git Service of IN-Ulm e.V. Explore Help
Sign In
ulpeters
/
totp-auth
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 676487ba92
Branches Tags
totp-auth
/
build
/
totp
/
main.py

main.py 5.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. import http.cookies
    2. 

  2. import http.server
    3. 

  3. import socketserver
    4. 

  4. import random
    5. 

  5. import time
    6. 

  6. import os
    7. 

  7. from urllib.parse import parse_qs
    8. 

  8. from cgi import parse_header, parse_multipart
    9. 

  9. 

  10. import pyotp
    11. 

  11. 

  12. PORT = 8000
    13. 

  13. TOKEN_LIFETIME = 60 * 60 * 2
    14. 

  14. LAST_LOGIN_ATTEMPT = 0
    15. 

  15. #SECRET = open('.totp_secret').read().strip()
    16. 

  16. SECRET = os.getenv('SECRET')
    17. 

  17. SECURE_COOKIE = False
    18. 

  18. FORM = """
    19. 

  19. <html>
    20. 

  20. <head>
    21. 

  21. <title>Please Log In</title>
    22. 

  22. </head>
    23. 

  23. <body>
    24. 

  24. <form action="/auth/login" method="POST">
    25. 

  25. <input type="text" name="token">
    26. 

  26. <input type="submit" value="Submit">
    27. 

  27. </form>
    28. 

  28. </body>
    29. 

  29. </html>
    30. 

  30. """
    31. 

  31. 

  32. class TokenManager(object):
    33. 

  33.     """Who needs a database when you can just store everything in memory?"""
    34. 

  34. 

  35.     def __init__(self):
    36. 

  36.         self.tokens = {}
    37. 

  37.         self.random = random.SystemRandom()
    38. 

  38. 

  39.     def generate(self):
    40. 

  40.         t = '%064x' % self.random.getrandbits(8*32)
    41. 

  41.         self.tokens[t] = time.time()
    42. 

  42.         return t
    43. 

  43. 

  44.     def is_valid(self, t):
    45. 

  45.         try:
    46. 

  46.             return time.time() - self.tokens.get(t, 0) < TOKEN_LIFETIME
    47. 

  47.         except Exception:
    48. 

  48.             return False
    49. 

  49. 

  50.     def invalidate(self, t):
    51. 

  51.         if t in self.tokens:
    52. 

  52.             del self.tokens[t]
    53. 

  53. 

  54. TOKEN_MANAGER = TokenManager()
    55. 

  55. 

  56. class AuthHandler(http.server.BaseHTTPRequestHandler):
    57. 

  57.     def do_GET(self):
    58. 

  58.         if self.path == '/auth/check':
    59. 

  59.             # Check if they have a valid token
    60. 

  60.             cookie = http.cookies.SimpleCookie(self.headers.get('Cookie'))
    61. 

  61.             if 'token' in cookie and TOKEN_MANAGER.is_valid(cookie['token'].value):
    62. 

  62.                 print('cookie ok')
    63. 

  63.                 self.send_response(200)
    64. 

  64.                 self.end_headers()
    65. 

  65.                 return
    66. 

  66. 

  67.             # Otherwise return 401, which will be redirected to '/auth/login' upstream
    68. 

  68.             print('no valid cookie found')
    69. 

  69.             self.send_response(401)
    70. 

  70.             self.end_headers()
    71. 

  71.             return
    72. 

  72. 

  73.         if self.path == '/auth/login':
    74. 

  74.             # Render out the login form
    75. 

  75.             self.send_response(200)
    76. 

  76.             self.send_header('Content-type', 'text/html')
    77. 

  77.             self.end_headers()
    78. 

  78.             self.wfile.write(bytes(FORM, 'UTF-8'))
    79. 

  79.             return
    80. 

  80. 

  81.         if self.path == '/auth/logout':
    82. 

  82.             # Invalidate any tokens
    83. 

  83.             cookie = http.cookies.SimpleCookie(self.headers.get('Cookie'))
    84. 

  84.             if 'token' in cookie:
    85. 

  85.                 TOKEN_MANAGER.invalidate(cookie['token'].value)
    86. 

  86. 

  87.             # This just replaces the token with garbage
    88. 

  88.             self.send_response(302)
    89. 

  89.             cookie = http.cookies.SimpleCookie()
    90. 

  90.             cookie["token"] = '***'
    91. 

  91.             cookie["token"]["path"] = '/'
    92. 

  92.             cookie["token"]["secure"] = SECURE_COOKIE 
    93. 

  93.             self.send_header('Set-Cookie', cookie.output(header=''))
    94. 

  94.             self.send_header('Location', '/')
    95. 

  95.             self.end_headers()
    96. 

  96.             return
    97. 

  97. 

  98.         # Otherwise return 404
    99. 

  99.         self.send_response(404)
    100. 

  100.         self.end_headers()
    101. 

  101. 

  102.     def do_POST(self):
    103. 

  103.         if self.path == '/auth/login':
    104. 

  104.             # Rate limit login attempts to once per second
    105. 

  105.             global LAST_LOGIN_ATTEMPT
    106. 

  106.             if time.time() - LAST_LOGIN_ATTEMPT < 1.0:
    107. 

  107.                 self.send_response(429)
    108. 

  108.                 self.end_headers()
    109. 

  109.                 self.wfile.write(bytes('Slow down. Hold your horses', 'UTF-8'))
    110. 

  110.                 return
    111. 

  111.             LAST_LOGIN_ATTEMPT = time.time()
    112. 

  112. 

  113.             # Check the TOTP Secret
    114. 

  114.             params = self.parse_POST()
    115. 

  115.             if (params.get(b'token') or [None])[0] == bytes(pyotp.TOTP(SECRET).now(), 'UTF-8'):
    116. 

  116.                 print('otp ok')
    117. 

  117.                 cookie = http.cookies.SimpleCookie()
    118. 

  118.                 cookie["token"] = TOKEN_MANAGER.generate()
    119. 

  119.                 cookie["token"]["path"] = "/"
    120. 

  120.                 cookie["token"]["secure"] = SECURE_COOKIE 
    121. 

  121. 

  122.                 self.send_response(302)
    123. 

  123.                 self.send_header('Set-Cookie', cookie.output(header=''))
    124. 

  124.                 self.send_header('Location', '/')
    125. 

  125.                 self.end_headers()
    126. 

  126.                 return
    127. 

  127. 

  128.             # Otherwise redirect back to the login page
    129. 

  129.             else:
    130. 

  130.                 print('otp not ok')
    131. 

  131.                 self.send_response(302)
    132. 

  132.                 self.send_header('Location', '/auth/login')
    133. 

  133.                 self.end_headers()
    134. 

  134.                 return
    135. 

  135.                 
    136. 

  136.         # Otherwise return 404
    137. 

  137.         self.send_response(404)
    138. 

  138.         self.end_headers()
    139. 

  139. 

  140.     def parse_POST(self):
    141. 

  141.         """Lifted from https://stackoverflow.com/questions/4233218/"""
    142. 

  142.         ctype, pdict = parse_header(self.headers['content-type'])
    143. 

  143.         if ctype == 'multipart/form-data':
    144. 

  144.             postvars = parse_multipart(self.rfile, pdict)
    145. 

  145.         elif ctype == 'application/x-www-form-urlencoded':
    146. 

  146.             length = int(self.headers['Content-Length'])
    147. 

  147.             postvars = parse_qs( self.rfile.read(length), keep_blank_values=1)
    148. 

  148.         else:
    149. 

  149.             postvars = {}
    150. 

  150.         return postvars
    151. 

  151. 

  152. socketserver.TCPServer.allow_reuse_address = True
    153. 

  153. httpd = socketserver.TCPServer(("", PORT), AuthHandler)
    154. 

  154. try:
    155. 

  155.     print("serving at port", PORT)
    156. 

  156.     httpd.serve_forever()
    157. 

  157. finally:
    158. 

  158.     httpd.server_close()
    159.