Skip to content

swap_user.otp.forms

CheckOTPForm

Bases: GetOTPForm

Here we are checking User presence among with OPT check.

Source code in swap_user/otp/forms.py 
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
class CheckOTPForm(GetOTPForm):
    """
    Here we are checking User presence among with OPT check.
    """

    otp = forms.CharField(label=_("OTP"), widget=forms.PasswordInput(attrs={"autofocus": True}))

    def clean(self):
        """
        Method that allows to us pass through few validation checks:
            - User DB presence
            - OTP password validity
        """

        username_field = UserModel.USERNAME_FIELD
        username = self.cleaned_data[username_field]
        otp = self.cleaned_data["otp"]

        service_class = swap_user_settings.VALIDATION_SERVICE_CLASS
        service = service_class()

        service.check_user_is_banned_for_otp_rate_limit(username)
        service.check_user_is_banned_for_invalid_login_attempts(username)
        service.check_password(username, otp)
        service.check_extra(username=username, otp=otp)

        return self.cleaned_data

clean()

Method that allows to us pass through few validation checks
  • User DB presence
  • OTP password validity
Source code in swap_user/otp/forms.py 
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
def clean(self):
    """
    Method that allows to us pass through few validation checks:
        - User DB presence
        - OTP password validity
    """

    username_field = UserModel.USERNAME_FIELD
    username = self.cleaned_data[username_field]
    otp = self.cleaned_data["otp"]

    service_class = swap_user_settings.VALIDATION_SERVICE_CLASS
    service = service_class()

    service.check_user_is_banned_for_otp_rate_limit(username)
    service.check_user_is_banned_for_invalid_login_attempts(username)
    service.check_password(username, otp)
    service.check_extra(username=username, otp=otp)

    return self.cleaned_data

GetOTPForm

Bases: forms.ModelForm

Unfortunately we can't check User exist or not at this screen by the security reasons - if we will show error when User doesn't exist, attacker can just check all the emails / phones.

Source code in swap_user/otp/forms.py 
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
class GetOTPForm(forms.ModelForm):
    """
    Unfortunately we can't check User exist or not at this screen by the
    security reasons - if we will show error when User doesn't exist,
    attacker can just check all the emails / phones.
    """

    class Meta:
        model = UserModel
        fields = (UserModel.USERNAME_FIELD,)

    def clean(self):
        """
        We are preventing unique validation by overriding this method and
        adding extra check for user ban.
        """

        username_field = UserModel.USERNAME_FIELD
        raw_username = self.cleaned_data[username_field]
        username = normalize_username(raw_username)

        service_class = swap_user_settings.VALIDATION_SERVICE_CLASS
        service = service_class()

        service.check_user_is_banned_for_otp_rate_limit(username)
        service.check_user_is_banned_for_invalid_login_attempts(username)
        service.check_extra(username=username)

        return self.cleaned_data

clean()

We are preventing unique validation by overriding this method and adding extra check for user ban.

Source code in swap_user/otp/forms.py 
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
def clean(self):
    """
    We are preventing unique validation by overriding this method and
    adding extra check for user ban.
    """

    username_field = UserModel.USERNAME_FIELD
    raw_username = self.cleaned_data[username_field]
    username = normalize_username(raw_username)

    service_class = swap_user_settings.VALIDATION_SERVICE_CLASS
    service = service_class()

    service.check_user_is_banned_for_otp_rate_limit(username)
    service.check_user_is_banned_for_invalid_login_attempts(username)
    service.check_extra(username=username)

    return self.cleaned_data