show otp secret

2024-04-05 18:05:27 +03:00 · 2024-04-05 18:05:27 +03:00 · ab632e107d
commit ab632e107d
parent 876d6c1069
5 changed files with 15 additions and 8 deletions
--- a/src/forest/auth/routes.py
+++ b/src/forest/auth/routes.py
@ -1,5 +1,6 @@
 from flask import render_template, redirect, request, url_for, flash, session, abort, current_app
 from flask_login import login_required, login_user, logout_user, current_user
+from markupsafe import Markup, escape

 from . import auth
 from .forms import LoginForm, TwoFAForm, RegistrationForm, ChangePasswordForm, PasswordResetRequestForm, PasswordResetForm
@ -60,7 +61,6 @@ def login():
                session['memberberry'] = form.remember_me.data
                return redirect(url_for('auth.twofactor'))

-            #print('remember: ' + str(form.remember_me.data))
            login_user(user, form.remember_me.data)
            previp = user.last_ip
            if request.headers.getlist("X-Forwarded-For"):
@ -71,7 +71,6 @@ def login():
            db.session.add(user)
            db.session.commit()
            send_email(current_app.config['MAIL_USERNAME'], user.email + ' logged in.', 'auth/email/adm_loginnotify', user=user, ipaddr=lastip )
-            #flash('Last Login: {} from {}'.format(user.last_seen.strftime("%a %d %B %Y %H:%M"), previp))
            flash('Last Login: {}'.format(user.last_seen.strftime("%a %d %B %Y %H:%M")))
            return redirect(request.args.get('next') or url_for('panel.dashboard'))
        else:
@ -126,8 +125,11 @@ def qrcode():
    url = pyqrcode.create(current_user.get_totp_uri())
    stream = BytesIO()
    url.svg(stream, scale=6)
-    return stream.getvalue(), 200, {
-        'Content-Type': 'image/svg+xml',
+    svg_secret = Markup(stream.getvalue().decode('utf-8'))
+    otp_secret = current_user.get_otp_secret()
+    # since this page contains the sensitive qrcode, make sure the browser
+    # does not cache it
+    return render_template('auth/qrcode.html', svg=svg_secret, otp=otp_secret), 200, {
        'Cache-Control': 'no-cache, no-store, must-revalidate',
        'Pragma': 'no-cache',
        'Expires': '0'}
--- a/src/forest/models.py
+++ b/src/forest/models.py
@ -120,6 +120,9 @@ class User(db.Model, UserMixin):
    def get_totp_uri(self):
        return 'otpauth://totp/DataPanel:{0}?secret={1}&issuer=datapanel'.format(self.email, self.otp_secret)

+    def get_otp_secret(self):
+        return self.otp_secret
+
    def verify_totp(self, token):
        return onetimepass.valid_totp(token, self.otp_secret)

--- a/src/forest/templates/auth/already_confirmed.html
+++ b/src/forest/templates/auth/already_confirmed.html
@ -5,12 +5,11 @@

 {% block page_content %}
 <div class="page-header">
-    <h3>Вашият акаунт е вече потвърден.</h3>
    <p>
-        Моля напуснете тази страница :)
+    	Mail is already activated.
    </p>
    <p>
-        <a href="{{ url_for('vmanager.index') }}">Натиснете тук за изход</a>
+        <a href="{{ url_for('vmanager.index') }}">Click here to exit</a>
    </p>
 </div>

--- a/src/forest/templates/auth/qrcode.html
+++ b/src/forest/templates/auth/qrcode.html
@ -0,0 +1,3 @@
+{{ svg }}
+
+{{ otp }}