Newer
Older
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from flask import Blueprint
from flask import abort, redirect, jsonify, send_file
from flask import url_for, request, current_app, session
from cStringIO import StringIO
from datetime import datetime, timedelta
from email.mime.text import MIMEText
from threading import Thread
import base64
import hashlib
import time
import webauthn
import config
import utils
login_view = Blueprint( "login", __name__, template_folder = "templates" )
@login_view.route( "/is_logged" )
def is_logged():
"""
App route to know if the user is logged in the ICNML main application.
This route is used by nginx to protect some other locations, for
example the PiAnoS dedicated pages.
"""
current_app.logger.info( "Check if the user is connected" )
if session.get( "logged", False ):
return "ok"
else:
return abort( 403 )
@login_view.route( "/logout" )
def logout():
"""
Logout the user, clear the session and redirect to the login page.
"""
current_app.logger.info( "Logout and clear session" )
session_clear_and_prepare()
Marco De Donno
committed
return redirect( url_for( "login.login" ) )
def session_clear_and_prepare():
"""
Clear the session related to the user and initialize the login related
variables.
"""
session.clear()
session[ "process" ] = "login"
session[ "need_to_check" ] = [ "password" ]
session[ "logged" ] = False
@login_view.route( "/login" )
def login():
"""
Route to serve the login.html page.
"""
current_app.logger.info( "Login start" )
session_clear_and_prepare()
Marco De Donno
committed
if request.query_string != "":
session[ "url_redirect" ] = request.query_string
return utils.template.my_render_template( "login/login.html" )
@login_view.route( "/do/login", methods = [ "POST" ] )
def do_login():
"""
Function to manadge the login workflow and check the username, password
and TOTP data. This function is called multiple times because the check
is done only for one data type at the time. If all the checks are OK,
the user has provided all needed information, hence is logged in.
"""
#TODO: combine the security key checks in this function
############################################################################
# Rate limiting check
def get_rate_limit_key():
target = request.form.get( "username", "" )
Marco De Donno
committed
try:
target = request.headers.environ[ "REMOTE_ADDR" ]
except:
pass
try:
target = str( ipaddress.ip_network( unicode( target ) ).supernet( 16 ) )
Marco De Donno
committed
except:
pass
return "rate_limit_{}".format( target )
def get_current_rate_limit():
try:
return int( config.redis_dbs[ "rate_limit" ].get( get_rate_limit_key() ) )
def rate_limit_to_seconds( nb ):
return pow( config.login_rate_limiting_base, max( nb, config.login_rate_limiting_limit ) )
def trigger_rate_limit():
rate_limit_value = get_current_rate_limit() + 1
config.redis_dbs[ "rate_limit" ].set(
get_rate_limit_key(),
rate_limit_value,
ex = rate_limit_to_seconds( rate_limit_value )
)
return rate_limit_value
if get_current_rate_limit() >= config.login_rate_limiting_limit:
rate_limit_value = trigger_rate_limit()
time_to_wait = str( timedelta( seconds = rate_limit_to_seconds( rate_limit_value ) ) )
return jsonify( {
"error": False,
"logged": False,
"message": "Rate limited. Wait {} (HH:MM:SS) or contact the administrator.".format( time_to_wait )
} )
############################################################################
# Start of the user and password check
need_to_check = session.get( "need_to_check", [ "password" ] )
try:
current_check = need_to_check[ 0 ]
except:
current_check = None
session[ "need_to_check" ] = need_to_check
current_app.logger.info( "Current check: {}".format( current_check ) )
############################################################################
# Username and password check
if current_check == "password":
user = config.db.query_fetchone( "SELECT * FROM users WHERE username = %s", ( request.form.get( "username" ), ) )
if user == None:
current_app.logger.error( "Username not found in the database" )
# WASTING TIME.
# This is done to limit data extraction for exitsing (or not)
# username based upon the execution time of the login function
# (time-based side channel attack).
# FOR SECURITY REASONS, DO NOT REMOVE THIS LINE
utils.hash.pbkdf2( config.fake_hash ).verify( config.fake_hash_stored )
trigger_rate_limit()
session_clear_and_prepare()
return jsonify( {
"error": False,
"logged": False
} )
form_password = request.form.get( "password", None )
if form_password == None or not utils.hash.pbkdf2( form_password ).verify( user[ "password" ] ):
current_app.logger.error( "Password not validated" )
trigger_rate_limit()
session_clear_and_prepare()
return jsonify( {
"error": False,
"logged": False,
} )
elif not user[ "active" ]:
current_app.logger.error( "User not active" )
session_clear_and_prepare()
return jsonify( {
"error": False,
"logged": False,
"message": "Your account is not activated. Please contact an administrator (icnml@unil.ch)."
} )
else:
session[ "username" ] = user[ "username" ]
session[ "user_id" ] = user[ "id" ]
session[ "password_check" ] = True
# Check for outdated password and update it in the database if needed
_, _, salt, iterations, _ = user[ "password" ].split( "$" )
if iterations != config.PASSWORD_NB_ITERATIONS or salt.len() != config.PASSWORD_SALT_LENGTH:
new_password = utils.hash.pbkdf2(
form_password,
utils.rand.random_data( config.PASSWORD_SALT_LENGTH ),
config.PASSWORD_NB_ITERATIONS
).hash()
config.db.query( "UPDATE users SET password = %s WHERE id = %s", ( new_password, user[ "id" ] ) )
config.db.commit()
#
current_app.logger.info( "User '{}' checked by password".format( user[ "username" ] ) )
session[ "need_to_check" ].remove( current_check )
session[ "password" ] = utils.hash.pbkdf2( form_password, "AES256", config.PASSWORD_NB_ITERATIONS ).hash()
sql = "SELECT count( * ) FROM webauthn WHERE user_id = %s AND active = TRUE"
security_keys_count = config.db.query_fetchone( sql, ( user[ "id" ], ) )[ "count" ]
current_app.logger.info( "Number of security keys: {}".format( security_keys_count ) )
current_app.logger.info( "TOTP: {}".format( user[ "totp" ] is not None ) )
if config.envtype.upper() != "DEV":
hra = hashlib.sha512( request.headers.environ[ "REMOTE_ADDR" ] ).hexdigest()
username = session[ "username" ]
key = "{}_{}".format( username, hra )
saved_totp = config.redis_dbs[ "totp" ].get( key ) == "ok"
if security_keys_count > 0:
session[ "need_to_check" ].append( "securitykey" )
if saved_totp:
config.redis_dbs[ "totp" ].set( key, "ok", ex = 30 * 24 * 3600 )
pass
elif user[ "totp" ]:
session[ "need_to_check" ].append( "totp" )
else:
current_app.logger.error( "Second factor missing" )
session_clear_and_prepare()
return jsonify( {
"error": False,
"logged": False,
"next_step": "totp_reset"
} )
############################################################################
# Time-based One Time Password check
elif current_check == "totp":
user = config.db.query_fetchone( "SELECT username, totp FROM users WHERE username = %s", ( session[ "username" ], ) )
totp_db = pyotp.TOTP( user[ "totp" ] )
totp_user = request.form.get( "totp", None )
totp_save_serverside = request.form.get( "save", False )
if totp_user == None:
return jsonify( {
"error": True,
"message": "No TOTP provided"
} )
current_app.logger.info( "TOTP expected now: {}".format( totp_db.now() ) )
current_app.logger.info( "TOTP provided: {}".format( totp_user ) )
if not totp_db.verify( totp_user, valid_window = config.TOTP_VALIDWINDOW ):
current_app.logger.error( "TOTP not valid in a {} time window".format( config.TOTP_VALIDWINDOW ) )
current_app.logger.info( "TOTP check for a bigger time window" )
# Check for a possible time difference
now = datetime.now()
time_diff = None
try:
for i in xrange( config.TOTP_VALIDWINDOW, config.TOTP_MAX_VALIDWINDOW ):
for m in [ -1, 1 ]:
if pyotp.utils.strings_equal( totp_user, totp_db.at( now, i * m ) ):
raise Exception( "TOTP valid out of current time window" )
else:
current_app.logger.error( "TOTP not valid for this secret in a timeframe of {}".format( config.TOTP_MAX_VALIDWINDOW ) )
except:
time_diff = i * m * totp_db.interval
current_app.logger.info( "TOTP valid for {} seconds".format( time_diff ) )
# Error return
session[ "logged" ] = False
return jsonify( {
"error": False,
"logged": False,
"message": "Wrong TOTP",
"time_diff": time_diff,
"time": time.time()
} )
else:
current_app.logger.info( "Valid TOTP in a {} time window".format( config.TOTP_VALIDWINDOW ) )
if totp_save_serverside in [ True, "true" ]:
hra = hashlib.sha512( request.headers.environ[ "REMOTE_ADDR" ] ).hexdigest()
username = session[ "username" ]
key = "{}_{}".format( username, hra )
config.redis_dbs[ "totp" ].set( key, "ok", ex = 30 * 24 * 3600 )
session[ "need_to_check" ].remove( current_check )
############################################################################
# Check if all the data has been provided; login if ok
if len( session[ "need_to_check" ] ) == 0 and session.get( "password_check", False ):
for key in [ "process", "need_to_check", "password_check" ]:
if key in session:
session.pop( key )
session[ "logged" ] = True
current_app.logger.info( "User '{}' connected".format( session[ "username" ] ) )
sql = """
SELECT users.type, account_type.name as account_type_name
FROM users
LEFT JOIN account_type ON users.type = account_type.id
WHERE username = %s
"""
user = config.db.query_fetchone( sql, ( session[ "username" ], ) )
session[ "account_type" ] = int( user[ "type" ] )
session[ "account_type_name" ] = user[ "account_type_name" ]
config.redis_dbs[ "sessions" ].execute_command( "save" )
return jsonify( {
"error": False,
"logged": True,
} )
else:
current_app.logger.info( "Push '{}' as next login step".format( session[ "need_to_check" ][ 0 ] ) )
return jsonify( {
"error": False,
"next_step": session[ "need_to_check" ][ 0 ]
} )
################################################################################
# webauthn keys
@login_view.route( "/webauthn/admin" )
def webauthn_admin():
"""
Serve the administartion page for the FIDO2 keys.
"""
current_app.logger.info( "Webauthn admin page" )
return utils.template.my_render_template(
keys = do_webauthn_get_list_of_keys( all_keys = True )
)
def do_webauthn_get_list_of_keys( uid = None, all_keys = False ):
"""
Get the list of keys for a particular user. Can be filtered by active
keys only with the `all_keys` parameter. If the user id (uid) variable
is not passed in parameter, the id of the currently logged user will be
used (via the session).
"""
user_id = session.get( "user_id", uid )
current_app.logger.info( "Retrieving the security keys for user '{}'".format( session[ "username" ] ) )
sql = """
SELECT
id, key_name as name,
created_on, last_usage, usage_counter,
active
FROM webauthn
WHERE user_id = %s
"""
if not all_keys:
sql += " AND active = true"
sql += " ORDER BY key_name ASC"
Marco De Donno
committed
data = config.db.query_fetchall( sql, ( user_id, ) )
return data
@login_view.route( "/webauthn/begin_activate", methods = [ "POST" ] )
def webauthn_begin_activate():
"""
Start the registering process for a new security key. The json returned
will be used by the javascript navigator.credentials.create() function.
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
"""
current_app.logger.info( "Start the registring process for a new security key" )
session[ "key_name" ] = request.form.get( "key_name", None )
username = session.get( "username" )
challenge = pyotp.random_base32( 64 )
ukey = pyotp.random_base32( 64 )
current_app.logger.debug( "User: {}".format( username ) )
current_app.logger.debug( "Challenge: {}".format( challenge ) )
session[ "challenge" ] = challenge
session[ "register_ukey" ] = ukey
make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
challenge, config.rp_name, config.RP_ID,
ukey, username, username,
None
)
registration_dict = make_credential_options.registration_dict
registration_dict[ "authenticatorSelection" ] = {
"authenticatorAttachment": "cross-platform",
"requireResidentKey": False,
"userVerification": "discouraged"
}
return jsonify( registration_dict )
@login_view.route( "/webauthn/verify", methods = [ "POST" ] )
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
def webauthn_verify():
"""
Verify the data produced by the security key while registring
(with the navigator.credentials.create() function).
"""
current_app.logger.info( "Start webauthn verification process" )
challenge = session[ "challenge" ]
user_id = session[ "user_id" ]
key_name = session.get( "key_name", None )
ukey = session[ "register_ukey" ]
current_app.logger.debug( "Session challenge: {}".format( challenge ) )
current_app.logger.debug( "Session user_id: {}".format( user_id ) )
current_app.logger.debug( "Session key_name: {}".format( key_name ) )
webauthn_registration_response = webauthn.WebAuthnRegistrationResponse(
config.RP_ID,
config.ORIGIN,
request.form,
challenge
)
try:
webauthn_credential = webauthn_registration_response.verify()
current_app.logger.info( "Verification OK" )
except Exception as e:
current_app.logger.info( "Verification failed" )
return jsonify( {
"error": True,
"message": "Registration failed. Error: {}".format( e )
} )
try:
current_app.logger.info( "Insertion of the key to the database" )
config.db.query(
utils.sql.sql_insert_generate( "webauthn", [ "user_id", "key_name", "ukey", "credential_id", "pub_key", "sign_count" ] ),
(
user_id, key_name,
ukey, webauthn_credential.credential_id,
webauthn_credential.public_key, webauthn_credential.sign_count,
)
)
config.db.commit()
return jsonify( {
"success": "User successfully registered."
} )
except:
current_app.logger.error( "Database insertion error" )
return jsonify( {
"error": True,
"message": "Database error"
} )
################################################################################
@login_view.route( "/webauthn/delete", methods = [ "POST" ] )
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
def webauthn_delete_key():
"""
Delete a key based upon the key id and name for the currently logged user.
"""
current_app.logger.info( "Start security deletion" )
key_id = request.form.get( "key_id", False )
userid = session[ "user_id" ]
current_app.logger.debug( "Session username: {}".format( session[ "username" ] ) )
current_app.logger.debug( "key_id: {}".format( key_id ) )
try:
config.db.query( "DELETE FROM webauthn WHERE id = %s AND user_id = %s", ( key_id, userid, ) )
config.db.commit()
current_app.logger.debug( "Security key deleted" )
return jsonify( {
"error": False
} )
except:
current_app.logger.error( "Security key deletion failed" )
return jsonify( {
"error": True
@login_view.route( "/webauthn/disable", methods = [ "POST" ] )
def webauthn_disable_key():
"""
Disable a particular security key for the current user.
"""
key_id = request.form.get( "key_id", False )
userid = session[ "user_id" ]
current_app.logger.info( "Disabling key '{}' for user '{}'".format( key_id, session[ "username" ] ) )
try:
config.db.query( "UPDATE webauthn SET active = False WHERE id = %s AND user_id = %s", ( key_id, userid, ) )
config.db.commit()
current_app.logger.debug( "Key disabled" )
return jsonify( {
"error": False
} )
except:
current_app.logger.error( "Key disabling database error" )
return jsonify( {
"error": True
@login_view.route( "/webauthn/enable", methods = [ "POST" ] )
def webauthn_enable_key():
"""
Activation of a security key for the current user.
"""
key_id = request.form.get( "key_id", False )
userid = session[ "user_id" ]
current_app.logger.info( "Enabling key '{}' for user '{}'".format( key_id, session[ "username" ] ) )
try:
config.db.query( "UPDATE webauthn SET active = True WHERE id = %s AND user_id = %s", ( key_id, userid, ) )
config.db.commit()
current_app.logger.debug( "Key enabled" )
return jsonify( {
"error": False
} )
except:
current_app.logger.error( "Key enabling database error" )
return jsonify( {
"error": True
@login_view.route( "/webauthn/rename", methods = [ "POST" ] )
def webauthn_rename_key():
"""
Rename a security key for the current user.
"""
key_id = request.form.get( "key_id", False )
key_name = request.form.get( "key_name", False )
userid = session[ "user_id" ]
current_app.logger.info( "Renaming key '{}' for user '{}'".format( key_id, session[ "username" ] ) )
try:
config.db.query( "UPDATE webauthn SET key_name = %s WHERE id = %s AND user_id = %s", ( key_name, key_id, userid, ) )
config.db.commit()
current_app.logger.debug( "Key renamed" )
return jsonify( {
"error": False
} )
except:
current_app.logger.error( "Key renaming error" )
return jsonify( {
"error": True
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
@login_view.route( "/webauthn/begin_assertion" )
def webauthn_begin_assertion():
"""
Get the data to start the login process with all actives keys for a user.
"""
current_app.logger.info( "Webauthn start data preparation for user '{}'".format( session[ "username" ] ) )
user_id = session.get( "user_id" )
if "challenge" in session:
del session[ "challenge" ]
challenge = pyotp.random_base32( 64 )
session[ "challenge" ] = challenge
current_app.logger.debug( "Challenge: '{}'".format( challenge ) )
key_list = config.db.query_fetchall( "SELECT * FROM webauthn WHERE user_id = %s AND active = true", ( user_id, ) )
current_app.logger.info( "{} keys active for this user".format( len( key_list ) ) )
credential_id_list = []
for key in key_list:
credential_id_list.append( {
"type": "public-key",
"id": key[ "credential_id" ],
"transports": [ "usb", "nfc", "ble", "internal" ]
} )
current_app.logger.debug( "key '{}' added to the usable keys".format( key[ "credential_id" ] ) )
assertion_dict = {
"challenge": challenge,
"timeout": 60000,
"allowCredentials": credential_id_list,
"rpId": config.RP_ID,
"userVerification": "discouraged"
}
return jsonify( {
"error": False,
"data": assertion_dict
} )
@login_view.route( "/webauthn/verify_assertion", methods = [ "POST" ] )
def webauthn_verify_assertion():
"""
Check the signed challenge provided to the user for the login process.
"""
current_app.logger.info( "Webauthn start assertion verification" )
challenge = session.get( "challenge" )
assertion_response = request.form
credential_id = assertion_response.get( "id" )
current_app.logger.debug( "Used key: '{}'".format( credential_id ) )
user = config.db.query_fetchone( "SELECT * FROM webauthn WHERE credential_id = %s", ( credential_id, ) )
for key in [ "sign_count", "created_on", "last_usage", "usage_counter" ]:
current_app.logger.debug( "key {}: {}".format( key, user[key] ) )
webauthn_user = webauthn.WebAuthnUser(
None, session[ "username" ], None, None,
user[ "credential_id" ], user[ "pub_key" ], user[ "sign_count" ], config.RP_ID
)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
config.ORIGIN,
uv_required = False
)
try:
sign_count = webauthn_assertion_response.verify()
current_app.logger.info( "Webauthn key verified" )
except Exception as e:
current_app.logger.error( "Webauthn assertion failed" )
return jsonify( {
"error": True,
"message": "Assertion failed. Error: {}".format( e )
} )
else:
current_app.logger.debug( "Update key usage in the database" )
dt = datetime.now( pytz.timezone( "Europe/Zurich" ) )
config.db.query( "UPDATE webauthn SET sign_count = %s, last_usage = %s, usage_counter = usage_counter + 1 WHERE credential_id = %s", ( sign_count, dt, credential_id, ) )
config.db.commit()
session[ "need_to_check" ].remove( "securitykey" )
do_login()
return jsonify( {
"error": False
} )
@login_view.route( "/reset_password" )
def password_reset():
"""
Serve the password_reset.html page.
"""
session.clear()
session[ "process" ] = "request_password_reset"
return utils.template.my_render_template( "login/users/password_reset.html" )
@login_view.route( "/do/reset_password", methods = [ "POST" ] )
def do_password_reset():
"""
Start the check of the username for a password reset. The check is done
in a thread to allow a fast "OK" response, even if the username does
not exists. This prevent data extraction (presence or not of a
username).
"""
email = request.form.get( "email", None )
current_app.logger.info( "Start a password reset procedure for '{}'".format( email ) )
Thread( target = do_password_reset_thread, args = ( email, current_app._get_current_object(), ) ).start()
return jsonify( {
"error": False,
"message": "OK"
} )
def do_password_reset_thread( email, localapp ):
"""
Search in the database if the provided email is present, and send the
password reset email if so.
"""
if email == None:
return False
else:
users = config.db.query_fetchall( "SELECT id, username, email FROM users" )
found = []
for user in users:
localapp.logger.debug( "Password reset - Checking '{}' against '{}'".format( email, user[ "username" ] ) )
if not user[ "email" ].startswith( "pbkdf2$" ):
continue
elif utils.hash.pbkdf2( email ).verify( user[ "email" ] ):
user_id = hashlib.sha512( utils.rand.random_data( 100 ) ).hexdigest()
####################################################################
data = {
"process": "password_reset",
"process_id": user_id,
"user_id": user[ "id" ]
}
data = json.dumps( data )
data = base64.b64encode( data )
reset_id = "reset_{}".format( user_id )
config.redis_dbs[ "reset" ].set( reset_id, data, ex = 24 * 3600 )
####################################################################
with localapp.app_context(), localapp.test_request_context():
url = config.domain + url_for( "login.password_reset_stage2", user_id = user_id )
email_content = utils.template.render_jinja_html(
"templates/email", "reset.html",
url = url,
username = user[ "username" ]
)
msg = MIMEText( email_content, "html" )
msg[ "Subject" ] = "ICNML - User password reset"
msg[ "From" ] = config.sender
msg[ "To" ] = email
with utils.mail.mySMTP() as s:
s.sendmail( config.sender, [ email ], msg.as_string() )
found.append( user[ "username" ] )
if len( found ) > 0:
localapp.logger.info( "Password reset - '{}' found against {}".format( email, ", ".join( found ) ) )
else:
localapp.logger.error( "Password reset - '{}' not found".format( email ) )
@login_view.route( "/reset_password_stage2/<user_id>", methods = [ "GET", "POST" ] )
def password_reset_stage2( user_id ):
"""
Serve the reset password, second stage (password edit fields) page,
and set the data in the database if provided.
"""
current_app.logger.info( "Starting password reset stage 2" )
reset_id = "reset_{}".format( user_id )
data = config.redis_dbs[ "reset" ].get( reset_id )
if data != None:
data = base64.b64decode( data )
data = json.loads( data )
password = request.form.get( "password", None )
userid = data.get( "user_id", None )
if password != None:
password = utils.hash.pbkdf2( password, utils.rand.random_data( config.PASSWORD_SALT_LENGTH ), config.PASSWORD_NB_ITERATIONS ).hash()
config.db.query( "UPDATE users SET password = %s WHERE id = %s", ( password, userid ) )
config.db.commit()
views.pianos.do_pianos_update_all_accounts()
current_app.logger.debug( "Password updated for user id '{}'".format( userid ) )
reset_id = "reset_{}".format( user_id )
config.redis_dbs[ "reset" ].delete( reset_id )
return jsonify( {
"error": False,
"password_updated": True
} )
else:
current_app.logger.debug( "Password reset template render" )
return utils.template.my_render_template(
"login/users/password_reset_stage2.html",
user_id = user_id
)
else:
current_app.logger.error( "No reset procedure found for '{}'".format( user_id ) )
return jsonify( {
"error": True,
"message": "Reset procedure not found/expired"
} )
################################################################################
# TOTP reset
@login_view.route( "/reset_totp" )
def totp_reset():
"""
Serve the password_reset.html page.
"""
session.clear()
session[ "process" ] = "request_totp_reset"
return utils.template.my_render_template( "login/users/totp_reset.html" )
@login_view.route( "/do/reset_totp", methods = [ "POST" ] )
def do_totp_reset():
"""
Start the check of the username for a TOTP reset.
The check is done in a thread to allow a fast "OK" response, even if the username
does not exists. This prevent data extraction (presence or not of a username).
"""
email = request.form.get( "email", None )
current_app.logger.info( "Start a TOTP reset procedure for '{}'".format( email ) )
Thread( target = do_totp_reset_thread, args = ( email, current_app._get_current_object(), ) ).start()
return jsonify( {
"error": False,
"message": "OK"
} )
def do_totp_reset_thread( email, localapp ):
"""
Search in the database if the provided email is present, and send the
totp reset email if so.
"""
if email == None:
return False
else:
users = config.db.query_fetchall( "SELECT id, username, email FROM users" )
found = []
for user in users:
localapp.logger.debug( "TOTP reset - Checking '{}' against '{}'".format( email, user[ "username" ] ) )
if not user[ "email" ].startswith( "pbkdf2$" ):
continue
elif utils.hash.pbkdf2( email ).verify( user[ "email" ] ):
user_id = hashlib.sha512( utils.rand.random_data( 100 ) ).hexdigest()
####################################################################
data = {
"process": "totp_reset",
"process_id": user_id,
"user_id": user[ "id" ],
"username": user[ "username" ]
}
data = json.dumps( data )
data = base64.b64encode( data )
reset_id = "reset_{}".format( user_id )
config.redis_dbs[ "reset" ].set( reset_id, data, ex = 24 * 3600 )
####################################################################
with localapp.app_context(), localapp.test_request_context():
url = config.domain + url_for( "login.totp_reset_stage2", user_id = user_id )
email_content = utils.template.render_jinja_html(
"templates/email", "reset.html",
url = url,
username = user[ "username" ]
)
msg = MIMEText( email_content, "html" )
msg[ "Subject" ] = "ICNML - User TOTP reset"
msg[ "From" ] = config.sender
msg[ "To" ] = email
with utils.mail.mySMTP() as s:
s.sendmail( config.sender, [ email ], msg.as_string() )
found.append( user[ "username" ] )
if len( found ) > 0:
localapp.logger.info( "TOTP reset - '{}' found against {}".format( email, ", ".join( found ) ) )
else:
localapp.logger.error( "TOTP reset - '{}' not found".format( email ) )
@login_view.route( "/reset_totp_stage2/<user_id>", methods = [ "GET", "POST" ] )
def totp_reset_stage2( user_id ):
"""
Serve the reset totp, second stage (password edit fields) page, and set
the data in the database if provided.
"""
current_app.logger.info( "Starting TOTP reset stage 2" )
reset_id = "reset_{}".format( user_id )
data = config.redis_dbs[ "reset" ].get( reset_id )
if data != None:
data = base64.b64decode( data )
data = json.loads( data )
totp = request.form.get( "totp", None )
userid = data.get( "user_id", None )
session[ "username" ] = data.get( "username", None )
if totp != None:
config.db.query( "UPDATE users SET totp = %s WHERE id = %s", ( totp, userid ) )
config.db.commit()
current_app.logger.debug( "totp updated for user id '{}'".format( userid ) )
reset_id = "reset_{}".format( user_id )
config.redis_dbs[ "reset" ].delete( reset_id )
return jsonify( {
"error": False,
"totp_updated": True
} )
else:
current_app.logger.debug( "TOTP reset template render" )
return utils.template.my_render_template(
user_id = user_id,
secret = get_secret()
)
else:
current_app.logger.error( "No reset procedure found for '{}'".format( user_id ) )
return jsonify( {
"error": True,
"message": "Reset procedure not found/expired"
} )