totp => otp, integrate with factors, new setup form

passbook/core/auth/view.py

@@ -24,7 +24,9 @@ class AuthenticationView(UserPassesTestMixin, View):
     pending_user = None
     pending_factors = []
 
-    _current_factor = None
+    _current_factor_class = None
+
+    current_factor = None
 
     # Allow only not authenticated users to login
     def test_func(self):
@@ -37,6 +39,7 @@ class AuthenticationView(UserPassesTestMixin, View):
         return redirect(reverse('passbook_core:overview'))
 
     def dispatch(self, request, *args, **kwargs):
+        print(request.session.keys())
         # Extract pending user from session (only remember uid)
         if AuthenticationView.SESSION_PENDING_USER in request.session:
             self.pending_user = get_object_or_404(
@@ -50,43 +53,47 @@ class AuthenticationView(UserPassesTestMixin, View):
         else:
             # Get an initial list of factors which are currently enabled
             # and apply to the current user. We check policies here and block the request
-            _all_factors = Factor.objects.filter(enabled=True)
+            _all_factors = Factor.objects.filter(enabled=True).order_by('order').select_subclasses()
             self.pending_factors = []
             for factor in _all_factors:
                 if factor.passes(self.pending_user):
-                    self.pending_factors.append(factor.type)
+                    self.pending_factors.append((factor.uuid.hex, factor.type))
         # Read and instantiate factor from session
-        factor_class = None
+        factor_uuid, factor_class = None, None
         if AuthenticationView.SESSION_FACTOR not in request.session:
             # Case when no factors apply to user, return error denied
             if not self.pending_factors:
                 return self.user_invalid()
-            factor_class = self.pending_factors[0]
+            factor_uuid, factor_class = self.pending_factors[0]
         else:
-            factor_class = request.session[AuthenticationView.SESSION_FACTOR]
+            factor_uuid, factor_class = request.session[AuthenticationView.SESSION_FACTOR]
+        # Lookup current factor object
+        self.current_factor = Factor.objects.filter(uuid=factor_uuid).select_subclasses().first()
         # Instantiate Next Factor and pass request
         factor = path_to_class(factor_class)
-        self._current_factor = factor(self)
-        self._current_factor.pending_user = self.pending_user
-        self._current_factor.request = request
+        self._current_factor_class = factor(self)
+        self._current_factor_class.pending_user = self.pending_user
+        self._current_factor_class.request = request
         return super().dispatch(request, *args, **kwargs)
 
     def get(self, request, *args, **kwargs):
         """pass get request to current factor"""
-        LOGGER.debug("Passing GET to %s", class_to_path(self._current_factor.__class__))
-        return self._current_factor.get(request, *args, **kwargs)
+        LOGGER.debug("Passing GET to %s", class_to_path(self._current_factor_class.__class__))
+        return self._current_factor_class.get(request, *args, **kwargs)
 
     def post(self, request, *args, **kwargs):
         """pass post request to current factor"""
-        LOGGER.debug("Passing POST to %s", class_to_path(self._current_factor.__class__))
-        return self._current_factor.post(request, *args, **kwargs)
+        LOGGER.debug("Passing POST to %s", class_to_path(self._current_factor_class.__class__))
+        return self._current_factor_class.post(request, *args, **kwargs)
 
     def user_ok(self):
         """Redirect to next Factor"""
-        LOGGER.debug("Factor %s passed", class_to_path(self._current_factor.__class__))
+        LOGGER.debug("Factor %s passed", class_to_path(self._current_factor_class.__class__))
         # Remove passed factor from pending factors
-        if class_to_path(self._current_factor.__class__) in self.pending_factors:
-            self.pending_factors.remove(class_to_path(self._current_factor.__class__))
+        current_factor_tuple = (self.current_factor.uuid.hex,
+                                class_to_path(self._current_factor_class.__class__))
+        if current_factor_tuple in self.pending_factors:
+            self.pending_factors.remove(current_factor_tuple)
         next_factor = None
         if self.pending_factors:
             next_factor = self.pending_factors.pop()
@@ -120,11 +127,12 @@ class AuthenticationView(UserPassesTestMixin, View):
 
     def _cleanup(self):
         """Remove temporary data from session"""
-        session_keys = ['SESSION_FACTOR', 'SESSION_PENDING_FACTORS',
-                        'SESSION_PENDING_USER', 'SESSION_USER_BACKEND', ]
+        session_keys = [self.SESSION_FACTOR, self.SESSION_PENDING_FACTORS,
+                        self.SESSION_PENDING_USER, self.SESSION_USER_BACKEND, ]
         for key in session_keys:
             if key in self.request.session:
                 del self.request.session[key]
+        print(self.request.session.keys())
         LOGGER.debug("Cleaned up sessions")
 
 class FactorPermissionDeniedView(PermissionDeniedView):