From 0e1751eb57a5add94acca6564c3d36100820986c Mon Sep 17 00:00:00 2001
From: Hugh Rundle <hugh@hughrundle.net>
Date: Sun, 11 Sep 2022 16:38:15 +1000
Subject: [PATCH] prep for 2fa login check

- new 2fa checker page to be inserted between initial login and completion of login
- new views and forms for above
---
 bookwyrm/forms/edit_user.py                   |  15 ++-
 bookwyrm/templates/preferences/2fa.html       |   2 +-
 bookwyrm/templates/two_factor_login.html      | 104 ++++++++++++++++++
 bookwyrm/urls.py                              |   5 +
 bookwyrm/views/__init__.py                    |   2 +-
 bookwyrm/views/preferences/two_factor_auth.py |  28 ++++-
 6 files changed, 148 insertions(+), 8 deletions(-)
 create mode 100644 bookwyrm/templates/two_factor_login.html

diff --git a/bookwyrm/forms/edit_user.py b/bookwyrm/forms/edit_user.py
index a7effaf08..51be68a51 100644
--- a/bookwyrm/forms/edit_user.py
+++ b/bookwyrm/forms/edit_user.py
@@ -123,6 +123,7 @@ class ConfirmPasswordForm(CustomForm):
 class Confirm2FAForm(CustomForm):
     otp = forms.CharField(max_length=6, min_length=6, widget=forms.TextInput)
 
+    # IDK if we need this?
     class Meta:
         model = models.User
         fields = ["otp_secret"]
@@ -133,4 +134,16 @@ class Confirm2FAForm(CustomForm):
         totp = pyotp.TOTP(self.instance.otp_secret)
 
         if not totp.verify(otp):
-            self.add_error("otp", _("Code does not match"))
+            # maybe it's a backup code?
+            hotp = pyotp.HOTP(self.instance.otp_secret)
+            hotp_count = (
+                self.instance.hotp_count if self.instance.hotp_count is not None else 0
+            )
+
+            if not hotp.verify(otp, hotp_count):
+                self.add_error("otp", _("Code does not match"))
+
+            # TODO: backup codes
+            # increment the user hotp_count if it was an HOTP
+            # self.instance.hotp_count = hotp_count + 1
+            # self.instance.save(broadcast=False, update_fields=["hotp_count"])
diff --git a/bookwyrm/templates/preferences/2fa.html b/bookwyrm/templates/preferences/2fa.html
index 798716ac4..e5e9684ce 100644
--- a/bookwyrm/templates/preferences/2fa.html
+++ b/bookwyrm/templates/preferences/2fa.html
@@ -29,7 +29,7 @@
                 {{ qrcode | safe }}
             </svg>
         </div>
-        <div class="field ">
+        <div class="field">
             <label class="label" for="id_otp">{% trans "Enter the code from your authenticator app:" %}</label>
             {{ form.otp }}
             {% include 'snippets/form_errors.html' with errors_list=form.current_password.errors id="desc_current_password" %}
diff --git a/bookwyrm/templates/two_factor_login.html b/bookwyrm/templates/two_factor_login.html
new file mode 100644
index 000000000..7d31a714b
--- /dev/null
+++ b/bookwyrm/templates/two_factor_login.html
@@ -0,0 +1,104 @@
+{% load layout %}
+{% load sass_tags %}
+{% load i18n %}
+{% load static %}
+
+<!DOCTYPE html>
+<html lang="{% get_lang %}">
+<head>
+    <title>{% block title %}BookWyrm{% endblock %} - {{ site.name }}</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link href="{% sass_src site_theme %}" rel="stylesheet" type="text/css" />
+</head>
+<body>
+    <nav class="navbar" aria-label="main navigation">
+        <div class="container">
+            <div class="navbar-brand">
+                <a class="navbar-item" href="/">
+                    <img class="image logo" src="{% if site.logo_small %}{% get_media_prefix %}{{ site.logo_small }}{% else %}{% static "images/logo-small.png" %}{% endif %}" alt="{% blocktrans with site_name=site.name %}{{ site_name }} home page{% endblocktrans %}">
+                </a>
+            </div>
+        </div>
+    </nav>
+    <div class="container">
+        <div class="columns is-multiline is-centered">
+            <div class="column">
+                <header class="block">
+                    {% block header %}
+                    <h1 class="title">
+                        {% trans "2FA check" %}
+                    </h1>
+                    {% endblock %}
+                </header>
+                {% if error %}
+                <div class="notification is-danger is-light">
+                    <!-- TODO: how do we translate dynamic errors? -->
+                    <span>
+                        {{ error }}
+                    </span>
+                </div>
+                {% endif %}
+                <div class="is-centered">
+                    <form name="confirm-2fa" action="{% url 'login-with-2fa' %}" method="post" enctype="multipart/form-data">
+                        {% csrf_token %}
+                        <div class="field">
+                            <label class="label" for="id_otp">{% trans "Enter the code from your authenticator app:" %}</label>
+                            {{ form.otp }}
+                            {% include 'snippets/form_errors.html' with errors_list=form.current_password.errors id="desc_current_password" %}
+                        </div>
+                        <button class="button is-primary" type="submit">{% trans "Confirm and Log In" %}</button>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+    <footer class="footer">
+        <div class="container">
+            <div class="columns">
+                <div class="column is-one-fifth">
+                    <p>
+                    <a href="{% url 'about' %}">{% blocktrans with site_name=site.name %}About {{ site_name }}{% endblocktrans %}</a>
+                    </p>
+                    {% if site.admin_email %}
+                    <p>
+                        <a href="mailto:{{ site.admin_email }}">{% trans "Contact site admin" %}</a>
+                    </p>
+                    {% endif %}
+                    <p>
+                        <a href="https://docs.joinbookwyrm.com/">{% trans "Documentation" %}</a>
+                    </p>
+                    {% if request.user.is_authenticated %}
+                    <p id="tour-begin">
+                        <a href="/guided-tour/True">{% trans "Guided Tour" %}</a>
+                        <noscript>(requires JavaScript)</noscript>
+                    </p>
+                    {% endif %}
+                </div>
+                <div class="column content is-two-fifth">
+                    {% if site.support_link %}
+                    <p>
+                        <span class="icon icon-heart"></span>
+                        {% blocktrans trimmed with site_name=site.name support_link=site.support_link support_title=site.support_title %}
+                            Support {{ site_name }} on
+                            <a href="{{ support_link }}" target="_blank" rel="nofollow noopener noreferrer">{{ support_title }}</a>
+                        {% endblocktrans %}
+                    </p>
+                    {% endif %}
+                    <p>
+                    {% blocktrans trimmed %}
+                        BookWyrm's source code is freely available. You can contribute or report issues on
+                        <a href="https://github.com/bookwyrm-social/bookwyrm" target="_blank" rel="nofollow noopener noreferrer">GitHub</a>.
+                    {% endblocktrans %}
+                    </p>
+                </div>
+                {% if site.footer_item %}
+                <div class="column">
+                    <p>{{ site.footer_item|safe }}</p>
+                </div>
+                {% endif %}
+            </div>
+        </div>
+    </footer>
+
+</body>
+</html>
diff --git a/bookwyrm/urls.py b/bookwyrm/urls.py
index 7b6e36cde..4e09cb550 100644
--- a/bookwyrm/urls.py
+++ b/bookwyrm/urls.py
@@ -494,6 +494,11 @@ urlpatterns = [
         views.Disable2FA.as_view(),
         name="disable-2fa",
     ),
+    re_path(
+        r"^login-2FA-check/?$",
+        views.LoginWith2FA.as_view(),
+        name="login-with-2fa",
+    ),
     re_path(r"^preferences/export/?$", views.Export.as_view(), name="prefs-export"),
     re_path(r"^preferences/delete/?$", views.DeleteUser.as_view(), name="prefs-delete"),
     re_path(r"^preferences/block/?$", views.Block.as_view(), name="prefs-block"),
diff --git a/bookwyrm/views/__init__.py b/bookwyrm/views/__init__.py
index 1b9d74181..9c0c7adea 100644
--- a/bookwyrm/views/__init__.py
+++ b/bookwyrm/views/__init__.py
@@ -32,7 +32,7 @@ from .preferences.edit_user import EditUser
 from .preferences.export import Export
 from .preferences.delete_user import DeleteUser
 from .preferences.block import Block, unblock
-from .preferences.two_factor_auth import Edit2FA, Confirm2FA, Disable2FA
+from .preferences.two_factor_auth import Edit2FA, Confirm2FA, Disable2FA, LoginWith2FA
 
 # books
 from .books.books import (
diff --git a/bookwyrm/views/preferences/two_factor_auth.py b/bookwyrm/views/preferences/two_factor_auth.py
index 2441bae97..bbe7628e2 100644
--- a/bookwyrm/views/preferences/two_factor_auth.py
+++ b/bookwyrm/views/preferences/two_factor_auth.py
@@ -1,11 +1,8 @@
 """ class views for 2FA management """
-import base64
-import io
-from pipes import Template
-from turtle import fillcolor
 import pyotp
 import qrcode
 import qrcode.image.svg
+import time
 
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
@@ -13,7 +10,7 @@ from django.template.response import TemplateResponse
 from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
 from django.views import View
-from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
+from django.views.decorators.debug import sensitive_post_parameters
 
 from bookwyrm import forms
 from bookwyrm.settings import DOMAIN
@@ -91,3 +88,24 @@ class Disable2FA(View):
         request.user.save(broadcast=False, update_fields=["two_factor_auth"])
         data = {"form": forms.ConfirmPasswordForm(), "success": True}
         return TemplateResponse(request, "preferences/2fa.html", data)
+
+
+class LoginWith2FA(View):
+    """Check 2FA code matches before allowing login"""
+
+    def get(self, request):
+        """Load 2FA checking page"""
+        form = forms.Confirm2FAForm(request.GET, instance=request.user)
+        return TemplateResponse(request, "two_factor_login.html", {"form": form})
+
+    def post(self, request):
+        """Check 2FA code and allow/disallow login"""
+        form = forms.Confirm2FAForm(request.POST, instance=request.user)
+
+        if not form.is_valid():
+            time.sleep(2)  # make life harder for bots
+            data = {"form": form, "error": "Code does not match, try again"}
+            return TemplateResponse(request, "two_factor_login.html", data)
+
+        # TODO: actually log the user in - we will be bypassing normal login
+        return redirect("/")