fix: Use passlib for totp_secret #94
Conversation
code = str(onetimepass.get_totp(totp_secret))
session = get_session(response)
# This shows how dangerous it is to have even an encrypted totp_secret
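Review bot: `code = str(onetimepass.get_totp(totp_secret))` still derives the test code with onetimepass, the package the PR title and description replace with passlib as unmaintained; if this line survives the change, switch it to passlib's TOTP so the test suite does not keep the dropped dependency. The comment on this fragment makes the same point the description does: whatever holds `totp_secret` here (the session read on the next line) is enough to produce valid codes, so the test would be stronger if it also asserted that the session no longer carries the raw secret after login and that the two-factor session elements are gone after logout, as the description says they now are.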
I am unsure of any other way to provide the verification of the second layer. I'm sure there's a way, I just don't know what it is.
Maybe just store it on the user model and call it from there?
That was my thought as well - but need to look into it more.
When I go through views (next issue) I'll look into this. I would like to be able to make 2FA per-user - I don't really see any reason that it isn't stored immediately in the user model - but I'll have to trace through a bunch of code...
Looks good. I don't think pyqrcode is maintained anymore either. The package https://github.com/lincolnloop/python-qrcode looks to be up to date. This is probably another pull though.
I say merge it.
Interesting - the passlib tutorial actually still references pyqrcode...
onetimepass seems to be unmaintained - and more importantly totp_secret was being stored in the DB in the clear as well as in the session cookie in the clear. That is a big security hole. passlib has an easy way to encrypt these.
Also:
- updated docs
- make sure that on logout, all two factor session elements are cleared out
- Using two-factor now requires a TWO_FACTOR_SECRET as defined by passlib
This change requires the setting of TWO_FACTOR_SECRET, and installing the cryptography package.
closes: #89
These changes look good. Should the encrypt_password function be removed entirely and not just from the docs?
The last release was in June 2016. It works for what it's used for. I don't think that the QR codes are necessarily an issue though since they only appear during setup.