Mark LDAP authentication as external_auth. Fix OTP secret update. #237

This commit is contained in:
Khanh Ngo 2018-04-10 08:59:28 +07:00
parent fdf849744b
commit 84d4bfaed0
2 changed files with 59 additions and 34 deletions

View File

@ -135,6 +135,9 @@ class User(db.Model):
def get_hashed_password(self, plain_text_password=None): def get_hashed_password(self, plain_text_password=None):
# Hash a password for the first time # Hash a password for the first time
# (Using bcrypt, the salt is saved into the hash itself) # (Using bcrypt, the salt is saved into the hash itself)
if plain_text_password == None:
return plain_text_password
pw = plain_text_password if plain_text_password else self.plain_text_password pw = plain_text_password if plain_text_password else self.plain_text_password
return bcrypt.hashpw(pw.encode('utf-8'), bcrypt.gensalt()) return bcrypt.hashpw(pw.encode('utf-8'), bcrypt.gensalt())
@ -315,7 +318,9 @@ class User(db.Model):
self.role_id = Role.query.filter_by(name='Administrator').first().id self.role_id = Role.query.filter_by(name='Administrator').first().id
self.password = self.get_hashed_password(self.plain_text_password) self.password = self.get_hashed_password(self.plain_text_password)
self.password = self.password.decode("utf-8")
if self.password:
self.password = self.password.decode("utf-8")
db.session.add(self) db.session.add(self)
db.session.commit() db.session.commit()
@ -336,7 +341,9 @@ class User(db.Model):
user.password = self.get_hashed_password(self.plain_text_password) if self.plain_text_password else user.password user.password = self.get_hashed_password(self.plain_text_password) if self.plain_text_password else user.password
user.avatar = self.avatar if self.avatar else user.avatar user.avatar = self.avatar if self.avatar else user.avatar
user.otp_secret = "" if enable_otp is not None:
user.otp_secret = ""
if enable_otp == True: if enable_otp == True:
# generate the opt secret key # generate the opt secret key
user.otp_secret = base64.b32encode(os.urandom(10)).decode('utf-8') user.otp_secret = base64.b32encode(os.urandom(10)).decode('utf-8')

View File

@ -312,12 +312,13 @@ def login():
return redirect(url_for('index')) return redirect(url_for('index'))
if request.method == 'GET': if request.method == 'GET':
return render_template('login.html', return render_template('login.html', github_enabled=GITHUB_ENABLE,
github_enabled=GITHUB_ENABLE, google_enabled=GOOGLE_ENABLE,
google_enabled=GOOGLE_ENABLE, saml_enabled=SAML_ENABLED,
saml_enabled=SAML_ENABLED, ldap_enabled=LDAP_ENABLED,
ldap_enabled=LDAP_ENABLED, login_title=LOGIN_TITLE, login_title=LOGIN_TITLE,
basic_enabled=BASIC_ENABLED, signup_enabled=SIGNUP_ENABLED) basic_enabled=BASIC_ENABLED,
signup_enabled=SIGNUP_ENABLED)
# process login # process login
username = request.form['username'] username = request.form['username']
@ -331,6 +332,9 @@ def login():
email = request.form.get('email') email = request.form.get('email')
rpassword = request.form.get('rpassword') rpassword = request.form.get('rpassword')
if auth_method != 'LOCAL':
session['external_auth'] = True
if None in [firstname, lastname, email]: if None in [firstname, lastname, email]:
#login case #login case
remember_me = False remember_me = False
@ -342,37 +346,46 @@ def login():
try: try:
auth = user.is_validate(method=auth_method) auth = user.is_validate(method=auth_method)
if auth == False: if auth == False:
return render_template('login.html', error='Invalid credentials', ldap_enabled=LDAP_ENABLED, return render_template('login.html', error='Invalid credentials',
login_title=LOGIN_TITLE, github_enabled=GITHUB_ENABLE,
basic_enabled=BASIC_ENABLED, google_enabled=GOOGLE_ENABLE,
signup_enabled=SIGNUP_ENABLED, saml_enabled=SAML_ENABLED,
github_enabled=GITHUB_ENABLE, ldap_enabled=LDAP_ENABLED,
saml_enabled=SAML_ENABLED) login_title=LOGIN_TITLE,
basic_enabled=BASIC_ENABLED,
signup_enabled=SIGNUP_ENABLED)
except Exception as e: except Exception as e:
return render_template('login.html', error=e, ldap_enabled=LDAP_ENABLED, login_title=LOGIN_TITLE, return render_template('login.html', error=e,
basic_enabled=BASIC_ENABLED, github_enabled=GITHUB_ENABLE,
signup_enabled=SIGNUP_ENABLED, google_enabled=GOOGLE_ENABLE,
github_enabled=GITHUB_ENABLE, saml_enabled=SAML_ENABLED,
saml_enabled=SAML_ENABLED) ldap_enabled=LDAP_ENABLED,
login_title=LOGIN_TITLE,
basic_enabled=BASIC_ENABLED,
signup_enabled=SIGNUP_ENABLED)
# check if user enabled OPT authentication # check if user enabled OPT authentication
if user.otp_secret: if user.otp_secret:
if otp_token: if otp_token:
good_token = user.verify_totp(otp_token) good_token = user.verify_totp(otp_token)
if not good_token: if not good_token:
return render_template('login.html', error='Invalid credentials', ldap_enabled=LDAP_ENABLED, return render_template('login.html', error='Invalid credentials',
login_title=LOGIN_TITLE, github_enabled=GITHUB_ENABLE,
basic_enabled=BASIC_ENABLED, google_enabled=GOOGLE_ENABLE,
signup_enabled=SIGNUP_ENABLED, saml_enabled=SAML_ENABLED,
github_enabled=GITHUB_ENABLE, ldap_enabled=LDAP_ENABLED,
saml_enabled=SAML_ENABLED) login_title=LOGIN_TITLE,
basic_enabled=BASIC_ENABLED,
signup_enabled=SIGNUP_ENABLED)
else: else:
return render_template('login.html', error='Token required', ldap_enabled=LDAP_ENABLED, return render_template('login.html', error='Token required',
login_title=LOGIN_TITLE, github_enabled=GITHUB_ENABLE,
basic_enabled=BASIC_ENABLED, google_enabled=GOOGLE_ENABLE,
signup_enabled=SIGNUP_ENABLED, saml_enabled=SAML_ENABLED,
github_enabled = GITHUB_ENABLE, ldap_enabled=LDAP_ENABLED,
saml_enabled = SAML_ENABLED) login_title=LOGIN_TITLE,
basic_enabled=BASIC_ENABLED,
signup_enabled=SIGNUP_ENABLED)
login_user(user, remember = remember_me) login_user(user, remember = remember_me)
return redirect(request.args.get('next') or url_for('index')) return redirect(request.args.get('next') or url_for('index'))
@ -389,9 +402,14 @@ def login():
try: try:
result = user.create_local_user() result = user.create_local_user()
if result == True: if result == True:
return render_template('login.html', username=username, password=password, ldap_enabled=LDAP_ENABLED, return render_template('login.html', username=username, password=password,
login_title=LOGIN_TITLE, basic_enabled=BASIC_ENABLED, signup_enabled=SIGNUP_ENABLED, github_enabled=GITHUB_ENABLE,
github_enabled=GITHUB_ENABLE,saml_enabled=SAML_ENABLED) google_enabled=GOOGLE_ENABLE,
saml_enabled=SAML_ENABLED,
ldap_enabled=LDAP_ENABLED,
login_title=LOGIN_TITLE,
basic_enabled=BASIC_ENABLED,
signup_enabled=SIGNUP_ENABLED)
else: else:
return render_template('register.html', error=result['msg']) return render_template('register.html', error=result['msg'])
except Exception as e: except Exception as e: