We use cookies to ensure you get the best experience on our website
탐색 도움말
가입하기 로그인
0ct0pu5
/
desec-stack
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
브렌치: main
브랜치 태그
desec-stack
/
api
/
desecapi
/
models
/
mfa.py

mfa.py 2.4 KB
고유링크 히스토리 Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. from __future__ import annotations
    2. 

  2. 

  3. import base64
    4. 

  4. from functools import cached_property
    5. 

  5. import secrets
    6. 

  6. import uuid
    7. 

  7. 

  8. from django.conf import settings
    9. 

  9. from django.db import models, transaction
    10. 

  10. from django.utils import timezone
    11. 

  11. from pyotp import TOTP, utils as pyotp_utils
    12. 

  12. 

  13. 

  14. class BaseFactor(models.Model):
    15. 

  15.     id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
    16. 

  16.     user = models.ForeignKey("User", on_delete=models.CASCADE)
    17. 

  17.     created = models.DateTimeField(auto_now_add=True)
    18. 

  18.     last_used = models.DateTimeField(null=True, blank=True)
    19. 

  19.     name = models.CharField(blank=True, default="", max_length=64)
    20. 

  20. 

  21.     class Meta:
    22. 

  22.         constraints = [
    23. 

  23.             models.UniqueConstraint(fields=["user", "name"], name="unique_user_name"),
    24. 

  24.         ]
    25. 

  25. 

  26.     @transaction.atomic()
    27. 

  27.     def delete(self):
    28. 

  28.         if self.last_used is not None:
    29. 

  29.             self.user.save(credentials_changed=True)
    30. 

  30.         return super().delete()
    31. 

  31. 

  32.     @transaction.atomic()
    33. 

  33.     def save(self, *args, **kwargs):
    34. 

  34.         if not self.user.mfa_enabled:  # enabling MFA
    35. 

  35.             self.user.save(credentials_changed=True)
    36. 

  36.         return super().save(*args, **kwargs)
    37. 

  37. 

  38. 

  39. class TOTPFactor(BaseFactor):
    40. 

  40.     @staticmethod
    41. 

  41.     def _secret_default():
    42. 

  42.         return secrets.token_bytes(32)
    43. 

  43. 

  44.     secret = models.BinaryField(max_length=32, default=_secret_default.__func__)
    45. 

  45.     last_verified_timestep = models.PositiveIntegerField(default=0)
    46. 

  46. 

  47.     @cached_property
    48. 

  48.     def _totp(self):
    49. 

  49.         # TODO switch to self.secret once https://github.com/pyauth/pyotp/pull/138 is released
    50. 

  50.         return TOTP(self.base32_secret, digits=6)
    51. 

  51. 

  52.     @property
    53. 

  53.     def base32_secret(self):
    54. 

  54.         return base64.b32encode(self.secret).rstrip(b"=").decode("ascii")
    55. 

  55. 

  56.     @property
    57. 

  57.     def uri(self):
    58. 

  58.         return self._totp.provisioning_uri(
    59. 

  59.             name=self.name,
    60. 

  60.             issuer_name=f"desec.{settings.DESECSTACK_DOMAIN}",
    61. 

  61.         )
    62. 

  62. 

  63.     @transaction.atomic
    64. 

  64.     def verify(self, code):
    65. 

  65.         now = timezone.now()
    66. 

  66.         timestep_now = self._totp.timecode(now)
    67. 

  67. 

  68.         for offset in (-1, 0, 1):
    69. 

  69.             timestep = timestep_now + offset
    70. 

  70.             if not (self.last_verified_timestep < timestep):
    71. 

  71.                 continue
    72. 

  72.             if pyotp_utils.strings_equal(str(code), self._totp.generate_otp(timestep)):
    73. 

  73.                 self.last_used = now
    74. 

  74.                 self.last_verified_timestep = timestep
    75. 

  75.                 self.save()
    76. 

  76.                 return True
    77. 

  77.         return False
    78.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5