fix timeout of non-otp authentication methods (#167)
A bug was introduced during code refactoring: authentication methods that do not use OTP time-limited tokens were wrongly applying the OTP time limit to their authentication codes, as if they were OTP codes. This fixes that.
edulix authored Jan 4, 2022
1 parent bf92914 commit 4cd06c0
Showing 5 changed files with 25 additions and 12 deletions.
2 changes: 1 addition & 1 deletion authapi/authmethods/m_email.py
Expand Up @@ -703,7 +703,7 @@ def authenticate(self, auth_event, request):
if not verify_num_successful_logins(user_auth_event, 'Email', user, req):
return self.error("Incorrect data", error_codename="invalid_credentials")

code = get_user_code(user)
code = get_user_code(user, timeout_seconds=None)
if not code:
LOGGER.error(\
"Email.authenticate error\n"\
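Review bot: The call `code = get_user_code(user, timeout_seconds=None)` spells out the default but nothing records why this method is exempt from the expiry window the OTP variants apply, so the next refactor can reintroduce exactly the bug this commit describes. Add a comment above the call, `# Non-OTP email codes have no expiry window; only the latest enabled code is accepted`, so the policy is explicit; the identical call in m_sms.py needs the same note. With no time bound, a code's validity rests entirely on `is_enabled` being cleared and on the attempt limiting done by verify_num_successful_logins above, so it is worth confirming that a code is disabled once used, which this hunk does not show. The authenticate body continues outside the hunk.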
5 changes: 4 additions & 1 deletion authapi/authmethods/m_email_otp.py
Expand Up @@ -707,7 +707,10 @@ def authenticate(self, auth_event, request):
if not verify_num_successful_logins(auth_event, 'EmailOtp', user, req):
return self.error("Incorrect data", error_codename="invalid_credentials")

code = get_user_code(user)
code = get_user_code(
user,
timeout_seconds=settings.SMS_OTP_EXPIRE_SECONDS
)
if not code:
LOGGER.error(
"EmailOtp.authenticate error\n"\
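Review bot: The email OTP expiry is taken from `settings.SMS_OTP_EXPIRE_SECONDS`, so the two channels cannot be tuned independently even though the helper now accepts the window per call. If sharing the SMS window is intended, say so next to the argument, `# email OTP reuses the SMS OTP expiry window`; otherwise introduce an email-specific expiry setting (name to be chosen) that falls back to the SMS value. The authenticate body continues outside the hunk.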
2 changes: 1 addition & 1 deletion authapi/authmethods/m_sms.py
Expand Up @@ -695,7 +695,7 @@ def authenticate(self, auth_event, request):
if not verify_num_successful_logins(auth_event, 'Sms', user, req):
return self.error("Incorrect data", error_codename="invalid_credentials")

code = get_user_code(user)
code = get_user_code(user, timeout_seconds=None)
if not code:
LOGGER.error(\
"Sms.authenticate error\n"\
5 changes: 4 additions & 1 deletion authapi/authmethods/m_sms_otp.py
Expand Up @@ -697,7 +697,10 @@ def authenticate(self, auth_event, request):
return self.error("Incorrect data", error_codename="invalid_credentials")


code = get_user_code(user)
code = get_user_code(
user,
timeout_seconds=settings.SMS_OTP_EXPIRE_SECONDS
)
if not code:
LOGGER.error(
"SmsOtp.authenticate error\n"\
23 changes: 15 additions & 8 deletions authapi/authmethods/utils.py
Expand Up @@ -878,17 +878,24 @@ def get_trimmed_user(user, ae):

return metadata

def get_user_code(user):
expiration_date = (
timezone.now() - timedelta(seconds=settings.SMS_OTP_EXPIRE_SECONDS)
def get_user_code(user, timeout_seconds=None):
'''
Retrieves from the database the current valid user code for a given user and
optionally a timeout period. The timeout period (timeout_seconds) is
optional and only used if it's not None.
'''
filter_kwargs = dict(
user=user.userdata,
is_enabled=True
)
if timeout_seconds is not None:
filter_kwargs['created__gt'] = (
timezone.now() - timedelta(seconds=timeout_seconds)
)

return Code\
.objects\
.filter(
user=user.userdata,
created__gt=expiration_date,
is_enabled=True
)\
.filter(**filter_kwargs)\
.order_by('-created')\
.first()

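Review bot: `timeout_seconds=None` makes "never expires" the default of a shared lookup used for authentication, so any caller that omits the argument silently gets codes with no time bound, which is the fail-open direction. Every caller in this commit passes the argument explicitly, so consider dropping the default, `def get_user_code(user, timeout_seconds):`, so each call site must state its expiry policy (callers outside this page would need checking first). The docstring should also say plainly that when timeout_seconds is None the most recent enabled code is returned regardless of age, and that the bound is exclusive (`created__gt`), rather than repeating that the parameter is optional.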
