improve security and fix error msg

- Instead of passing the user as a hidden form element, we use a session variable. - Introduces a 60 second limit on completing the login, and an exponentially increasing delay to attempt to login with 2FA if the code is entered incorrectly. - use proper Django form error when incorrect otp value entered
2022-09-18 16:32:42 +10:00 · 2022-09-18 16:32:42 +10:00 · 6db4fb39ed
commit 6db4fb39ed
parent 9d12b7caff
5 changed files with 58 additions and 55 deletions
--- a/bookwyrm/templates/two_factor_auth/two_factor_login.html
+++ b/bookwyrm/templates/two_factor_auth/two_factor_login.html
@ -30,23 +30,14 @@
                    </h1>
                    {% endblock %}
                </header>
-                {% if error %}
-                <div class="notification is-danger is-light">
-                    <!-- TODO: how do we translate dynamic errors? -->
-                    <span>
-                        {{ error }}
-                    </span>
-                </div>
-                {% endif %}
                <div class="is-centered">
                    <form name="confirm-2fa" action="{% url 'login-with-2fa' %}" method="post" enctype="multipart/form-data">
                        {% csrf_token %}
                        <div class="field">
                            <label class="label" for="id_otp">{% trans "Enter the code from your authenticator app:" %}</label>
                            {{ form.otp }}
-                            {% include 'snippets/form_errors.html' with errors_list=form.current_password.errors id="desc_current_password" %}
+                            {% include 'snippets/form_errors.html' with errors_list=form.otp.errors id="desc_otp" %}
                        </div>
-                        <input name="2fa_user" value="{{ 2fa_user }}" hidden>
                        <button class="button is-primary" type="submit">{% trans "Confirm and Log In" %}</button>
                    </form>
                </div>