chg: [website] When 2FA is not enforced the user has the possibility …

…to not use it.
cve-search · Jul 30, 2024 · fedf631 · fedf631
1 parent fef94c6
commit fedf631
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 5 deletions.
diff --git a/config/website.py.sample b/config/website.py.sample
@@ -32,6 +32,7 @@ PLATFORM_URL = "https://vulnerability.circl.lu"
 
 
 # #### Misc ####
+ENFORCE_2FA = True
 SELF_REGISTRATION = True
 FEED_MAX_PER_PAGE = 50
 COMMENTS_MODERATION = True

diff --git a/website/web/templates/user/edit_user.html b/website/web/templates/user/edit_user.html
@@ -19,7 +19,11 @@ <h1>Profile</h1>
   </div>
 </div>
 <hr /><br />
-<a href="{{ url_for('user_bp.delete_account', user_id=user.id) }}" class="btn btn-warning" onclick="return confirm('You are going to delete your account.');">Delete your account</a><br /><br />
+<a href="{{ url_for('user_bp.delete_account', user_id=user.id) }}" class="btn btn-warning" onclick="return confirm('You are going to delete your account.');">Delete your account</a>
+{% if not config["ENFORCE_2FA"] %}
+<a href="{{ url_for('user_bp.toggle_2FA', user_id=user.id) }}" class="btn btn-warning">{% if user.is_two_factor_authentication_enabled %}Disable{% else %}Enable{% endif %} 2FA</a>
+{% endif %}
+<br /><br />
 <p>Deleting your account will not impact any of the contributions you have previously made.</p>
 <script>
     function copyToClipboard() {

diff --git a/website/web/views/session_mgmt.py b/website/web/views/session_mgmt.py
@@ -87,7 +87,7 @@ def login() -> str | WerkzeugResponse:
     In case of successful authentication the user is redirected to the
     Two-Factor Authentication page."""
     if current_user.is_authenticated:
-        if current_user.is_two_factor_authentication_enabled:
+        if not application.config["ENFORCE_2FA"] or current_user.is_two_factor_authentication_enabled:
             flash("You are already logged in.", "info")
             return redirect(url_for("user_bp.form"))
         else:
@@ -105,13 +105,25 @@ def login() -> str | WerkzeugResponse:
             User.is_active == True,
             User.is_confirmed == True,
         ).first()
-        if not user.is_two_factor_authentication_enabled:
+        if application.config["ENFORCE_2FA"] and not user.is_two_factor_authentication_enabled:
+            # 2FA enforced and is not enabled for this user: redirect to 2FA setup
             flash(
                 "You have not enabled 2-Factor Authentication. Please enable first to login.",
                 "info",
             )
             return redirect(url_for("user_bp.setup_two_factor_auth"))
-        return redirect(url_for("user_bp.verify_two_factor_auth"))
+        elif application.config["ENFORCE_2FA"]:
+            # 2FA enforced and is enabled for this user: redirect to 2FA verification
+            return redirect(url_for("user_bp.verify_two_factor_auth"))
+        elif not application.config["ENFORCE_2FA"] and  user.is_two_factor_authentication_enabled:
+            # 2FA is not enforced but enabled for this user: redirect to 2FA verification
+            return redirect(url_for("user_bp.verify_two_factor_auth"))
+        else:
+            # 2FA is not enforced and not enabled for this user: login the user
+            session.pop("username", None)
+            login_user_bundle(user)
+            return redirect(url_for("user_bp.form"))
+
 
     return render_template("user/login.html", form=form)
 

diff --git a/website/web/views/user.py b/website/web/views/user.py
@@ -139,6 +139,30 @@ def generate_apikey() -> WerkzeugResponse:
     return redirect(url_for("user_bp.form"))
 
 
+@user_bp.route("/toggle_2fa", methods=["GET"])
+@login_required  # type: ignore[misc]
+def toggle_2FA() -> WerkzeugResponse:
+    """Toggle 2FA."""
+    if application.config["ENFORCE_2FA"]:
+        flash("Impossible to disable Two-Factor Authentication.", "success")
+        return redirect(url_for("user_bp.form"))
+    user = User.query.filter(User.id == current_user.id).first()
+    if user is None:
+        abort(404)
+    user.is_two_factor_authentication_enabled = not user.is_two_factor_authentication_enabled
+    db.session.commit()
+    if user.is_two_factor_authentication_enabled:
+        session["username"] = user.login
+        flash(
+            "Configure Two-Factor Authentication.",
+            "info",
+        )
+        return redirect(url_for("user_bp.setup_two_factor_auth"))
+    else:
+        flash("Two-Factor Authentication disabled.", "success")
+        return redirect(url_for("user_bp.form"))
+
+
 @user_bp.route("/delete_account", methods=["GET"])
 @login_required  # type: ignore[misc]
 def delete_account() -> WerkzeugResponse:
@@ -191,7 +215,7 @@ def confirm_account(token: str = "") -> str | WerkzeugResponse:
             flash("Password must be the same.", "danger")
             return render_template("user/account_recovery_set_password.html", form=form)
 
-        if not user.is_two_factor_authentication_enabled:
+        if application.config["ENFORCE_2FA"] and not user.is_two_factor_authentication_enabled:
             session["username"] = user.login
             return redirect(url_for("user_bp.setup_two_factor_auth"))