add admin 2fa

TJCSec · May 5, 2016 · bf39f52 · bf39f52
1 parent 8177ce0
commit bf39f52
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 3 deletions.
diff --git a/ctftool b/ctftool
@@ -57,8 +57,9 @@ elif operation == "add-admin":
     username = input("Username: ")
     password = getpass.getpass().encode()
     pwhash = utils.admin.create_password(password)
-    AdminUser.create(username=username, password=pwhash)
-    print("AdminUser created")
+    secret = "".join([random.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567") for i in range(16)])
+    AdminUser.create(username=username, password=pwhash, secret=secret)
+    print("AdminUser created, totp key is {}".format(secret))
 
 elif operation == "scan":
     path = sys.argv[2]

diff --git a/modules/admin.py b/modules/admin.py
@@ -24,6 +24,7 @@ def admin_login():
     elif request.method == "POST":
         username = request.form["username"]
         password = request.form["password"]
+        two = request.form["two"]
         if getattr(secret, "admin_username", False):
             if username == secret.admin_username and password == secret.admin_password:
                 session["admin"] = username
@@ -32,12 +33,13 @@ def admin_login():
             try:
                 user = AdminUser.get(AdminUser.username == username)
                 result = utils.admin.verify_password(user, password)
+                result = result and utils.admin.verify_otp(user, two)
                 if result:
                     session["admin"] = user.username
                     return redirect(url_for(".admin_dashboard"))
             except AdminUser.DoesNotExist:
                 pass
-        flash("Invalid username or password.")
+        flash("Y̸̤̗͍̘ͅo͙̠͈͎͎͙̟u̺ ̘̘̘̹̩̹h͔̟̟̗͠a̠͈v͍̻̮̗̬̬̣e̟̫̼̹̠͕ ̠̳͖͡ma͈̱͟d̙͍̀ͅe̵͕̙̯̟̟̞̳ ͉͚̙a̡̱̮̫̰̰ ̜̙̝̭͚t̜̙͚̗͇ͅͅe͉r҉r̸͎̝̞̙̦̹i͏̙b̶̜̟̭͕l̗̰̰̠̳̝̕e͎̥ ̸m̰̯̮̲̘̻͍̀is̜̲̮͍͔̘͕͟t̟͈̮a̙̤͎̠ķ̝̺͇̩e̷͍̤̠͖̣͈.̺̩̦̻.")
         return render_template("admin/login.html")
 
 @admin.route("/dashboard/")

diff --git a/requirements.txt b/requirements.txt
@@ -4,3 +4,4 @@ flask
 bcrypt
 redis
 pyyaml
+oath
diff --git a/templates/admin/login.html b/templates/admin/login.html
@@ -11,6 +11,10 @@ <h2>Login</h2>
         <input id="password" name="password" type="password" />
         <label for="password">Password</label>
     </div>
+    <div class="input-field">
+        <input id="two" name="two" type="text" />
+        <label for="two">2FA</label>
+    </div>
     <input name="_csrf_token" type="hidden" value="{{ csrf_token() }}" />
     <button class="btn waves-effect waves-light" type="submit">Login</button>
 </form>

diff --git a/utils/admin.py b/utils/admin.py
@@ -1,6 +1,10 @@
 import bcrypt
+import oath
 def create_password(pw):
     return bcrypt.hashpw(pw, bcrypt.gensalt())
 
 def verify_password(user, pw):
     return bcrypt.hashpw(pw.encode(), user.password.encode()) == user.password.encode()
+
+def verify_otp(user, otp):
+    return oath.from_b32key(user.secret).accept(otp)