diff --git a/CHANGELOG.md b/CHANGELOG.md index 179ef56..cd0fe16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,8 @@ # Change Log +## 2.7.0 (Dev) +* Fixed #70 +* Add QR Code for trusted device link +* Better formatting for trusted device start page. ## 2.6.1 * Fix: CVE-2022-42731: related to the possibility of registration replay attack. Thanks to 'SSE (Secure Systems Engineering)' diff --git a/example/example/urls.py b/example/example/urls.py index bd0dc4d..91c6937 100644 --- a/example/example/urls.py +++ b/example/example/urls.py @@ -16,12 +16,13 @@ from django.contrib import admin from django.urls import path,re_path,include from . import views,auth +from mfa import TrustedDevice urlpatterns = [ path('admin/', admin.site.urls), path('mfa/', include('mfa.urls')), path('auth/login',auth.loginView,name="login"), path('auth/logout',auth.logoutView,name="logout"), - + path('devices/add/', TrustedDevice.add,name="add_trusted_device"), re_path('^$',views.home,name='home'), path('registered/',views.registered,name='registered') ] diff --git a/mfa/TrustedDevice.py b/mfa/TrustedDevice.py index 94b2136..a7664fe 100644 --- a/mfa/TrustedDevice.py +++ b/mfa/TrustedDevice.py @@ -7,10 +7,11 @@ from .models import * import user_agents from django.utils import timezone +from django.urls import reverse def id_generator(size=6, chars=string.ascii_uppercase + string.digits): x=''.join(random.choice(chars) for _ in range(size)) - if not User_Keys.objects.filter(properties__shas="$.key="+x).exists(): return x + if not User_Keys.objects.filter(properties__icontains='"key": "%s"'%x).exists(): return x else: return id_generator(size,chars) def getUserAgent(request): @@ -57,12 +58,13 @@ def getCookie(request): def add(request): context=csrf(request) if request.method=="GET": + context.update({"username":request.GET.get('u',''),"key":request.GET.get('k','')}) return render(request,"TrustedDevices/Add.html",context) else: key=request.POST["key"].replace("-","").replace(" ","").upper() context["username"] = request.POST["username"] context["key"] = request.POST["key"] - trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__has="$.key="+key) + trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__icontains='"key": "%s"'%key) cookie=False if trusted_keys.exists(): tk=trusted_keys[0] @@ -97,7 +99,7 @@ def start(request): request.session["td_id"]=td.id try: if td==None: td=User_Keys.objects.get(id=request.session["td_id"]) - context={"key":td.properties["key"]} + context={"key":td.properties["key"],"url":request.scheme+"://"+request.get_host() + reverse('add_trusted_device')} except: del request.session["td_id"] return start(request) @@ -124,12 +126,14 @@ def verify(request): json= jwt.decode(request.COOKIES.get('deviceid'),settings.SECRET_KEY) if json["username"].lower()== request.session['base_username'].lower(): try: - uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__has="$.key=" + json["key"]) + uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__icontains='"key": "%s"'%json["key"]) if uk.enabled and uk.properties["status"] == "trusted": uk.last_used=timezone.now() uk.save() request.session["mfa"] = {"verified": True, "method": "Trusted Device","id":uk.id} return True except: + import traceback + print(traceback.format_exc()) return False return False diff --git a/mfa/templates/TrustedDevices/start.html b/mfa/templates/TrustedDevices/start.html index dd208b3..54eab2d 100644 --- a/mfa/templates/TrustedDevices/start.html +++ b/mfa/templates/TrustedDevices/start.html @@ -1,5 +1,7 @@ {% extends "base.html" %} +{% load static %} {% block head %} +