In [None]:
#install this dependedncy
#pip install bcrypt pyotp qrcode


import os
import time
import hmac
import hashlib
import bcrypt
import pyotp
import json
import getpass
import qrcode
from io import StringIO

class SecureAuthSystem:
    def __init__(self, db_file="users.json"):
        self.db_file = db_file
        self.users = self._load_users()
        self.session_token = None
        self.current_user = None
        # Normally, this would be a secure environment variable
        """
        Rule 1 of cybersecurity: Humans are stupid, you are a vulnerability
        The usage of the environment variable isn't inherently safe from any implicit 
        technical reasonings, but environment variables act as a temporary area of reference so that you - the user - 
        do not accidentally commit your secret keys to a public repository.
        it's just a way to allow them to save credentials on their machine without committing by accident.
        
        """
        self.secret_key = "THIS_WOULD_BE_A_SECURE_ENVIRONMENT_VARIABLE"
    
    def _load_users(self):
        if os.path.exists(self.db_file):
            try:
                with open(self.db_file, 'r') as f:
                    return json.load(f)
            except:
                return {}
        return {}
    
    def _save_users(self):
        with open(self.db_file, 'w') as f:
            json.dump(self.users, f, indent=2)
    
    def register_user(self, username, password):
        if username in self.users:
            print("User already exists!")
            return False
        
        # Hash the password
        salt = bcrypt.gensalt()
        hashed_pw = bcrypt.hashpw(password.encode(), salt)
        
        # Generate TOTP secret
        totp_secret = pyotp.random_base32()
        
        # Store user data
        self.users[username] = {
            "password": hashed_pw.decode(),
            "totp_secret": totp_secret,
            "totp_verified": False,
            "login_attempts": 0,
            "last_login": None,
            "created_at": time.time()
        }
        
        self._save_users()
        
        # Generate QR code for TOTP setup
        totp_uri = pyotp.totp.TOTP(totp_secret).provisioning_uri(
            name=username,
            issuer_name="Secure Auth Workshop"
        )
        
        print("\nUser registered successfully!")
        print("\n--- IMPORTANT: TOTP SETUP ---")
        print("Scan this QR code with your authenticator app (Google Authenticator, Authy, etc.)")
        print("Or manually enter this secret key:", totp_secret)
        
        # Generate ASCII QR code
        qr = qrcode.QRCode()
        qr.add_data(totp_uri)
        qr.make(fit=True)
        
        f = StringIO()
        qr.print_ascii(out=f)
        f.seek(0)
        print(f.read())
        
        return True
    
    def login_step1(self, username, password):
        """First authentication factor: username/password"""
        if username not in self.users:
            print("Invalid username or password")
            return False
        
        user = self.users[username]
        
        # Check for too many failed attempts
        if user.get("login_attempts", 0) >= 5:
            last_attempt = user.get("last_attempt_time", 0)
            if time.time() - last_attempt < 300:  # 5 minute lockout
                print("Account temporarily locked due to too many failed attempts.")
                print(f"Try again in {int(300 - (time.time() - last_attempt))} seconds")
                return False
            else:
                # Reset counter after lockout period
                user["login_attempts"] = 0
        
        # Verify password
        if bcrypt.checkpw(password.encode(), user["password"].encode()):
            # Password correct, proceed to 2FA
            self.current_user = username
            return True
        else:
            # Password incorrect, increment attempt counter
            user["login_attempts"] = user.get("login_attempts", 0) + 1
            user["last_attempt_time"] = time.time()
            self._save_users()
            print("Invalid username or password")
            return False
    
    def login_step2(self, totp_code):
        """Second authentication factor: TOTP"""
        if not self.current_user:
            print("Must complete first authentication step")
            return False
        
        user = self.users[self.current_user]
        totp = pyotp.TOTP(user["totp_secret"])
        
        if totp.verify(totp_code):
            # TOTP verified, create session
            user["totp_verified"] = True
            user["login_attempts"] = 0
            user["last_login"] = time.time()
            self._save_users()
            
            # Generate session token
            self.session_token = self._generate_token()
            
            print(f"Successfully logged in as {self.current_user}")
            return True
        else:
            print("Invalid verification code")
            return False
    
    def _generate_token(self):
        """Generate secure session token"""
        expiry_time = int(time.time()) + 3600  # 1 hour expiry
        token_data = f"{self.current_user}:{expiry_time}"
        signature = hmac.new(
            self.secret_key.encode(),
            token_data.encode(),
            hashlib.sha256
        ).hexdigest()
        return f"{token_data}:{signature}"
    
    def verify_session(self):
        """Verify current session is valid"""
        if not self.session_token:
            return False
        
        try:
            parts = self.session_token.split(":")
            username = parts[0]
            expiry_time = int(parts[1])
            signature = parts[2]
            
            # Check expiration
            if time.time() > expiry_time:
                print("Session expired, please login again")
                self.logout()
                return False
            
            # Verify signature
            token_data = f"{username}:{expiry_time}"
            expected_signature = hmac.new(
                self.secret_key.encode(),
                token_data.encode(),
                hashlib.sha256
            ).hexdigest()
            
            if hmac.compare_digest(expected_signature, signature):
                return True
            
            print("Invalid session, please login again")
            self.logout()
            return False
        except:
            print("Session error, please login again")
            self.logout()
            return False
    
    def logout(self):
        """End user session"""
        self.session_token = None
        self.current_user = None
        print("Logged out successfully")
    
    def change_password(self, current_password, new_password):
        """Change user password with verification"""
        if not self.verify_session():
            return False
        
        user = self.users[self.current_user]
        
        # Verify current password
        if not bcrypt.checkpw(current_password.encode(), user["password"].encode()):
            print("Current password is incorrect")
            return False
        
        # Check password strength
        if len(new_password) < 8:
            print("Password must be at least 8 characters")
            return False
        
        # Update password
        salt = bcrypt.gensalt()
        hashed_pw = bcrypt.hashpw(new_password.encode(), salt)
        user["password"] = hashed_pw.decode()
        self._save_users()
        
        print("Password changed successfully")
        return True
    
    def reset_totp(self):
        """Reset TOTP for current user"""
        if not self.verify_session():
            return False
        
        user = self.users[self.current_user]
        
        # Generate new TOTP secret
        totp_secret = pyotp.random_base32()
        user["totp_secret"] = totp_secret
        user["totp_verified"] = False
        self._save_users()
        
        # Generate QR code for TOTP setup
        totp_uri = pyotp.totp.TOTP(totp_secret).provisioning_uri(
            name=self.current_user,
            issuer_name="Secure Auth Workshop"
        )
        
        print("\nTOTP reset successfully!")
        print("\n--- IMPORTANT: NEW TOTP SETUP ---")
        print("Scan this QR code with your authenticator app")
        print("Or manually enter this secret key:", totp_secret)
        
        # Generate ASCII QR code
        qr = qrcode.QRCode()
        qr.add_data(totp_uri)
        qr.make(fit=True)
        
        f = StringIO()
        qr.print_ascii(out=f)
        f.seek(0)
        print(f.read())
        
        return True


def main_menu():
    auth_system = SecureAuthSystem()
    
    while True:
        print("\n=== Secure Authentication System ===")
        print("1. Register")
        print("2. Login")
        print("3. Exit")
        
        choice = input("Select an option: ")
        
        if choice == "1":
            username = input("Enter username: ")
            password = getpass.getpass("Enter password: ")
            confirm_pw = getpass.getpass("Confirm password: ")
            
            if password != confirm_pw:
                print("Passwords don't match!")
                continue
            
            auth_system.register_user(username, password)
        
        elif choice == "2":
            username = input("Enter username: ")
            password = getpass.getpass("Enter password: ")
            
            if auth_system.login_step1(username, password):
                totp_code = input("Enter verification code from your authenticator app: ")
                if auth_system.login_step2(totp_code):
                    user_menu(auth_system)
        
        elif choice == "3":
            print("Goodbye!")
            break
        else:
            print("Invalid option!")


def user_menu(auth_system):
    while auth_system.verify_session():
        print(f"\n=== Welcome {auth_system.current_user} ===")
        print("1. View Account Info")
        print("2. Change Password")
        print("3. Reset TOTP")
        print("4. Logout")
        
        choice = input("Select an option: ")
        
        if choice == "1":
            user = auth_system.users[auth_system.current_user]
            print("\n=== Account Information ===")
            print(f"Username: {auth_system.current_user}")
            print(f"Account Created: {time.ctime(user['created_at'])}")
            if user.get('last_login'):
                print(f"Last Login: {time.ctime(user['last_login'])}")
        
        elif choice == "2":
            current_pw = getpass.getpass("Enter current password: ")
            new_pw = getpass.getpass("Enter new password: ")
            confirm_pw = getpass.getpass("Confirm new password: ")
            
            if new_pw != confirm_pw:
                print("New passwords don't match!")
                continue
            
            auth_system.change_password(current_pw, new_pw)
        
        elif choice == "3":
            confirm = input("Are you sure you want to reset your TOTP? (y/n): ")
            if confirm.lower() == 'y':
                auth_system.reset_totp()
        
        elif choice == "4":
            auth_system.logout()
            break
        else:
            print("Invalid option!")


if __name__ == "__main__":
    print("Starting Secure Authentication System...")
    main_menu()