Merge pull request #753 from FozzieHi/totp-invalid-login-email

Invalid TOTP and recovery code email notifications
2024-09-20 15:05:59 +08:00 · 2022-01-24 18:35:52 +01:00 · 2022-01-24 18:35:52 +01:00 · 89a800eed9
parent f1c0b94ffd ab72927a16
commit 89a800eed9
8 changed files with 48 additions and 1 deletions
--- a/app/api/views/auth_mfa.py
+++ b/app/api/views/auth_mfa.py
@ -6,6 +6,7 @@ from itsdangerous import Signer
 from app.api.base import api_bp
 from app.config import FLASK_SECRET
 from app.db import Session
+from app.email_utils import send_invalid_totp_login_email
 from app.log import LOG
 from app.models import User, ApiKey

@ -53,6 +54,7 @@ def auth_mfa():

    totp = pyotp.TOTP(user.otp_secret)
    if not totp.verify(mfa_token):
+        send_invalid_totp_login_email(user, "TOTP")
        return jsonify(error="Wrong TOTP Token"), 400

    ret = {"name": user.name or "", "email": user.email}
--- a/app/auth/views/mfa.py
+++ b/app/auth/views/mfa.py
@ -16,6 +16,7 @@ from wtforms import BooleanField, StringField, validators
 from app.auth.base import auth_bp
 from app.config import MFA_USER_ID, URL
 from app.db import Session
+from app.email_utils import send_invalid_totp_login_email
 from app.extensions import limiter
 from app.models import User, MfaBrowser

@ -95,6 +96,7 @@ def mfa():
            # Trigger rate limiter
            g.deduct_limit = True
            otp_token_form.token.data = None
+            send_invalid_totp_login_email(user, "TOTP")

    return render_template(
        "auth/mfa.html",
--- a/app/auth/views/recovery.py
+++ b/app/auth/views/recovery.py
@ -7,6 +7,7 @@ from wtforms import StringField, validators
 from app.auth.base import auth_bp
 from app.config import MFA_USER_ID
 from app.db import Session
+from app.email_utils import send_invalid_totp_login_email
 from app.extensions import limiter
 from app.log import LOG
 from app.models import User, RecoveryCode
@ -68,5 +69,6 @@ def recovery_route():
            # Trigger rate limiter
            g.deduct_limit = True
            flash("Incorrect code", "error")
+            send_invalid_totp_login_email(user, "recovery")

    return render_template("auth/recovery.html", recovery_form=recovery_form)
--- a/app/config.py
+++ b/app/config.py
@ -318,6 +318,8 @@ ALERT_FROM_ADDRESS_IS_REVERSE_ALIAS = "from_address_is_reverse_alias"

 ALERT_SPF = "spf"

+ALERT_INVALID_TOTP_LOGIN = "invalid_totp_login"
+
 # when a mailbox is also an alias
 # happens when user adds a mailbox with their domain
 # then later adds this domain into SimpleLogin
--- a/app/email_utils.py
+++ b/app/email_utils.py
@ -50,6 +50,7 @@ from app.config import (
    ALERT_DIRECTORY_DISABLED_ALIAS_CREATION,
    TRANSACTIONAL_BOUNCE_EMAIL,
    ALERT_SPF,
+    ALERT_INVALID_TOTP_LOGIN,
    TEMP_DIR,
    ALIAS_AUTOMATIC_DISABLE,
    RSPAMD_SIGN_DKIM,
@ -173,6 +174,24 @@ def send_change_email(new_email, current_email, link):
    )


+def send_invalid_totp_login_email(user, totp_type):
+    send_email_with_rate_control(
+        user,
+        ALERT_INVALID_TOTP_LOGIN,
+        user.email,
+        "Unsuccessful attempt to login to your SimpleLogin account",
+        render(
+            "transactional/invalid-totp-login.txt",
+            type=totp_type,
+        ),
+        render(
+            "transactional/invalid-totp-login.html",
+            type=totp_type,
+        ),
+        1,
+    )
+
+
 def send_test_email_alias(email, name):
    send_email(
        email,
--- a/templates/dashboard/setting.html
+++ b/templates/dashboard/setting.html
@ -209,7 +209,7 @@
    <!-- END Change email -->

    <!-- Change password -->
-    <div class="card">
+    <div class="card" id="change_password">
      <div class="card-body">
        <div class="card-title">
          Password
--- a/templates/emails/transactional/invalid-totp-login.html
+++ b/templates/emails/transactional/invalid-totp-login.html
@ -0,0 +1,12 @@
+{% extends "base.html" %}
+
+{% block content %}
+  {{ render_text("There has been an unsuccessful attempt to login to your SimpleLogin account.") }}
+  {{ render_text("An invalid " ~ type ~ " code was provided <b>but the email and password were correct.</b>") }}
+
+  {{ render_text("This request has been blocked. However, if this was <b>not</b> you, please <b>change your password immediately.</b>") }}
+  {{ render_button("Change your password", URL ~ "/dashboard/setting#change_password") }}
+
+  {{ render_text('Thanks, <br />SimpleLogin Team.') }}
+  {{ raw_url(URL ~ "/dashboard/setting#change_password") }}
+{% endblock %}
--- a/templates/emails/transactional/invalid-totp-login.txt
+++ b/templates/emails/transactional/invalid-totp-login.txt
@ -0,0 +1,8 @@
+There has been an unsuccessful attempt to login to your SimpleLogin account.
+An invalid {{type}} code was provided but the email and password were correct.
+
+This request has been blocked. However, if this was not you, please change your password immediately.
+{{URL}}/dashboard/setting#change_password
+
+Thanks,
+SimpleLogin Team.