django-pfx 1.4.dev46__tar.gz → 1.4.dev50__tar.gz

{django_pfx-1.4.dev46 → django_pfx-1.4.dev50}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev46
+Version: 1.4.dev50
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django_pfx-1.4.dev46 → django_pfx-1.4.dev50}/django_pfx.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev46
+Version: 1.4.dev50
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django_pfx-1.4.dev46 → django_pfx-1.4.dev50}/doc/source/authentication.md

@@ -97,6 +97,10 @@ class MyUser(OtpUserMixin, AbstractPFXBaseUser):
 * `PFX_TOKEN_OTP_VALIDITY`: Validity for OTP tokens (corresponds to the maximum time to enter
   an OTP code after logging in with a password) (optional, default `{'minutes': 15}`)
 * `PFX_HOTP_CODE_VALIDITY`: Validity of HOTP codes in minutes (used to send code by email) (optional, default `15`).
+* `PFX_OTP_VALID_WINDOW`: TOTP valid window (optional, default `1`).
+  According to [RFC 6238 section 5.2](https://www.ietf.org/rfc/rfc6238.html#section-5.2).
+* `PFX_OTP_IMAGE`: An image https URL used by FreeOTP. See [FreeOTP URI](https://github.com/npmccallum/freeotp-android/blob/master/URI.md).
+* `PFX_OTP_COLOR`: A brand color (in RRGGBB format) for used by FreeOTP. See [FreeOTP URI](https://github.com/npmccallum/freeotp-android/blob/master/URI.md).
 
 The user can then enable or disable the OTP auth using the [services documented below](#enable-mfa-otp).
 

{django_pfx-1.4.dev46 → django_pfx-1.4.dev50}/pfx/pfxcore/default_settings.py

@@ -2,7 +2,9 @@ PFX_TOKEN_SHORT_VALIDITY = {'hours': 12}
 PFX_TOKEN_LONG_VALIDITY = {'days': 30}
 PFX_TOKEN_OTP_VALIDITY = {'minutes': 15}
 PFX_HOTP_CODE_VALIDITY = 15
+PFX_OTP_VALID_WINDOW = 1
 PFX_OTP_IMAGE = None
+PFX_OTP_COLOR = None
 
 PFX_COOKIE_DOMAIN = None
 PFX_COOKIE_SECURE = True

{django_pfx-1.4.dev46 → django_pfx-1.4.dev50}/pfx/pfxcore/models/otp_user_mixin.py

@@ -65,7 +65,7 @@ class OtpUserMixin(models.Model):
         self.otp_secret_token = None
         self.save(update_fields=['otp_secret_token'])
 
-    def get_otp_setup_uri(self, tmp=False):
+    def get_otp_setup_uri(self, tmp=False, with_color=True):
         """Return the setup URL for OTP activation.
         """
         import pyotp
@@ -73,9 +73,14 @@ class OtpUserMixin(models.Model):
             name=self.get_username(), issuer_name=settings.PFX_SITE_NAME)
         if settings.PFX_OTP_IMAGE:
             args['image'] = settings.PFX_OTP_IMAGE
-        return pyotp.totp.TOTP(
+        uri = pyotp.totp.TOTP(
             tmp and self.otp_secret_token_tmp or
             self.otp_secret_token).provisioning_uri(**args)
+        if with_color and settings.PFX_OTP_COLOR:
+            # TODO: Can be put in provisioning_uri args if
+            # https://github.com/pyauth/pyotp/pull/164 is merge and published.
+            uri = f"{uri}&color={settings.PFX_OTP_COLOR}"
+        return uri
 
     def is_otp_valid(self, otp_code, tmp=False):
         """Verify an OTP code.
@@ -86,8 +91,13 @@ class OtpUserMixin(models.Model):
         :returns: `True` if the code is valid, `False` otherwise.
         """
         import pyotp
-        totp = pyotp.parse_uri(self.get_otp_setup_uri(tmp=tmp))
-        valid = totp.verify(otp_code)
+
+        # TODO : The with_color paramter can be removed if
+        # https://github.com/pyauth/pyotp/pull/164 is merge and published.
+        totp = pyotp.parse_uri(
+            self.get_otp_setup_uri(tmp=tmp, with_color=False))
+        valid = totp.verify(
+            otp_code, valid_window=settings.PFX_OTP_VALID_WINDOW)
         if not valid and timezone.now() <= self.hotp_expiry:
             hotp = pyotp.hotp.HOTP(
                 tmp and self.otp_secret_token_tmp or

{django_pfx-1.4.dev46 → django_pfx-1.4.dev50}/tests/tests/test_auth_api.py

@@ -8,6 +8,7 @@ from django.conf import settings
 from django.contrib.auth.tokens import default_token_generator
 from django.core import mail
 from django.test import TransactionTestCase, modify_settings, override_settings
+from django.utils import timezone
 from django.utils.encoding import force_bytes
 from django.utils.http import urlsafe_base64_encode
 
@@ -894,7 +895,9 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
         self.assertRC(response, 200)
         self.client.token = self.get_val(response, 'token')
 
-    @override_settings(PFX_OTP_IMAGE="https://example.org/fake.png")
+    @override_settings(
+        PFX_OTP_IMAGE="https://example.org/fake.png",
+        PFX_OTP_COLOR="FF0000")
     def test_otp_enable(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
@@ -904,6 +907,7 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
         self.assertJIn(response, 'setup_uri', "otpauth://totp/")
         self.assertJIn(response, 'setup_uri', "Books%20Demo:jrr.tolkien")
         self.assertJIn(response, 'setup_uri', "issuer=Books%20Demo")
+        self.assertJIn(response, 'setup_uri', "color=FF0000")
         self.assertJIn(
             response, 'setup_uri',
             "image=https%3A%2F%2Fexample.org%2Ffake.png")
@@ -1088,6 +1092,51 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
                 datetime.fromtimestamp(decoded['exp']),
                 datetime(2023, 5, 2, 8, 10))
 
+    @override_settings(
+        PFX_OTP_VALID_WINDOW=0,
+        PFX_TOKEN_SHORT_VALIDITY={'minutes': 30})
+    def test_otp_login_valid_window_0(self):
+        totp = self.enable_otp(self.user1)
+
+        with freeze_time("2023-05-01 08:00:00"):
+            response = self.client.post('/api/auth/login', dict(
+                username='jrr.tolkien',
+                password='RIGHT PASSWORD'))
+            self.assertRC(response, 200)
+            token = self.get_val(response, 'token')
+
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=token, otp_code=totp.at(
+                    timezone.now() - timedelta(seconds=1))))
+            self.assertRC(response, 422)
+
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=token, otp_code=totp.at(timezone.now())))
+            self.assertRC(response, 200)
+
+    @override_settings(
+        PFX_OTP_VALID_WINDOW=1,
+        PFX_TOKEN_SHORT_VALIDITY={'minutes': 30})
+    def test_otp_login_valid_window_1(self):
+        totp = self.enable_otp(self.user1)
+
+        with freeze_time("2023-05-01 08:00:00"):
+            response = self.client.post('/api/auth/login', dict(
+                username='jrr.tolkien',
+                password='RIGHT PASSWORD'))
+            self.assertRC(response, 200)
+            token = self.get_val(response, 'token')
+
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=token, otp_code=totp.at(
+                    timezone.now() - timedelta(seconds=31))))
+            self.assertRC(response, 422)
+
+            response = self.client.post('/api/auth/otp/login', dict(
+                token=token, otp_code=totp.at(
+                    timezone.now() - timedelta(seconds=30))))
+            self.assertRC(response, 200)
+
     @override_settings(
         PFX_TOKEN_SHORT_VALIDITY={'minutes': 30},
         PFX_LOGIN_BAN_FAILED_NUMBER=2,