Fix handling of bad input when enabling mfa

Felix Spöttel 2020-09-28 21:04:44 +02:00
parent b80f225691
commit 4dced10a3f
2 changed files with 4 additions and 27 deletions


@ -416,12 +416,12 @@ def totp_post_enable():
token = request.form.get('token') token = request.form.get('token')
label = request.form.get('label') label = request.form.get('label')
if type(token) != str: if type(token) != str:
return json_response({ "error": 'bad_input' }, 400) return ("Bad Input", 400)
try: try:
validate_totp_secret(secret) validate_totp_secret(secret)
enable_mfa(request.user_email, "totp", secret, token, label, env) enable_mfa(request.user_email, "totp", secret, token, label, env)
except ValueError as e: except ValueError as e:
return str(e) return (str(e), 400)
return "OK" return "OK"
@app.route('/mfa/disable', methods=['POST']) @app.route('/mfa/disable', methods=['POST'])
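Review bot: The type guard in totp_post_enable covers only `token`; `secret` (read above the hunk) is passed to validate_totp_secret and enable_mfa unchecked, so a request that omits it gets the new 400 only if those helpers raise ValueError for a non-string, which is not visible here, and any other exception type would presumably surface as a 500. I would widen the guard to `if not isinstance(token, str) or not isinstance(secret, str):` and keep the `("Bad Input", 400)` return. Separately, `return (str(e), 400)` makes the helpers' ValueError messages user-facing, so they should carry no internal detail or echoed request data. The function starts above the hunk.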


@ -233,31 +233,8 @@ and ensure every administrator account for this control panel does the same.</st
secret: $(el.totpSetupSecret).val(), secret: $(el.totpSetupSecret).val(),
label: $(el.totpSetupLabel).val() label: $(el.totpSetupLabel).val()
}, },
function(res) { function(res) { do_logout(); },
do_logout(); function(res) { render_error(res); }
},
function(res) {
var errorMessage = 'Something went wrong.';
var parsed;
try {
parsed = JSON.parse(res);
} catch (err) {
return render_error(errorMessage);
}
var error = parsed && parsed.error
? parsed.error
: null;
if (error === 'token_mismatch') {
errorMessage = 'Code does not match.';
} else if (error === 'bad_input') {
errorMessage = 'Received request with malformed data.';
}
render_error(errorMessage);
}
); );
return false; return false;
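Review bot: The new error callback `function(res) { render_error(res); }` hands the raw response body to render_error, where the removed code only ever displayed one of three fixed strings. With the server side of this commit returning `str(e)`, the page now shows server-supplied text, and a failure that is not a plain-text 400 (an HTML error page, for instance) would be shown verbatim as well. render_error is not visible in this hunk, so please confirm it inserts its argument as text rather than markup; if it does not, keep a fixed fallback such as `render_error('Something went wrong.')` for unexpected bodies. A comment on the callback would help: `// res is the plain-text error body from the server; render_error must treat it as text`.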