Finish TOTP

aaa3b0e9 · Jorran de Wit · f2bdbe38 · aaa3b0e9 · aaa3b0e9 · aaa3b0e9
Commit aaa3b0e9 authored 6 years ago by Jorran de Wit
--- a/scipost/templates/partials/scipost/personal_page/account.html
+++ b/scipost/templates/partials/scipost/personal_page/account.html
@@ -56,18 +56,17 @@
        {% endif %}

        {% if recommend_totp %}
-            {# Scientist fields #}
-                {% if 1 %}
-                <div class="border border-danger p-2 mb-3">
+            <div class="border border-danger p-2 mb-3">
                  <h3 class="text-warningx">
                      <i class="fa fa-exclamation-triangle text-danger"></i>
                      Please increase your account's security</h3>
-                  <p class="mb-0">
-                      We strongly recommend to use two factor authentication that adds an extra layer of protection to your SciPost account.
-                  </p>
+                  <div>
+                      Your account grants access to sensitive, confidential information. Therefore we strongly recommend to use two factor authentication that adds an extra layer of protection to your SciPost account.
+
+                      <br><br>
+                      <a href="{% url 'scipost:totp_create' %}">Set up two factor authentication here</a>.
                  </div>
-                {% endif %}
-            {# END: Scientist fields #}
+              </div>
        {% endif %}

        {% if not contributor.petition_signatories.exists %}

--- a/scipost/templates/scipost/totpdevice_form.html
+++ b/scipost/templates/scipost/totpdevice_form.html
@@ -18,7 +18,12 @@
      <h1 class="highlight">Set up two factor authentication device</h1>

    <p>
-        An authenticator app lets you generate security codes on your phone without needing to receive text messages. If you don’t already have one, we support any of these apps.
+        An authenticator app lets you generate time dependent security codes on your phone. This adds an important layer of security to your SciPost account. If you don’t already have one, please install a mobile authentication app, for example:
+        <ul>
+            <li><a href="http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447" target="_blank">Google Authenticator</a> (Android/iOS)</li>
+            <li><a href="http://guide.duosecurity.com/third-party-accounts" target="_blank">Duo Mobile</a> (Android/iOS)</li>
+            <li><a href="http://aka.ms/dbauthenticator" target="_blank">Authenticator</a> (Windows Phone 7)</li>
+        </ul>
        <br>
        To configure your authenticator app:
    </p>

--- a/scipost/templates/scipost/totpdevice_list.html
+++ b/scipost/templates/scipost/totpdevice_list.html
@@ -43,6 +43,15 @@
                          <a class="text-danger" href="{% url 'scipost:totp_delete' device.id %}">Remove device</a>
                      </td>
                  </tr>
+              {% empty %}
+                  <tr>
+                      <td colspan="3">
+                          <div class="py-2">
+                              <i class="fa fa-exclamation-triangle text-danger"></i>
+                              You are not using two factor authentication yet. We strongly recommend to <a href="{% url 'scipost:totp_create' %}">set up two factor authentication</a>.
+                          </div>
+                      </td>
+                  </tr>
              {% endfor %}
          </tbody>
      </table>

--- a/scipost/totp.py
+++ b/scipost/totp.py
@@ -24,9 +24,10 @@ class TOTPVerification:
        Verify a time-dependent code for a certain User.
        """
        try:
-            # Convert the input token to integer
-            code = int(code)
-        except ValueError:
+            # Try to see if input token is convertable to integer.
+            # Do not actually make it a integer, because it'll loose the leading 0s.
+            assert int(code) > 0
+        except (ValueError, AssertionError):
            # return False, if token could not be converted to an integer
            return False
        else:
@@ -58,9 +59,10 @@ class TOTPVerification:
        Independently verify a secret_key/code combination at current time.
        """
        try:
-            # Convert the input token to integer
-            code = int(code)
-        except ValueError:
+            # Try to see if input token is convertable to integer.
+            # Do not actually make it a integer, because it'll loose the leading 0s.
+            assert int(code) > 0
+        except (ValueError, AssertionError):
            # return False, if token could not be converted to an integer
            return False
        time_int = int(time())

--- a/scipost/views.py
+++ b/scipost/views.py
@@ -16,6 +16,7 @@ from django.contrib.auth.views import password_reset, password_reset_confirm
 from django.contrib.auth.views import (
    LoginView, LogoutView, PasswordChangeView,
    PasswordResetView, PasswordResetConfirmView)
+from django.contrib.messages.views import SuccessMessageMixin
 from django.core import mail
 from django.core.exceptions import PermissionDenied
 from django.core.mail import EmailMessage, EmailMultiAlternatives
@@ -890,13 +891,14 @@ class TOTPListView(LoginRequiredMixin, ListView):
        return self.request.user.devices.all()


-class TOTPDeviceCreateView(LoginRequiredMixin, CreateView):
+class TOTPDeviceCreateView(LoginRequiredMixin, SuccessMessageMixin, CreateView):
    """
    Create a new TOTP device.
    """
    form_class = TOTPDeviceForm
    template_name = 'scipost/totpdevice_form.html'
    success_url = reverse_lazy('scipost:totp')
+    success_message = 'Two factor authentication device %(name)s successfully added.'

    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()