in xrange( config.TOTP_VALIDWINDOW, config.TOTP_MAX_VALIDWINDOW ):
for m in [ -1, 1 ]:
if pyotp.utils.strings_equal( totp_user, totp_db.at( now, i * m ) ):
raise
else:
app.logger.error( "TOTP not valid for this secret in a timeframe of {}".format( config.TOTP_MAX_VALIDWINDOW ) )
except:
time_diff = i * m * totp_db.interval
app.logger.info( "TOTP valid for {} seconds".format( time_diff ) )
# Error return
"error": False,
"logged": False,
"message": "Wrong TOTP",
"time_diff": time_diff,
"time": time.time()
app.logger.info( "Valid TOTP in a {} time window".format( config.TOTP_VALIDWINDOW ) )
session[ "need_to_check" ].remove( current_check )
############################################################################
# Check if all the data has been provided; login if ok
if len( session[ "need_to_check" ] ) == 0 and session.get( "password_check", False ):
for key in [ "process", "need_to_check", "password_check" ]:
Marco De Donno
committed
if key in session:
session.pop( key )
app.logger.info( "User '{}' connected".format( session[ "username" ] ) )
sql = """
SELECT users.type, account_type.name as account_type_name
FROM users
LEFT JOIN account_type ON users.type = account_type.id
WHERE username = %s
"""
user = config.db.query_fetchone( sql, ( session[ "username" ], ) )
Marco De Donno
committed
session[ "account_type" ] = int( user[ "type" ] )
session[ "account_type_name" ] = user[ "account_type_name" ]
app.logger.info( "Push '{}' as next login step".format( session[ "need_to_check" ][ 0 ] ) )
"error": False,
"next_step": session[ "need_to_check" ][ 0 ]
################################################################################
def password_reset():
"""
Serve the password_reset.html page.
"""
session[ "process" ] = "request_password_reset"
return my_render_template( "users/password_reset.html" )
@app.route( baseurl + "/do/reset_password", methods = [ "POST" ] )
def do_password_reset():
"""
Start the check of the username for a password reset.
The check is done in a thread to allow a fast "OK" response, even if the username
does not exists. This prevent data extraction (presence or not of a username).
"""
email = request.form.get( "email", None )
app.logger.info( "Start a password reset procedure for '{}'".format( email ) )
Thread( target = do_password_reset_thread, args = ( email, ) ).start()
return jsonify( {
} )
def do_password_reset_thread( email ):
"""
Search in the database if the provided email is present, and send the password reset email if so.
"""
Marco De Donno
committed
if email == None:
return False
else:
users = config.db.query_fetchall( "SELECT id, username, email FROM users" )
Marco De Donno
committed
for user in users:
app.logger.debug( "Password reset - Checking '{}' against '{}'".format( email, user[ "username" ] ) )
if not user[ "email" ].startswith( "pbkdf2$" ):
Marco De Donno
committed
continue
elif utils.hash.pbkdf2( email, user[ "email" ] ).verify():
user_id = hashlib.sha512( utils.rand.random_data( 100 ) ).hexdigest()
Marco De Donno
committed
####################################################################
data = {
"process_id": user_id,
Marco De Donno
committed
}
data = json.dumps( data )
data = base64.b64encode( data )
reset_id = "reset_{}".format( user_id )
config.redis_shared.set( reset_id, data, ex = 24 * 3600 )
Marco De Donno
committed
####################################################################
with app.app_context(), app.test_request_context():
url = config.domain + url_for( "password_reset_stage2", user_id = user_id )
email_content = utils.template.render_jinja_html(
Marco De Donno
committed
"templates/email", "reset.html",
Marco De Donno
committed
username = user[ "username" ]
)
msg = MIMEText( email_content, "html" )
msg[ "Subject" ] = "ICNML - User password reset"
msg[ "From" ] = config.sender
msg[ "To" ] = email
Marco De Donno
committed
with mySMTP() as s:
s.sendmail( config.sender, [ email ], msg.as_string() )
found.append( user[ "username" ] )
if len( found ) > 0:
app.logger.info( "Password reset - '{}' found against {}".format( email, ", ".join( found ) ) )
else:
app.logger.error( "Password reset - '{}' not found".format( email ) )
@app.route( baseurl + "/reset_password_stage2/<user_id>", methods = [ "GET", "POST" ] )
def password_reset_stage2( user_id ):
"""
Serve the reset password, second stage (password edit fields) page,
and set the data in the database if provided.
"""
#TODO: double-check this function with someone external
app.logger.info( "Starting password reset stage 2" )
reset_id = "reset_{}".format( user_id )
data = config.redis_shared.get( reset_id )
if data != None:
data = base64.b64decode( data )
data = json.loads( data )
password = request.form.get( "password", None )
userid = data.get( "user_id", None )
if password != None:
password = utils.hash.pbkdf2( password, utils.rand.random_data( config.EMAIL_SALT_LENGTH ), config.EMAIL_NB_ITERATIONS ).hash()
config.db.query( "UPDATE users SET password = %s WHERE id = %s", ( password, userid ) )
config.db.commit()
app.logger.debug( "Password updated for user id '{}'".format( userid ) )
reset_id = "reset_{}".format( user_id )
config.redis_shared.delete( reset_id )
return jsonify( {
"error": False,
"password_updated": True
} )
else:
app.logger.debug( "Password reset template render" )
"users/password_reset_stage2.html",
user_id = user_id
)
else:
app.logger.error( "No reset procedure found for '{}'".format( user_id ) )
return jsonify( {
"error": True,
"message": "Reset procedure not found/expired"
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
################################################################################
# TOTP reset
@app.route( baseurl + "/reset_totp" )
def totp_reset():
"""
Serve the password_reset.html page.
"""
session.clear()
session[ "process" ] = "request_totp_reset"
return my_render_template( "users/totp_reset.html" )
@app.route( baseurl + "/do/reset_totp", methods = [ "POST" ] )
def do_totp_reset():
"""
Start the check of the username for a TOTP reset.
The check is done in a thread to allow a fast "OK" response, even if the username
does not exists. This prevent data extraction (presence or not of a username).
"""
email = request.form.get( "email", None )
app.logger.info( "Start a TOTP reset procedure for '{}'".format( email ) )
Thread( target = do_totp_reset_thread, args = ( email, ) ).start()
return jsonify( {
"error": False,
"message": "OK"
} )
def do_totp_reset_thread( email ):
"""
Search in the database if the provided email is present, and send the totp reset email if so.
"""
if email == None:
return False
else:
users = config.db.query_fetchall( "SELECT id, username, email FROM users" )
found = []
for user in users:
app.logger.debug( "TOTP reset - Checking '{}' against '{}'".format( email, user[ "username" ] ) )
if not user[ "email" ].startswith( "pbkdf2$" ):
continue
elif utils.hash.pbkdf2( email, user[ "email" ] ).verify():
user_id = hashlib.sha512( utils.rand.random_data( 100 ) ).hexdigest()
####################################################################
data = {
"process": "totp_reset",
"process_id": user_id,
"user_id": user[ "id" ],
"username": user[ "username" ]
}
data = json.dumps( data )
data = base64.b64encode( data )
reset_id = "reset_{}".format( user_id )
config.redis_shared.set( reset_id, data, ex = 24 * 3600 )
####################################################################
with app.app_context(), app.test_request_context():
url = config.domain + url_for( "totp_reset_stage2", user_id = user_id )
email_content = utils.template.render_jinja_html(
"templates/email", "reset.html",
url = url,
username = user[ "username" ]
)
msg = MIMEText( email_content, "html" )
msg[ "Subject" ] = "ICNML - User TOTP reset"
msg[ "From" ] = config.sender
msg[ "To" ] = email
with mySMTP() as s:
s.sendmail( config.sender, [ email ], msg.as_string() )
found.append( user[ "username" ] )
if len( found ) > 0:
app.logger.info( "TOTP reset - '{}' found against {}".format( email, ", ".join( found ) ) )
else:
app.logger.error( "TOTP reset - '{}' not found".format( email ) )
@app.route( baseurl + "/reset_totp_stage2/<user_id>", methods = [ "GET", "POST" ] )
def totp_reset_stage2( user_id ):
"""
Serve the reset totp, second stage (password edit fields) page,
and set the data in the database if provided.
"""
app.logger.info( "Starting TOTP reset stage 2" )
reset_id = "reset_{}".format( user_id )
data = config.redis_shared.get( reset_id )
if data != None:
data = base64.b64decode( data )
data = json.loads( data )
totp = request.form.get( "totp", None )
userid = data.get( "user_id", None )
session[ "username" ] = data.get( "username", None )
if totp != None:
config.db.query( "UPDATE users SET totp = %s WHERE id = %s", ( totp, userid ) )
config.db.commit()
app.logger.debug( "totp updated for user id '{}'".format( userid ) )
reset_id = "reset_{}".format( user_id )
config.redis_shared.delete( reset_id )
return jsonify( {
"error": False,
"totp_updated": True
} )
else:
app.logger.debug( "TOTP reset template render" )
return my_render_template(
"users/totp_reset_stage2.html",
user_id = user_id,
secret = get_secret()
)
else:
app.logger.error( "No reset procedure found for '{}'".format( user_id ) )
return jsonify( {
"error": True,
"message": "Reset procedure not found/expired"
} )
################################################################################
@app.route( baseurl + "/webauthn/admin" )
@login_required
"""
Serve the administartion page for the FIDO2 keys.
"""
app.logger.info( "Webauthn admin page" )
"webauthn/admin.html",
keys = do_webauthn_get_list_of_keys( all_keys = True )
def do_webauthn_get_list_of_keys( uid = None, all_keys = False ):
"""
Get the list of keys for a particular user.
Can be filtered by active keys only with the `all_keys` parameter.
If the user id (uid) variable is not passed in parameter, the id of the currently logged user will be used (via the session).
"""
user_id = session.get( "user_id", uid )
app.logger.info( "Retrieving the security keys for user '{}'".format( session[ "username" ] ) )
SELECT
id, key_name as name,
created_on, last_usage, usage_counter,
active
FROM webauthn
WHERE user_id = %s
"""
if not all_keys:
sql += " ORDER BY key_name ASC"
keys = config.db.query_fetchall( sql, ( user_id, ) )
data = []
for key in keys:
data.append( dict( key ) )
app.logger.debug( "key '{}' ({}) loaded".format( key[ "name" ], key[ "id" ] ) )
app.logger.info( "{} keys found in the database".format( len( data ) ) )
@app.route( baseurl + "/webauthn/begin_activate", methods = [ "POST" ] )
@login_required
def webauthn_begin_activate():
"""
Start the registering process for a new security key.
The json returned will be used by the javascript navigator.credentials.create() function.
"""
app.logger.info( "Start the registring process for a new security key" )
session[ "key_name" ] = request.form.get( "key_name", None )
username = session.get( "username" )
challenge = pyotp.random_base32( 64 )
ukey = pyotp.random_base32( 64 )
app.logger.debug( "User: {}".format( username ) )
app.logger.debug( "Challenge: {}".format( challenge ) )
session[ "challenge" ] = challenge
session[ "register_ukey" ] = ukey
make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
challenge, config.rp_name, config.RP_ID,
ukey, username, username,
None
)
Marco De Donno
committed
registration_dict = make_credential_options.registration_dict
registration_dict[ "authenticatorSelection" ] = {
"authenticatorAttachment": "cross-platform",
"requireResidentKey": False,
"userVerification": "discouraged"
Marco De Donno
committed
}
return jsonify( registration_dict )
@app.route( baseurl + "/webauthn/verify", methods = [ "POST" ] )
@login_required
def webauthn_verify():
"""
Verify the data produced by the security key while registring
(with the navigator.credentials.create() function).
"""
app.logger.info( "Start webauthn verification process" )
challenge = session[ "challenge" ]
user_id = session[ "user_id" ]
key_name = session.get( "key_name", None )
app.logger.debug( "Session challenge: {}".format( challenge ) )
app.logger.debug( "Session user_id: {}".format( user_id ) )
app.logger.debug( "Session key_name: {}".format( key_name ) )
webauthn_registration_response = webauthn.WebAuthnRegistrationResponse(
config.RP_ID,
config.ORIGIN,
challenge
)
try:
webauthn_credential = webauthn_registration_response.verify()
app.logger.info( "Verification OK" )
except Exception as e:
app.logger.info( "Verification failed" )
"error": True,
"message": "Registration failed. Error: {}".format( e )
app.logger.info( "Insertion of the key to the database" )
utils.sql.sql_insert_generate( "webauthn", [ "user_id", "key_name", "ukey", "credential_id", "pub_key", "sign_count" ] ),
user_id, key_name,
ukey, webauthn_credential.credential_id,
webauthn_credential.public_key, webauthn_credential.sign_count,
)
config.db.commit()
return jsonify( {
"success": "User successfully registered."
} )
app.logger.error( "Database insertion error" )
return jsonify( {
"error": True,
"message": "Database error"
} )
################################################################################
@app.route( baseurl + "/webauthn/delete", methods = [ "POST" ] )
@login_required
def webauthn_delete_key():
"""
Delete a key based upon the key id and name for the currently logged user.
"""
app.logger.info( "Start security deletion" )
key_id = request.form.get( "key_id", False )
app.logger.debug( "Session username: {}".format( session[ "username" ] ) )
app.logger.debug( "key_id: {}".format( key_id ) )
config.db.query( "DELETE FROM webauthn WHERE id = %s AND user_id = %s", ( key_id, userid, ) )
app.logger.debug( "Security key deleted" )
except:
app.logger.error( "Security key deletion failed" )
@app.route( baseurl + "/webauthn/disable", methods = [ "POST" ] )
@login_required
def webauthn_disable_key():
"""
Disable a particular security key for the current user.
"""
key_id = request.form.get( "key_id", False )