Check token after user/pwd

peya02 · July 21, 2023, 12:10pm

Hello,
I have the following login code where, apart from verifying the username/password, I also later verify a token. Now what I would like would be that after verifying the password, redirect to another page (template to enter token) and write the token there, later if it is correct then redirect to home.
it’s possible?

def login():
    if request.method=='POST':
        user = request.form['username']
        key = "****"
        totp = pyotp.TOTP(key)
        user = User(0,request.form['username'],request.form['password'])
        logged_user=ModelUser.login(db,user)
        if logged_user != None:
            if logged_user.password:
                login_user(logged_user)
                code = request.form['code']
                if totp.verify(code) == True:
                    return redirect(url_for('home'))
                else:
                    flash("Token inválido")
                    return render_template('auth/login.html')
            else:
                flash("Contraseña inválida")
                return render_template('auth/login.html')
        else:
            flash("Usuario no encontrado")
            return render_template('auth/login.html')
    else:
        return render_template('auth/login.html')

Thank you

barry-scott · July 21, 2023, 7:14pm

You need to establish a “session”. That can be done by setting a cookie.
After the POST return a HTTP 302 page that also sets the cookie.
Look for the cookie on the code that handles the token.

Take care to encrypt the data in the cookie so that you do not get hacked.

peya02 · July 24, 2023, 6:15am

I don’t quite understand what you’re saying.
In my code I already establish an encrypted session, when you say after the POST return an http 302 (redirect), where would it be?
Would the redirection you mention be something like this?

return redirect(url_for('token'))

Later that line would send to a template where a code would be put that would validate.
But, I don’t know how I would return that code from the template so that it would return to the previous code and finally redirect to home if it was the correct case or login if I had written the code incorrectly.

barry-scott · July 24, 2023, 7:07am

I do not know what you have as an “encrypted session”.
The usual problem is that each http request is unrelated to any other.
Setting a cookie is one way to show that a sequence of http requests are related.

What happens if two users are accessing your service at the same time?
How do associate each users http requests?
How do you stop one users login being used by another user?