From aaa3b0e9abb88ce09c66d834561395d78a143406 Mon Sep 17 00:00:00 2001
From: Jorran de Wit <jorrandewit@outlook.com>
Date: Wed, 27 Mar 2019 10:53:59 +0100
Subject: [PATCH] Finish TOTP

---
 .../partials/scipost/personal_page/account.html   | 15 +++++++--------
 scipost/templates/scipost/totpdevice_form.html    |  7 ++++++-
 scipost/templates/scipost/totpdevice_list.html    |  9 +++++++++
 scipost/totp.py                                   | 14 ++++++++------
 scipost/views.py                                  |  4 +++-
 5 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/scipost/templates/partials/scipost/personal_page/account.html b/scipost/templates/partials/scipost/personal_page/account.html
index 8f04fd3c4..39af7836a 100644
--- a/scipost/templates/partials/scipost/personal_page/account.html
+++ b/scipost/templates/partials/scipost/personal_page/account.html
@@ -56,18 +56,17 @@
         {% endif %}
 
         {% if recommend_totp %}
-            {# Scientist fields #}
-                {% if 1 %}
-                <div class="border border-danger p-2 mb-3">
+            <div class="border border-danger p-2 mb-3">
                   <h3 class="text-warningx">
                       <i class="fa fa-exclamation-triangle text-danger"></i>
                       Please increase your account's security</h3>
-                  <p class="mb-0">
-                      We strongly recommend to use two factor authentication that adds an extra layer of protection to your SciPost account.
-                  </p>
+                  <div>
+                      Your account grants access to sensitive, confidential information. Therefore we strongly recommend to use two factor authentication that adds an extra layer of protection to your SciPost account.
+
+                      <br><br>
+                      <a href="{% url 'scipost:totp_create' %}">Set up two factor authentication here</a>.
                   </div>
-                {% endif %}
-            {# END: Scientist fields #}
+              </div>
         {% endif %}
 
         {% if not contributor.petition_signatories.exists %}
diff --git a/scipost/templates/scipost/totpdevice_form.html b/scipost/templates/scipost/totpdevice_form.html
index 9499e34fd..b98cc825d 100644
--- a/scipost/templates/scipost/totpdevice_form.html
+++ b/scipost/templates/scipost/totpdevice_form.html
@@ -18,7 +18,12 @@
       <h1 class="highlight">Set up two factor authentication device</h1>
 
     <p>
-        An authenticator app lets you generate security codes on your phone without needing to receive text messages. If you don’t already have one, we support any of these apps.
+        An authenticator app lets you generate time dependent security codes on your phone. This adds an important layer of security to your SciPost account. If you don’t already have one, please install a mobile authentication app, for example:
+        <ul>
+            <li><a href="http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447" target="_blank">Google Authenticator</a> (Android/iOS)</li>
+            <li><a href="http://guide.duosecurity.com/third-party-accounts" target="_blank">Duo Mobile</a> (Android/iOS)</li>
+            <li><a href="http://aka.ms/dbauthenticator" target="_blank">Authenticator</a> (Windows Phone 7)</li>
+        </ul>
         <br>
         To configure your authenticator app:
     </p>
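Review bot: The three new `<a ... target="_blank">` links open external sites without `rel="noopener noreferrer"`, so the opened page receives a `window.opener` handle back to the SciPost tab; each anchor should carry `rel="noopener noreferrer"`, e.g. `<a href="https://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447" target="_blank" rel="noopener noreferrer">Google Authenticator</a>`. All three URLs are also plain `http://`, which sends the user to the vendor over an unencrypted hop before any upgrade redirect; the https forms should be used directly. Placing a `<ul>` inside the existing `<p>` is invalid HTML (the list implicitly closes the paragraph, leaving the later `</p>` stray), so the list is better placed after the paragraph or the `<p>` turned into a `<div>`.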
diff --git a/scipost/templates/scipost/totpdevice_list.html b/scipost/templates/scipost/totpdevice_list.html
index 8481e6014..d76344373 100644
--- a/scipost/templates/scipost/totpdevice_list.html
+++ b/scipost/templates/scipost/totpdevice_list.html
@@ -43,6 +43,15 @@
                           <a class="text-danger" href="{% url 'scipost:totp_delete' device.id %}">Remove device</a>
                       </td>
                   </tr>
+              {% empty %}
+                  <tr>
+                      <td colspan="3">
+                          <div class="py-2">
+                              <i class="fa fa-exclamation-triangle text-danger"></i>
+                              You are not using two factor authentication yet. We strongly recommend to <a href="{% url 'scipost:totp_create' %}">set up two factor authentication</a>.
+                          </div>
+                      </td>
+                  </tr>
               {% endfor %}
           </tbody>
       </table>
diff --git a/scipost/totp.py b/scipost/totp.py
index 7b6f1cd37..7beecf397 100644
--- a/scipost/totp.py
+++ b/scipost/totp.py
@@ -24,9 +24,10 @@ class TOTPVerification:
         Verify a time-dependent code for a certain User.
         """
         try:
-            # Convert the input token to integer
-            code = int(code)
-        except ValueError:
+            # Try to see if input token is convertable to integer.
+            # Do not actually make it a integer, because it'll loose the leading 0s.
+            assert int(code) > 0
+        except (ValueError, AssertionError):
             # return False, if token could not be converted to an integer
             return False
         else:
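Review bot: `assert int(code) > 0` uses `assert` for input validation, so under `python -O` the whole statement is dropped and a non-numeric token reaches the verification step unconverted; it also rejects the legitimate all-zero code (`int('000000')` is `0`, not `> 0`) while accepting forms such as `'+123'` or `' 123 '` that `int()` tolerates. The same construct appears in the second hunk of this file (the secret_key/code method). A plain check keeps the leading zeros and needs no exception handling: `if not str(code).isdecimal(): return False`. The new comment also misspells a few words: `convertible`, `an integer`, `lose`. Both enclosing methods start before and continue after their hunks, so the later use of `code` is not visible here.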
@@ -58,9 +59,10 @@ class TOTPVerification:
         Independently verify a secret_key/code combination at current time.
         """
         try:
-            # Convert the input token to integer
-            code = int(code)
-        except ValueError:
+            # Try to see if input token is convertable to integer.
+            # Do not actually make it a integer, because it'll loose the leading 0s.
+            assert int(code) > 0
+        except (ValueError, AssertionError):
             # return False, if token could not be converted to an integer
             return False
         time_int = int(time())
diff --git a/scipost/views.py b/scipost/views.py
index 091e1a416..72400cedb 100644
--- a/scipost/views.py
+++ b/scipost/views.py
@@ -16,6 +16,7 @@ from django.contrib.auth.views import password_reset, password_reset_confirm
 from django.contrib.auth.views import (
     LoginView, LogoutView, PasswordChangeView,
     PasswordResetView, PasswordResetConfirmView)
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core import mail
 from django.core.exceptions import PermissionDenied
 from django.core.mail import EmailMessage, EmailMultiAlternatives
@@ -890,13 +891,14 @@ class TOTPListView(LoginRequiredMixin, ListView):
         return self.request.user.devices.all()
 
 
-class TOTPDeviceCreateView(LoginRequiredMixin, CreateView):
+class TOTPDeviceCreateView(LoginRequiredMixin, SuccessMessageMixin, CreateView):
     """
     Create a new TOTP device.
     """
     form_class = TOTPDeviceForm
     template_name = 'scipost/totpdevice_form.html'
     success_url = reverse_lazy('scipost:totp')
+    success_message = 'Two factor authentication device %(name)s successfully added.'
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
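Review bot: `success_message = 'Two factor authentication device %(name)s successfully added.'` is `%`-formatted by `SuccessMessageMixin` with the form's cleaned data, so it raises `KeyError` on a valid submit unless `TOTPDeviceForm` exposes a `name` field; the form is not in this patch, so confirm it does. The interpolated device name is user-supplied, so the template that renders messages must leave autoescaping on (no `|safe`) for it to be displayed as text. `get_form_kwargs` continues past the end of the hunk.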
-- 
GitLab