diff --git a/CHANGELOG.md b/CHANGELOG.md
index 179ef56..cd0fe16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,8 @@
# Change Log
+## 2.7.0 (Dev)
+* Fixed #70
+* Add QR Code for trusted device link
+* Better formatting for trusted device start page.
## 2.6.1
* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
Thanks to 'SSE (Secure Systems Engineering)'
diff --git a/example/example/urls.py b/example/example/urls.py
index bd0dc4d..91c6937 100644
--- a/example/example/urls.py
+++ b/example/example/urls.py
@@ -16,12 +16,13 @@
from django.contrib import admin
from django.urls import path,re_path,include
from . import views,auth
+from mfa import TrustedDevice
urlpatterns = [
path('admin/', admin.site.urls),
path('mfa/', include('mfa.urls')),
path('auth/login',auth.loginView,name="login"),
path('auth/logout',auth.logoutView,name="logout"),
-
+ path('devices/add/', TrustedDevice.add,name="add_trusted_device"),
re_path('^$',views.home,name='home'),
path('registered/',views.registered,name='registered')
]
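Review bot: The route name `add_trusted_device` on the new `path('devices/add/', ...)` line is not just example wiring — `mfa/TrustedDevice.start` in this same commit calls `reverse('add_trusted_device')`, so every project that installs the app must register a route under exactly that name or `start` will fail, and nothing in `mfa/urls.py` provides it. Either mount the view from `mfa/urls.py` with that name or document the requirement next to the view, e.g. `# mfa.TrustedDevice.start reverses the name 'add_trusted_device'; keep it if you move this route`. Note also that this endpoint is necessarily reachable without a session (the device being enrolled has none), so it accepts anonymous POSTs of the short pairing key; whether the project applies any rate limiting to it is not visible here.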
diff --git a/mfa/TrustedDevice.py b/mfa/TrustedDevice.py
index 94b2136..a7664fe 100644
--- a/mfa/TrustedDevice.py
+++ b/mfa/TrustedDevice.py
@@ -7,10 +7,11 @@
from .models import *
import user_agents
from django.utils import timezone
+from django.urls import reverse
def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
x=''.join(random.choice(chars) for _ in range(size))
- if not User_Keys.objects.filter(properties__shas="$.key="+x).exists(): return x
+ if not User_Keys.objects.filter(properties__icontains='"key": "%s"'%x).exists(): return x
else: return id_generator(size,chars)
def getUserAgent(request):
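Review bot: `id_generator` still draws the trusted-device pairing key with `random.choice`, which is not a CSPRNG, and the new `properties__icontains` check on the line below it only touches how uniqueness is tested, not how the value is produced; the key is later accepted from an unauthenticated POST in `add`, so it should come from `secrets`: `x=''.join(secrets.choice(chars) for _ in range(size))` (with `import secrets` at the top of the module, outside this hunk). The uniqueness check itself now depends on the stored JSON being serialized exactly as `"key": "X"` with a single space after the colon; if `properties` is a Django `JSONField`, `User_Keys.objects.filter(properties__key=x)` is an exact-match lookup that does not break when the serializer's spacing changes. Six characters from a 36-symbol alphabet is roughly 31 bits of entropy, which is fine only if the enrollment endpoint is throttled — I cannot see from this diff whether it is.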
@@ -57,12 +58,13 @@ def getCookie(request):
def add(request):
context=csrf(request)
if request.method=="GET":
+ context.update({"username":request.GET.get('u',''),"key":request.GET.get('k','')})
return render(request,"TrustedDevices/Add.html",context)
else:
key=request.POST["key"].replace("-","").replace(" ","").upper()
context["username"] = request.POST["username"]
context["key"] = request.POST["key"]
- trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__has="$.key="+key)
+ trusted_keys=User_Keys.objects.filter(username=request.POST["username"],properties__icontains='"key": "%s"'%key)
cookie=False
if trusted_keys.exists():
tk=trusted_keys[0]
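Review bot: The rewritten lookup `properties__icontains='"key": "%s"'%key` turns a key match into a substring match over the whole JSON blob built from user input; Django escapes `%` and `_` in `icontains`, so LIKE-wildcard injection is not possible, but the result still depends on the exact serializer spacing and will silently stop matching if `properties` is ever stored compactly. If `properties` is a `JSONField`, `User_Keys.objects.filter(username=..., properties__key=key)` is the exact and format-independent form. The same line filters on `request.POST["username"]` as given, while `verify` later looks the record up with `request.POST["username"].lower()`; if usernames are stored lowercased (as `verify`'s lookup assumes), `add` should apply `.lower()` here too so a mixed-case entry on the pairing page does not fail the match. The GET branch now pre-fills `username` and `key` from the query string; that relies on the `Add.html` template keeping autoescaping on for those values. `add` continues beyond this hunk.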
@@ -97,7 +99,7 @@ def start(request):
request.session["td_id"]=td.id
try:
if td==None: td=User_Keys.objects.get(id=request.session["td_id"])
- context={"key":td.properties["key"]}
+ context={"key":td.properties["key"],"url":request.scheme+"://"+request.get_host() + reverse('add_trusted_device')}
except:
del request.session["td_id"]
return start(request)
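Review bot: The new `reverse('add_trusted_device')` inside the `try` raises `NoReverseMatch` in any project that has not registered a route under that name (the name is only defined in the example project's `urls.py` in this commit), and the surrounding bare `except:` swallows it, deletes `td_id` and recursively calls `start(request)` — which, judging from the lines above the hunk, creates a fresh `td` and hits the same error again, ending in a `RecursionError` rather than a clear message. Move the URL construction out of the `try` (or catch `NoReverseMatch` explicitly) so a missing route fails loudly. Also prefer `request.build_absolute_uri(reverse('add_trusted_device'))` over concatenating `request.scheme + "://" + request.get_host()`; it is the same host validation against `ALLOWED_HOSTS` but handles the script prefix and is the idiomatic form: `context={"key":td.properties["key"],"url":request.build_absolute_uri(reverse('add_trusted_device'))}`. `start` begins before this hunk.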
@@ -124,12 +126,14 @@ def verify(request):
json= jwt.decode(request.COOKIES.get('deviceid'),settings.SECRET_KEY)
if json["username"].lower()== request.session['base_username'].lower():
try:
- uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__has="$.key=" + json["key"])
+ uk = User_Keys.objects.get(username=request.POST["username"].lower(), properties__icontains='"key": "%s"'%json["key"])
if uk.enabled and uk.properties["status"] == "trusted":
uk.last_used=timezone.now()
uk.save()
request.session["mfa"] = {"verified": True, "method": "Trusted Device","id":uk.id}
return True
except:
+ import traceback
+ print(traceback.format_exc())
return False
return False
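Review bot: The added `import traceback; print(traceback.format_exc())` inside the bare `except:` is debugging output left in the MFA verification path; it goes to stdout rather than the application log and the bare `except:` still hides which failure occurred (`KeyError` on the POST/session fields, `User_Keys.DoesNotExist`, or a bad `status`). Replace it with a module logger and a narrowed clause, e.g. `except (KeyError, User_Keys.DoesNotExist):` followed by `logger.exception("trusted device verification failed")`, with `logger = logging.getLogger(__name__)` declared at module level outside this hunk. The fail-closed `return False` is right and should stay. `verify` begins before this hunk.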
diff --git a/mfa/templates/TrustedDevices/start.html b/mfa/templates/TrustedDevices/start.html
index dd208b3..54eab2d 100644
--- a/mfa/templates/TrustedDevices/start.html
+++ b/mfa/templates/TrustedDevices/start.html
@@ -1,5 +1,7 @@
{% extends "base.html" %}
+{% load static %}
{% block head %}
+