show otp secret

src/forest/auth/routes.py

@@ -1,5 +1,6 @@
 from flask import render_template, redirect, request, url_for, flash, session, abort, current_app
 from flask_login import login_required, login_user, logout_user, current_user
+from markupsafe import Markup, escape
 
 from . import auth
 from .forms import LoginForm, TwoFAForm, RegistrationForm, ChangePasswordForm, PasswordResetRequestForm, PasswordResetForm
@@ -60,7 +61,6 @@ def login():
                 session['memberberry'] = form.remember_me.data
                 return redirect(url_for('auth.twofactor'))
 
-            #print('remember: ' + str(form.remember_me.data))
             login_user(user, form.remember_me.data)
             previp = user.last_ip
             if request.headers.getlist("X-Forwarded-For"):
@@ -71,7 +71,6 @@ def login():
             db.session.add(user)
             db.session.commit()
             send_email(current_app.config['MAIL_USERNAME'], user.email + ' logged in.', 'auth/email/adm_loginnotify', user=user, ipaddr=lastip )
-            #flash('Last Login: {} from {}'.format(user.last_seen.strftime("%a %d %B %Y %H:%M"), previp))
             flash('Last Login: {}'.format(user.last_seen.strftime("%a %d %B %Y %H:%M")))
             return redirect(request.args.get('next') or url_for('panel.dashboard'))
         else:
@@ -126,8 +125,11 @@ def qrcode():
     url = pyqrcode.create(current_user.get_totp_uri())
     stream = BytesIO()
     url.svg(stream, scale=6)
-    return stream.getvalue(), 200, {
+    svg_secret = Markup(stream.getvalue().decode('utf-8'))
-        'Content-Type': 'image/svg+xml',
+    otp_secret = current_user.get_otp_secret()
+    # since this page contains the sensitive qrcode, make sure the browser
+    # does not cache it
+    return render_template('auth/qrcode.html', svg=svg_secret, otp=otp_secret), 200, {
         'Cache-Control': 'no-cache, no-store, must-revalidate',
         'Pragma': 'no-cache',
         'Expires': '0'}

src/forest/models.py

@@ -120,6 +120,9 @@ class User(db.Model, UserMixin):
     def get_totp_uri(self):
         return 'otpauth://totp/DataPanel:{0}?secret={1}&issuer=datapanel'.format(self.email, self.otp_secret)
 
+    def get_otp_secret(self):
+        return self.otp_secret
+
     def verify_totp(self, token):
         return onetimepass.valid_totp(token, self.otp_secret)
 

src/forest/templates/auth/already_confirmed.html

@@ -5,12 +5,11 @@
 
 {% block page_content %}
 <div class="page-header">
-    <h3>Вашият акаунт е вече потвърден.</h3>
     <p>
-        Моля напуснете тази страница :)
+    	Mail is already activated.
     </p>
     <p>
-        <a href="{{ url_for('vmanager.index') }}">Натиснете тук за изход</a>
+        <a href="{{ url_for('vmanager.index') }}">Click here to exit</a>
     </p>
 </div>
 

src/forest/templates/auth/qrcode.html

@@ -0,0 +1,3 @@
+{{ svg }}
+
+{{ otp }}