We use cookies to ensure you get the best experience on our website
صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
0ct0pu5
/
desec-stack
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: main
شاخه‌ها تگ‌ها
desec-stack
/
api
/
desecapi
/
models
/
mfa.py

mfa.py 2.4 KB
لینک دائمی تاريخچه خام

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. from __future__ import annotations
    2. 

  2. 

  3. import base64
    4. 

  4. from functools import cached_property
    5. 

  5. import secrets
    6. 

  6. import uuid
    7. 

  7. 

  8. from django.conf import settings
    9. 

  9. from django.db import models, transaction
    10. 

  10. from django.utils import timezone
    11. 

  11. from pyotp import TOTP, utils as pyotp_utils
    12. 

  12. 

  13. 

  14. class BaseFactor(models.Model):
    15. 

  15.     id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
    16. 

  16.     user = models.ForeignKey("User", on_delete=models.CASCADE)
    17. 

  17.     created = models.DateTimeField(auto_now_add=True)
    18. 

  18.     last_used = models.DateTimeField(null=True, blank=True)
    19. 

  19.     name = models.CharField(blank=True, default="", max_length=64)
    20. 

  20. 

  21.     class Meta:
    22. 

  22.         constraints = [
    23. 

  23.             models.UniqueConstraint(fields=["user", "name"], name="unique_user_name"),
    24. 

  24.         ]
    25. 

  25. 

  26.     @transaction.atomic()
    27. 

  27.     def delete(self):
    28. 

  28.         if self.last_used is not None:
    29. 

  29.             self.user.save(credentials_changed=True)
    30. 

  30.         return super().delete()
    31. 

  31. 

  32.     @transaction.atomic()
    33. 

  33.     def save(self, *args, **kwargs):
    34. 

  34.         if not self.user.mfa_enabled:  # enabling MFA
    35. 

  35.             self.user.save(credentials_changed=True)
    36. 

  36.         return super().save(*args, **kwargs)
    37. 

  37. 

  38. 

  39. class TOTPFactor(BaseFactor):
    40. 

  40.     @staticmethod
    41. 

  41.     def _secret_default():
    42. 

  42.         return secrets.token_bytes(32)
    43. 

  43. 

  44.     secret = models.BinaryField(max_length=32, default=_secret_default.__func__)
    45. 

  45.     last_verified_timestep = models.PositiveIntegerField(default=0)
    46. 

  46. 

  47.     @cached_property
    48. 

  48.     def _totp(self):
    49. 

  49.         # TODO switch to self.secret once https://github.com/pyauth/pyotp/pull/138 is released
    50. 

  50.         return TOTP(self.base32_secret, digits=6)
    51. 

  51. 

  52.     @property
    53. 

  53.     def base32_secret(self):
    54. 

  54.         return base64.b32encode(self.secret).rstrip(b"=").decode("ascii")
    55. 

  55. 

  56.     @property
    57. 

  57.     def uri(self):
    58. 

  58.         return self._totp.provisioning_uri(
    59. 

  59.             name=self.name,
    60. 

  60.             issuer_name=f"desec.{settings.DESECSTACK_DOMAIN}",
    61. 

  61.         )
    62. 

  62. 

  63.     @transaction.atomic
    64. 

  64.     def verify(self, code):
    65. 

  65.         now = timezone.now()
    66. 

  66.         timestep_now = self._totp.timecode(now)
    67. 

  67. 

  68.         for offset in (-1, 0, 1):
    69. 

  69.             timestep = timestep_now + offset
    70. 

  70.             if not (self.last_verified_timestep < timestep):
    71. 

  71.                 continue
    72. 

  72.             if pyotp_utils.strings_equal(str(code), self._totp.generate_otp(timestep)):
    73. 

  73.                 self.last_used = now
    74. 

  74.                 self.last_verified_timestep = timestep
    75. 

  75.                 self.save()
    76. 

  76.                 return True
    77. 

  77.         return False
    78.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5