diff --git a/scipost/templates/partials/scipost/personal_page/account.html b/scipost/templates/partials/scipost/personal_page/account.html
index 8f04fd3c4ff35586ca532fc82370e1f8b11bccf5..39af7836ac87e1909d63e586b37bc88a92218460 100644
--- a/scipost/templates/partials/scipost/personal_page/account.html
+++ b/scipost/templates/partials/scipost/personal_page/account.html
@@ -56,18 +56,17 @@
 {% endif %}
 {% if recommend_totp %}
- {# Scientist fields #}
- {% if 1 %}
- <div class="border border-danger p-2 mb-3">
+ <div class="border border-danger p-2 mb-3">
 <h3 class="text-warningx"> <i class="fa fa-exclamation-triangle text-danger"></i> Please increase your account's security</h3>
- <p class="mb-0">
- We strongly recommend to use two factor authentication that adds an extra layer of protection to your SciPost account.
- </p>
+ <div>
+ Your account grants access to sensitive, confidential information. Therefore we strongly recommend to use two factor authentication that adds an extra layer of protection to your SciPost account.
+
+ <br><br>
+ <a href="{% url 'scipost:totp_create' %}">Set up two factor authentication here</a>.
 </div>
- {% endif %}
- {# END: Scientist fields #}
+ </div>
 {% endif %}
 {% if not contributor.petition_signatories.exists %}
diff --git a/scipost/templates/scipost/totpdevice_form.html b/scipost/templates/scipost/totpdevice_form.html
index 9499e34fd6e22de6067deb25e3f713f70748c2ee..b98cc825da25c4ec947b07f75ac35111b904ffc0 100644
--- a/scipost/templates/scipost/totpdevice_form.html
+++ b/scipost/templates/scipost/totpdevice_form.html
@@ -18,7 +18,12 @@
 <h1 class="highlight">Set up two factor authentication device</h1>
 <p>
- An authenticator app lets you generate security codes on your phone without needing to receive text messages. If you don’t already have one, we support any of these apps.
+ An authenticator app lets you generate time dependent security codes on your phone. This adds an important layer of security to your SciPost account. If you don’t already have one, please install a mobile authentication app, for example:
+ <ul>
+ <li><a href="http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447" target="_blank">Google Authenticator</a> (Android/iOS)</li>
+ <li><a href="http://guide.duosecurity.com/third-party-accounts" target="_blank">Duo Mobile</a> (Android/iOS)</li>
+ <li><a href="http://aka.ms/dbauthenticator" target="_blank">Authenticator</a> (Windows Phone 7)</li>
+ </ul>
 <br>
 To configure your authenticator app:
 </p>
diff --git a/scipost/templates/scipost/totpdevice_list.html b/scipost/templates/scipost/totpdevice_list.html
index 8481e601424302563489ae38eee1d0c9955b3efc..d7634437342a27d3543f0c514ea9e3b9a808562f 100644
--- a/scipost/templates/scipost/totpdevice_list.html
+++ b/scipost/templates/scipost/totpdevice_list.html
@@ -43,6 +43,15 @@
 <a class="text-danger" href="{% url 'scipost:totp_delete' device.id %}">Remove device</a>
 </td>
 </tr>
+ {% empty %}
+ <tr>
+ <td colspan="3">
+ <div class="py-2">
+ <i class="fa fa-exclamation-triangle text-danger"></i>
+ You are not using two factor authentication yet. We strongly recommend to <a href="{% url 'scipost:totp_create' %}">set up two factor authentication</a>.
+ </div>
+ </td>
+ </tr>
 {% endfor %}
 </tbody>
 </table>
diff --git a/scipost/totp.py b/scipost/totp.py
index 7b6f1cd37c91b9b81a519a36487d39b4276ee9e3..7beecf397af9bee7f5a6088d189fe5e372c2bdb8 100644
--- a/scipost/totp.py
+++ b/scipost/totp.py
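Review bot: The three `<li>` anchors added in this hunk open with `target="_blank"` but carry no `rel` attribute, so the linked page gets a `window.opener` handle back to the logged-in SciPost tab in browsers that do not default to noopener (reverse tabnabbing); add `rel="noopener noreferrer"` to each, e.g. `<li><a href="http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447" target="_blank" rel="noopener noreferrer">Google Authenticator</a> (Android/iOS)</li>`. All three hrefs are plain `http://`; on a page whose purpose is hardening the account they should point at `https://` wherever the vendor serves it, so the guidance cannot be rewritten in transit. The `<ul>` is nested inside the `<p>` that opens in context and closes at `</p>`, which is invalid HTML and makes browsers implicitly close the paragraph before the list. The "Windows Phone 7" entry is also long discontinued and is likely to confuse rather than help.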
@@ -24,9 +24,10 @@ class TOTPVerification:
 Verify a time-dependent code for a certain User.
 """
 try:
- # Convert the input token to integer
- code = int(code)
- except ValueError:
+ # Try to see if input token is convertable to integer.
+ # Do not actually make it a integer, because it'll loose the leading 0s.
+ assert int(code) > 0
+ except (ValueError, AssertionError):
 # return False, if token could not be converted to an integer
 return False
 else:
@@ -58,9 +59,10 @@ class TOTPVerification:
 Independently verify a secret_key/code combination at current time.
 """
 try:
- # Convert the input token to integer
- code = int(code)
- except ValueError:
+ # Try to see if input token is convertable to integer.
+ # Do not actually make it a integer, because it'll loose the leading 0s.
+ assert int(code) > 0
+ except (ValueError, AssertionError):
 # return False, if token could not be converted to an integer
 return False
 time_int = int(time())
diff --git a/scipost/views.py b/scipost/views.py
index 091e1a41648db28bef730b53e29ab138c7130856..72400cedb28c51630ae0d15187b9a4502b7ea7e0 100644
--- a/scipost/views.py
+++ b/scipost/views.py
@@ -16,6 +16,7 @@
 from django.contrib.auth.views import password_reset, password_reset_confirm
 from django.contrib.auth.views import (
 LoginView, LogoutView, PasswordChangeView, PasswordResetView, PasswordResetConfirmView)
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core import mail
 from django.core.exceptions import PermissionDenied
 from django.core.mail import EmailMessage, EmailMultiAlternatives
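Review bot: Validating the token with `assert int(code) > 0` inside the new `try` body is fragile: `assert` statements are stripped when Python runs with `-O`, leaving only the bare `int()` conversion, and a legitimate all-zero code such as `000000` converts to 0 and is rejected by the `> 0` test. `int()` also accepts surrounding whitespace, a leading sign, underscores and non-ASCII decimal digits, so "convertible to int" is a looser check than "string of digits", which is what the leading-zero comment is really after. Replace the assert with an explicit guard that keeps the string intact, `if not (isinstance(code, str) and code.isdecimal()):` followed by `return False`, and drop `AssertionError` from the except clause; the same pattern appears in the second hunk at `@@ -58,9 +59,10 @@`. The two added comment lines also read better as `# Only check that the token is all digits; keep it a string so leading 0s are not lost.`. Both enclosing methods start and end outside the hunks, so how `code` is compared afterwards is not visible here.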
@@ -890,13 +891,14 @@
 return self.request.user.devices.all()
-class TOTPDeviceCreateView(LoginRequiredMixin, CreateView):
+class TOTPDeviceCreateView(LoginRequiredMixin, SuccessMessageMixin, CreateView):
 """
 Create a new TOTP device.
 """
 form_class = TOTPDeviceForm
 template_name = 'scipost/totpdevice_form.html'
 success_url = reverse_lazy('scipost:totp')
+ success_message = 'Two factor authentication device %(name)s successfully added.'
 def get_form_kwargs(self):
 kwargs = super().get_form_kwargs()
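Review bot: The new `success_message` interpolates `%(name)s` from the form's `cleaned_data`, so a user-supplied device name ends up in a flash message; `SuccessMessageMixin` returns a plain string and does not mark it safe, which is fine as long as the messages partial renders `{{ message }}` under autoescaping — confirm it does not apply `|safe` (that template is not on this page). The format key also hard-depends on `TOTPDeviceForm` exposing a `name` field; if that field is missing or renamed, `get_success_message` raises `KeyError` after the device has already been saved. A comment above the attribute, `# %(name)s is filled from TOTPDeviceForm.cleaned_data; keep in sync with the form`, would document the coupling. The class body continues past the end of the hunk.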