django-pfx 1.4.dev22__tar.gz → 1.4.dev26__tar.gz

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev22
+Version: 1.4.dev26
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/django_pfx.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev22
+Version: 1.4.dev26
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/django_pfx.egg-info/SOURCES.txt

@@ -72,6 +72,8 @@ pfx/pfxcore/serializers/__init__.py
 pfx/pfxcore/serializers/json.py
 pfx/pfxcore/storage/__init__.py
 pfx/pfxcore/storage/s3_storage.py
+pfx/pfxcore/templates/registration/otp_code_email.txt
+pfx/pfxcore/templates/registration/otp_code_subject.txt
 pfx/pfxcore/templates/registration/password_reset_email.txt
 pfx/pfxcore/templates/registration/password_reset_subject.txt
 pfx/pfxcore/templates/registration/welcome_email.txt

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/default_settings.py

@@ -1,6 +1,7 @@
 PFX_TOKEN_SHORT_VALIDITY = {'hours': 12}
 PFX_TOKEN_LONG_VALIDITY = {'days': 30}
 PFX_TOKEN_OTP_VALIDITY = {'minutes': 15}
+PFX_HOTP_CODE_VALIDITY = 15
 
 PFX_COOKIE_DOMAIN = None
 PFX_COOKIE_SECURE = True

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/locale/fr/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-03-28 11:03+0100\n"
+"POT-Creation-Date: 2024-04-08 13:51+0200\n"
 "PO-Revision-Date: 2021-06-22 23:31+0200\n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -59,14 +59,42 @@ msgstr ""
 "Format non valide, il peut s’agir d’un nombre en heures, « 1:05 », « :05 », "
 "« 1h 5m », « 1.5h » ou « 30m »."
 
-#: models/otp_user_mixin.py:8
+#: models/login_ban.py:45
+msgid "Username"
+msgstr "Nom d’utilisateur"
+
+#: models/login_ban.py:46
+msgid "Failed counter"
+msgstr "Compteur d’échec"
+
+#: models/login_ban.py:47
+msgid "Last failed"
+msgstr "Dernier échec"
+
+#: models/login_ban.py:52
+msgid "Login ban"
+msgstr "Login banni"
+
+#: models/login_ban.py:53
+msgid "Login bans"
+msgstr "Login bannis"
+
+#: models/otp_user_mixin.py:10
 msgid "OTP secret token"
 msgstr "Jeton secret OTP"
 
-#: models/otp_user_mixin.py:11
+#: models/otp_user_mixin.py:13
 msgid "Temporary OTP secret token"
 msgstr "Jeton secret OTP temporaire"
 
+#: models/otp_user_mixin.py:14
+msgid "HOTP count"
+msgstr "Compte HOTP"
+
+#: models/otp_user_mixin.py:15
+msgid "HOTP expiry"
+msgstr "Expiration HOTP"
+
 #: models/pfx_models.py:14
 #, python-format
 msgid "%(model_name)s with this %(field_labels)s already exists."
@@ -92,6 +120,41 @@ msgstr "{key} doit être une date."
 msgid "{key} must be “true”, “false”, “1”, “0” or empty."
 msgstr "{key} doit être « true », « false », « 1 », « 0 » ou vide"
 
+#: templates/registration/otp_code_email.txt:2
+#, python-format
+msgid ""
+"You're receiving this email because you requested an authentication code at "
+"%(site_name)s."
+msgstr ""
+"Vous recevez cet e-mail parce que vous avez demandé un code d’authentication "
+"sur %(site_name)s."
+
+#: templates/registration/otp_code_email.txt:4
+msgid "Authentication code:"
+msgstr "Code d’authentication :"
+
+#: templates/registration/otp_code_email.txt:6
+#, python-format
+msgid "This code is valid for %(otp_validity)s minutes."
+msgstr "Ce code est valable durant %(otp_validity)s minutes."
+
+#: templates/registration/otp_code_email.txt:8
+#: templates/registration/password_reset_email.txt:10
+#: templates/registration/welcome_email.txt:10
+msgid "Thanks for using our site!"
+msgstr "Merci d'utiliser notre site !"
+
+#: templates/registration/otp_code_email.txt:10
+#: templates/registration/password_reset_email.txt:12
+#: templates/registration/welcome_email.txt:12
+#, python-format
+msgid "The %(site_name)s team"
+msgstr "L'équipe de %(site_name)s"
+
+#: templates/registration/otp_code_subject.txt:2
+msgid "New authentication code for %(site_name)s"
+msgstr "Nouveau code d’authentication pour %(site_name)s"
+
 #: templates/registration/password_reset_email.txt:2
 #, python-format
 msgid ""
@@ -113,17 +176,6 @@ msgstr ""
 msgid "Your username, in case you've forgotten:"
 msgstr "Votre nom d'utilisateur, au cas où vous l'auriez oublié :"
 
-#: templates/registration/password_reset_email.txt:10
-#: templates/registration/welcome_email.txt:10
-msgid "Thanks for using our site!"
-msgstr "Merci d'utiliser notre site !"
-
-#: templates/registration/password_reset_email.txt:12
-#: templates/registration/welcome_email.txt:12
-#, python-format
-msgid "The %(site_name)s team"
-msgstr "L'équipe de %(site_name)s"
-
 #: templates/registration/password_reset_subject.txt:2
 #, python-format
 msgid "Password reset on %(site_name)s"
@@ -139,43 +191,52 @@ msgstr "Bienvenue sur %(site_name)s."
 msgid "Welcome on %(site_name)s"
 msgstr "Bienvenue sur %(site_name)s"
 
-#: views/authentication_views.py:221 views/authentication_views.py:378
+#: views/authentication_views.py:82
+#, python-brace-format
+msgid ""
+"Your connection is temporarily disabled after several unsuccessful attempts, "
+"please retry in {seconds} seconds."
+msgstr ""
+"Votre connexion est temporairement désactivée après plusieurs tentatives "
+"infructueuses, veuillez réessayer dans {seconds} secondes."
+
+#: views/authentication_views.py:244 views/authentication_views.py:407
 msgid "password updated successfully"
 msgstr "le mot de passe a été mis à jour avec succès"
 
-#: views/authentication_views.py:226
+#: views/authentication_views.py:249
 msgid "Incorrect password"
 msgstr "Mot de passe incorrect"
 
-#: views/authentication_views.py:229 views/authentication_views.py:387
+#: views/authentication_views.py:252 views/authentication_views.py:416
 msgid "Empty password is not allowed"
 msgstr "Un mot de passe vide n’est pas autorisé"
 
-#: views/authentication_views.py:313
+#: views/authentication_views.py:341
 msgid "User and token are valid"
 msgstr "L'utilisateur et le token sont valides"
 
-#: views/authentication_views.py:315
+#: views/authentication_views.py:343
 msgid "User or token is invalid"
 msgstr "L'utilisateur ou le token est invalide"
 
-#: views/authentication_views.py:420
+#: views/authentication_views.py:449
 msgid "OTP is already activated"
 msgstr "L'OTP est déjà activé"
 
-#: views/authentication_views.py:458
+#: views/authentication_views.py:487
 msgid "OTP is activated"
 msgstr "L'OTP est activé"
 
-#: views/authentication_views.py:459 views/authentication_views.py:493
+#: views/authentication_views.py:488 views/authentication_views.py:522
 msgid "Invalid OTP code"
 msgstr "Code OTP invalide"
 
-#: views/authentication_views.py:492
+#: views/authentication_views.py:521
 msgid "OTP is disabled"
 msgstr "L'OTP est désactivé"
 
-#: views/authentication_views.py:740
+#: views/authentication_views.py:777
 msgid ""
 "If the email address you entered is correct, you will receive an email from "
 "us with instructions to reset your password."
@@ -184,6 +245,10 @@ msgstr ""
 "un courrier électronique de notre part contenant des instructions pour "
 "réinitialiser votre mot de passe."
 
+#: views/authentication_views.py:845
+msgid "A new authentication code has been sent by email."
+msgstr "Un nouveau code d'authentification a été envoyé par e-mail."
+
 #: views/filters_views.py:79
 #, python-brace-format
 msgid "Invalid value for {filter} filter"

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/middleware/authentication.py

@@ -30,13 +30,29 @@ class JWTTokenDecodeMixin:
         return user
 
     @classmethod
-    def decode_jwt(cls, token, otp_login=False):
+    def decode_jwt_header(cls, token):
         try:
             headers = jwt.get_unverified_header(token)
             if 'pfx_user_pk' not in headers:
                 raise jwt.InvalidTokenError(
                     "Missing pfx_user_pk in token headers")
-            user = cls.get_cached_user(headers['pfx_user_pk'])
+            return headers['pfx_user_pk']
+        except (jwt.ExpiredSignatureError,
+                jwt.InvalidTokenError, jwt.InvalidSignatureError,
+                DecodeError) as e:
+            # Log these exceptions only in debug mode
+            logger.debug(e, exc_info=True)
+            raise
+        except Exception as e:
+            # Always logs unexpected exceptions
+            logger.exception(e)
+            raise
+
+    @classmethod
+    def decode_jwt(cls, token, otp_login=False):
+        user_pk = cls.decode_jwt_header(token)
+        try:
+            user = cls.get_cached_user(user_pk)
             decoded = jwt.decode(
                 token,
                 user.get_user_jwt_signature_key() + settings.PFX_SECRET_KEY,
@@ -49,11 +65,12 @@ class JWTTokenDecodeMixin:
                     "This token is reserved for OTP login")
             return user
         except (get_user_model().DoesNotExist, jwt.ExpiredSignatureError,
-                jwt.InvalidTokenError, jwt.InvalidSignatureError) as e:
+                jwt.InvalidTokenError, jwt.InvalidSignatureError,
+                DecodeError) as e:
             # Log these exceptions only in debug mode
             logger.debug(e, exc_info=True)
             raise
-        except (DecodeError, Exception) as e:
+        except Exception as e:
             # Always logs unexpected exceptions
             logger.exception(e)
             raise
@@ -72,11 +89,11 @@ class AuthenticationMiddleware(JWTTokenDecodeMixin, MiddlewareMixin):
         authorization = request.headers.get('Authorization')
         if authorization:
             try:
-                _, key = authorization.split("Bearer ")
+                _, token = authorization.split("Bearer ")
             except ValueError:
-                key = None
+                token = ""
             try:
-                request.user = self.decode_jwt(key)
+                request.user = self.decode_jwt(token)
             except Exception:
                 request.user = AnonymousUser()
         else:
@@ -102,10 +119,10 @@ class CookieAuthenticationMiddleware(JWTTokenDecodeMixin, MiddlewareMixin):
     """
 
     def process_request(self, request):
-        key = request.COOKIES.get('token')
-        if key:
+        token = request.COOKIES.get('token', "")
+        if token:
             try:
-                request.user = self.decode_jwt(key)
+                request.user = self.decode_jwt(token)
             except Exception:
                 request.user = AnonymousUser()
                 request.delete_cookie = True

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/models/otp_user_mixin.py

@@ -1,7 +1,13 @@
-from django.conf import settings
+from datetime import timedelta
+
 from django.db import models
+from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
+from pfx.pfxcore.settings import PFXSettings
+
+settings = PFXSettings()
+
 
 class OtpUserMixin(models.Model):
     otp_secret_token = models.CharField(
@@ -9,6 +15,8 @@ class OtpUserMixin(models.Model):
         blank=True, unique=True)
     otp_secret_token_tmp = models.CharField(
         _("Temporary OTP secret token"), max_length=32, null=True, blank=True)
+    hotp_count = models.IntegerField(_("HOTP count"), default=0)
+    hotp_expiry = models.DateTimeField(_("HOTP expiry"), default=timezone.now)
 
     class Meta:
         abstract = True
@@ -41,8 +49,25 @@ class OtpUserMixin(models.Model):
     def is_otp_valid(self, otp_code, tmp=False):
         import pyotp
         totp = pyotp.parse_uri(self.get_otp_setup_uri(tmp=tmp))
-        return totp.verify(otp_code)
+        valid = totp.verify(otp_code)
+        if not valid and timezone.now() <= self.hotp_expiry:
+            hotp = pyotp.hotp.HOTP(
+                tmp and self.otp_secret_token_tmp or
+                self.otp_secret_token)
+            return hotp.verify(otp_code, self.hotp_count)
+        return valid
 
     def get_user_jwt_signature_key(self):
         return super().get_user_jwt_signature_key() + (
             self.otp_secret_token or "")
+
+    def get_hotp_code(self):
+        import pyotp
+        if not self.otp_secret_token:
+            raise Exception("OTP disabled")
+        self.hotp_count += 1
+        self.hotp_expiry = timezone.now() + timedelta(
+            minutes=settings.PFX_HOTP_CODE_VALIDITY)
+        self.save(update_fields=[
+            'hotp_count', 'hotp_expiry'])
+        return pyotp.hotp.HOTP(self.otp_secret_token).at(self.hotp_count)

django-pfx-1.4.dev26/pfx/pfxcore/templates/registration/otp_code_email.txt

@@ -0,0 +1,12 @@
+{% load i18n %}{% autoescape off %}
+{% blocktrans %}You're receiving this email because you requested an authentication code at {{ site_name }}.{% endblocktrans %}
+
+{% trans "Authentication code:" %} {{ otp_code }}
+
+{% blocktrans %}This code is valid for {{ otp_validity }} minutes.{% endblocktrans %}
+
+{% trans "Thanks for using our site!" %}
+
+{% blocktrans %}The {{ site_name }} team{% endblocktrans %}
+
+{% endautoescape %}

django-pfx-1.4.dev26/pfx/pfxcore/templates/registration/otp_code_subject.txt

@@ -0,0 +1,3 @@
+{% load i18n %}{% autoescape off %}
+{% blocktrans %}New authentication code for {{ site_name }}{% endblocktrans %}
+{% endautoescape %}

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/urls.py

@@ -4,4 +4,5 @@ urlpatterns = register_views(
     views.LocaleRestView,
     views.AuthenticationView,
     views.SignupView,
-    views.ForgottenPasswordView)
+    views.ForgottenPasswordView,
+    views.OtpEmailView)

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/views/__init__.py

@@ -1,6 +1,7 @@
 from .authentication_views import (
     AuthenticationView,
     ForgottenPasswordView,
+    OtpEmailView,
     SendMessageTokenMixin,
     SignupView,
 )

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/pfx/pfxcore/views/authentication_views.py

@@ -261,9 +261,7 @@ class AuthenticationView(
         return jwt.encode(
             payload,
             user.get_user_jwt_signature_key() + settings.PFX_SECRET_KEY,
-            headers=dict(
-                pfx_user_pk=user.pk,
-                username=user.get_username()),
+            headers=dict(pfx_user_pk=user.pk),
             algorithm="HS256")
 
     def get_extra_payload(self, user):
@@ -417,7 +415,7 @@ class AuthenticationView(
         raise UnauthorizedError()
 
     @method_decorator(never_cache)
-    @rest_api("/otp/activate", public=False, method="put")
+    @rest_api("/otp/activate", public=False, method="put", priority_doc=52)
     def otp_activate(self, *args, **kwargs):
         """Entrypoint for :code:`PUT /otp/activate` route.
 
@@ -453,7 +451,7 @@ class AuthenticationView(
 
     @method_decorator(never_cache)
     @rest_api(
-        "/otp/confirm", public=False, method="put",
+        "/otp/confirm", public=False, method="put", priority_doc=53,
         response_schema='message_schema')
     def otp_confirm(self, *args, **kwargs):
         """Entrypoint for :code:`PUT /otp/confirm` route.
@@ -488,7 +486,7 @@ class AuthenticationView(
         return JsonResponse(dict(message=_("Invalid OTP code")), status=422)
 
     @method_decorator(never_cache)
-    @rest_api("/otp/disable", public=False, method="put")
+    @rest_api("/otp/disable", public=False, method="put", priority_doc=54)
     def otp_disable(self, *args, **kwargs):
         """Entrypoint for :code:`PUT /otp/disable` route.
 
@@ -523,7 +521,7 @@ class AuthenticationView(
 
     @method_decorator(never_cache)
     @rest_api(
-        "/otp/login", public=True, method="post",
+        "/otp/login", public=True, method="post", priority_doc=50,
         response_schema='login_schema')
     def otp_login(self, *args, **kwargs):
         """Entrypoint for :code:`PUT /otp/login` route.
@@ -557,12 +555,15 @@ class AuthenticationView(
                     description: If the token is missing, invalid or expired.
                 403:
                     description: If the OTP is disabled for this user.
-
         """
         data = self.deserialize_body()
-        token = data.get('token')
-        username = jwt.get_unverified_header(token).get('username')
-        ban_dt = LoginBan.objects.is_ban(username)
+        token = data.get('token', "")
+        try:
+            user_pk = self.decode_jwt_header(token)
+            ban_key = f"otp_{user_pk}"
+        except Exception:
+            raise UnauthorizedError()
+        ban_dt = LoginBan.objects.is_ban(ban_key)
         if ban_dt:
             return self.login_ban_response(ban_dt)
         try:
@@ -575,9 +576,9 @@ class AuthenticationView(
         if not user.otp_secret_token:
             raise ForbiddenError()
         if user.is_otp_valid(data.get('otp_code')):
-            LoginBan.objects.unban(username)
+            LoginBan.objects.unban(ban_key)
             return self._login_success(user, mode, remember_me)
-        LoginBan.objects.ban(username)
+        LoginBan.objects.ban(ban_key)
         return self.login_failed_response()
 
     def get_user(self, uidb64):
@@ -779,3 +780,106 @@ class ForgottenPasswordView(SendMessageTokenMixin, BodyMixin, BaseRestView):
                          'you will receive an email from us with '
                          'instructions to reset your password.')
         })
+
+
+@rest_view("/auth/otp")
+class OtpEmailView(BodyMixin, JWTTokenDecodeMixin, BaseRestView):
+    """View for forgotten password service."""
+    #: The email template.
+    email_template_name = 'registration/otp_code_email.txt'
+    #: The email subject template.
+    subject_template_name = 'registration/otp_code_subject.txt'
+    #: The HTML email template.
+    html_email_template_name = None
+    #: Extra email context.
+    extra_email_context = None
+    #: The from value of the email.
+    from_email = None
+    #: The email field of user model.
+    email_field = 'email'
+    #: The language field of user model
+    language_field = 'language'
+    #: The ApiDoc tags.
+    tags = [AUTHENTICATION_TAG]
+
+    @method_decorator(never_cache)
+    @rest_api(
+        "/email", public=True, method="post", priority_doc=51,
+        response_schema='message_schema')
+    def sent_email(self, *args, **kwargs):
+        """Entrypoint for :code:`POST /email` route.
+
+        Request a new OTP code by email.
+
+        :returns: The JSON response
+        :rtype: :class:`JsonResponse`
+        ---
+        post:
+            summary: Send OTP email
+            description: Request a new OTP code by email.
+            requestBody:
+                content:
+                    application/json:
+                        schema:
+                            properties:
+                                token:
+                                    type: string
+                                    description: a valid JWT user token. This
+                                        is required only if the user is not
+                                        already connected (with a Bearer token
+                                        or a Cookie).
+            responses:
+                401:
+                    description: If the token is missing, invalid or expired.
+                403:
+                    description: If the OTP is disabled for this user.
+        """
+        if self.request.user.is_anonymous:
+            data = self.deserialize_body()
+            try:
+                user, __, __ = self.decode_jwt(
+                    data.get('token', ""), otp_login=True)
+            except Exception:
+                raise UnauthorizedError()
+        else:
+            user = self.request.user
+        if not isinstance(user, OtpUserMixin):
+            logger.error("User must inherit OtpUserMixin to activate OTP")
+            raise NotFoundError()
+        if not user.otp_secret_token:
+            raise ForbiddenError()
+        self.send_otp_message(user)
+        return JsonResponse({
+            'message': _('A new authentication code has been sent by email.')})
+
+    def send_otp_message(self, user):
+        """Send an email to a user with an OTP code.
+
+        :param user: The user
+        """
+        from django.utils import translation
+        lang = str(getattr(user, self.language_field, settings.LANGUAGE_CODE))
+
+        otp_code = user.get_hotp_code()
+        data = {
+            'target_user': user,
+            'otp_code': otp_code,
+            'otp_validity': settings.PFX_HOTP_CODE_VALIDITY,
+            'site_name': settings.PFX_SITE_NAME,
+            'user': user,
+            **(self.extra_email_context or {})
+        }
+        with translation.override(lang):
+            subject = loader.render_to_string(self.subject_template_name, data)
+            # Email subject *must not* contain newlines
+            subject = ''.join(subject.splitlines())
+            body = loader.render_to_string(self.email_template_name, data)
+            email_message = EmailMultiAlternatives(
+                subject, body, self.from_email,
+                [getattr(user, self.email_field)])
+            if self.html_email_template_name is not None:
+                html_email = loader.render_to_string(
+                    self.html_email_template_name, data)
+                email_message.attach_alternative(
+                    html_email, 'text/html')
+            email_message.send()

{django-pfx-1.4.dev22 → django-pfx-1.4.dev26}/tests/tests/test_auth_api.py

@@ -944,6 +944,34 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
         self.assertIsNone(self.user1.otp_secret_token)
         self.assertIsNone(self.user1.otp_secret_token_tmp)
 
+    @override_settings(
+        PFX_HOTP_CODE_VALIDITY=15,
+        PFX_TOKEN_OTP_VALIDITY={'minutes': 30},)
+    def test_otp_disable_by_email(self):
+        self.enable_otp(self.user1)
+
+        self.otp_login(self.user1, 'RIGHT PASSWORD')
+
+        with freeze_time("2023-05-01 08:00:00"):
+            response = self.client.post('/api/auth/otp/email', dict())
+            self.assertRC(response, 200)
+
+            self.assertEqual(
+                mail.outbox[0].subject,
+                f'New authentication code for {settings.PFX_SITE_NAME}')
+            code_match = re.search(
+                r'Authentication code: (\d{6})', mail.outbox[0].body)
+            self.assertIsNotNone(code_match)
+            otp_code = int(code_match.group(1))
+
+            response = self.client.put('/api/auth/otp/disable', dict(
+                otp_code=otp_code))
+            self.assertRC(response, 200)
+            self.assertJE(response, 'message', "OTP is disabled")
+            self.user1.refresh_from_db()
+            self.assertIsNone(self.user1.otp_secret_token)
+            self.assertIsNone(self.user1.otp_secret_token_tmp)
+
     def test_otp_disable_bad_code(self):
         self.enable_otp(self.user1)
 
@@ -1195,3 +1223,91 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
             '/api/private/authors',
             HTTP_AUTHORIZATION='Bearer ' + login_token)
         self.assertRC(response, 200)
+
+    @override_settings(PFX_HOTP_CODE_VALIDITY=15)
+    def test_send_otp_email(self):
+        self.enable_otp(self.user1)
+
+        with freeze_time("2023-05-01 08:00:00"):
+            response = self.client.post('/api/auth/login', dict(
+                username='jrr.tolkien',
+                password='RIGHT PASSWORD'))
+            self.assertRC(response, 200)
+            self.assertJE(response, 'need_otp', True)
+            self.assertJEExists(response, 'token')
+            otp_token = self.get_val(response, 'token')
+
+            response = self.client.post('/api/auth/otp/email', dict(
+                token=otp_token))
+            self.assertRC(response, 200)
+
+            self.assertEqual(
+                mail.outbox[0].subject,
+                f'New authentication code for {settings.PFX_SITE_NAME}')
+            code_match = re.search(
+                r'Authentication code: (\d{6})', mail.outbox[0].body)
+            self.assertIsNotNone(code_match)
+            otp_code = int(code_match.group(1))
+
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=otp_token,
+                otp_code=otp_code))
+            self.assertRC(response, 200)
+            self.assertJEExists(response, 'token')
+            login_token = self.get_val(response, 'token')
+
+            # Login token is accepted
+            response = self.client.get(
+                '/api/private/authors',
+                HTTP_AUTHORIZATION='Bearer ' + login_token)
+            self.assertRC(response, 200)
+
+    @override_settings(
+        PFX_HOTP_CODE_VALIDITY=15,
+        PFX_TOKEN_OTP_VALIDITY={'minutes': 30},)
+    def test_send_otp_email_expiry(self):
+        self.enable_otp(self.user1)
+
+        with freeze_time("2023-05-01 08:00:00"):
+            response = self.client.post('/api/auth/login', dict(
+                username='jrr.tolkien',
+                password='RIGHT PASSWORD'))
+            self.assertRC(response, 200)
+            self.assertJE(response, 'need_otp', True)
+            self.assertJEExists(response, 'token')
+            otp_token = self.get_val(response, 'token')
+
+            response = self.client.post('/api/auth/otp/email', dict(
+                token=otp_token))
+            self.assertRC(response, 200)
+
+            self.assertEqual(
+                mail.outbox[0].subject,
+                f'New authentication code for {settings.PFX_SITE_NAME}')
+            code_match = re.search(
+                r'Authentication code: (\d{6})', mail.outbox[0].body)
+            self.assertIsNotNone(code_match)
+            otp_code = code_match.group(1)
+
+        with freeze_time("2023-05-01 08:15:00"):
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=otp_token,
+                otp_code=otp_code))
+            self.assertRC(response, 200)
+            self.assertJEExists(response, 'token')
+
+        with freeze_time("2023-05-01 08:15:01"):
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=otp_token,
+                otp_code=otp_code))
+            self.assertRC(response, 422)
+
+    @override_settings(
+        PFX_HOTP_CODE_VALIDITY=15,
+        PFX_TOKEN_OTP_VALIDITY={'minutes': 30},)
+    def test_send_otp_email_without_token(self):
+        self.enable_otp(self.user1)
+
+        with freeze_time("2023-05-01 08:00:00"):
+            response = self.client.post('/api/auth/otp/email', dict())
+            self.assertRC(response, 401)