From 6b22532e98d8352f55c21a14194b4f1193f4d93e Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sat, 17 Nov 2018 18:48:12 +0100
Subject: [PATCH] Can verify token
---
 README.md | 5 +++++
 ungleichotp/otpauth/serializer.py | 34 ++++++++++++++++++++++++-------
 ungleichotp/otpauth/views.py | 24 ++++++++++++++++++++--
 ungleichotp/ungleichotp/urls.py | 22 +++----------------
 4 files changed, 57 insertions(+), 28 deletions(-)
diff --git a/README.md b/README.md
index 790d189..910e0f4 100644
--- a/README.md
+++ b/README.md
@@ -259,3 +259,8 @@ DATABASES = {
 }
 }
 ```
+
+## TODOs
+
+- [ ] serialize / input request
+- [ ] Remove hard coded JSON
diff --git a/ungleichotp/otpauth/serializer.py b/ungleichotp/otpauth/serializer.py
index cffa486..345c2be 100644
--- a/ungleichotp/otpauth/serializer.py
+++ b/ungleichotp/otpauth/serializer.py
@@ -34,16 +34,36 @@ class VerifySerializer(serializers.Serializer):
 name_in = validated_data.get('name')
 realm_in = validated_data.get('realm')
+ verifytoken = validated_data.get('verifytoken')
+ verifyname = validated_data.get('verifyname')
+ verifyrealm = validated_data.get('verifyrealm')
+
+ # 1. Verify that the connection might authenticate
+
 try:
 db_instance = otpauth.models.OTPSeed.objects.get(name=name_in, realm=realm_in)
 except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist):
- raise exceptions.PermissionDenied()
+ raise exceptions.AuthenticationFailed()
+
+ print("serializer found object")
- print("here?")
- # Generate token and compare
 totp = pyotp.TOTP(db_instance.seed)
- if totp.verify(token_in, valid_window=3):
- return "OK"
- else:
- return "FAIL"
+ if not totp.verify(token_in, valid_window=3):
+ raise exceptions.AuthenticationFailed()
+
+
+ # 2. Verify the requested data
+
+ try:
+ verifyinstance = otpauth.models.OTPSeed.objects.get(name=verifyname, realm=verifyrealm)
+ except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist):
+ raise exceptions.PermissionDenied()
+
+ totp = pyotp.TOTP(verifyinstance.seed)
+
+ if not totp.verify(verifytoken, valid_window=3):
+ raise exceptions.PermissionDenied()
+
+ print("All verified!")
+ return verifyinstance
diff --git a/ungleichotp/otpauth/views.py b/ungleichotp/otpauth/views.py
index cccfc30..f9a1a92 100644
--- a/ungleichotp/otpauth/views.py
+++ b/ungleichotp/otpauth/views.py
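Review bot: Step 1 only proves the caller holds some valid seed; nothing ties the authenticating `(name_in, realm_in)` to the `(verifyname, verifyrealm)` it then gets to check, so any seed holder in any realm can verify codes for any other seed — if that is not the intended trust model, add an authorization check between the two lookups (e.g. restrict the authenticating seed to a dedicated realm or to its own realm). Both `totp.verify(..., valid_window=3)` calls accept seven codes at once with the default 30-second step, and since no last-accepted time-step is recorded a sniffed code can be replayed for the rest of that window; tighten to `valid_window=1` and persist the last used counter on `OTPSeed`, rejecting anything not newer. `verifytoken`, `verifyname` and `verifyrealm` come from `validated_data.get(...)`, so unless the serializer declares them as required fields (the field declarations are outside this hunk) a missing `verifytoken` reaches `totp.verify(None)` and fails with a TypeError rather than a clean 4xx. The `print("serializer found object")` / `print("All verified!")` debug output should become `logger.debug(...)` or go. The enclosing method starts outside the hunk.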
@@ -1,11 +1,31 @@
 from django.shortcuts import render
 from rest_framework import viewsets
+from rest_framework.parsers import JSONParser
 from otpauth.serializer import VerifySerializer
+from django.http import HttpResponse, JsonResponse
-# Create your views here.
+import json
-class VerifyViewSet(viewsets.ModelViewSet):
+class VerifyViewSetV1(viewsets.ModelViewSet):
 serializer_class = VerifySerializer
 def get_queryset(self):
 return None
+
+
+class VerifyViewSet(viewsets.ViewSet):
+ serializer_class = VerifySerializer
+
+ def create(self, request):
+ data = JSONParser().parse(request)
+ serializer = VerifySerializer(data=data)
+ if serializer.is_valid():
+ print("is valid")
+ print(serializer)
+ #serializer.save()
+ return JsonResponse(serializer.data, status=201)
+ return JsonResponse(serializer.errors, status=400)
+
+
+ def get_queryset(self):
+ return []
diff --git a/ungleichotp/ungleichotp/urls.py b/ungleichotp/ungleichotp/urls.py
index ae364df..02cefba 100644
--- a/ungleichotp/ungleichotp/urls.py
+++ b/ungleichotp/ungleichotp/urls.py
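Review bot: `VerifyViewSet` declares no throttle or permission classes and the only authentication is the TOTP check done inside the serializer, so anyone who knows a name/realm can submit 6-digit guesses as fast as the server answers; add `throttle_classes = [AnonRateThrottle]` (or a scoped throttle, imported from `rest_framework.throttling`) on the viewset. `serializer.save()` is commented out, so if the verification logic in `VerifySerializer` lives in `create()` rather than `validate()` (not visible from this file) `is_valid()` never runs it and every well-formed request gets a 201 — worth a test that a wrong token yields 401/403. The success branch returns `JsonResponse(serializer.data, status=201)`, which echoes the submitted tokens back and uses a creation status for a verification; a minimal body such as `return JsonResponse({'status': 'ok'}, status=200)` is safer. `JSONParser().parse(request)` sidesteps DRF's configured parsers and content negotiation — `request.data` gives the same dict — and the `print("is valid")` / `print(serializer)` lines are debug residue.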
@@ -18,33 +18,17 @@ Including another URLconf
 from django.contrib import admin
 from django.urls import path
 from django.conf.urls import url, include
-
 from django.contrib.auth.models import User
 from rest_framework import routers, serializers, viewsets
-
-# Serializers define the API representation.
-class UserSerializer(serializers.HyperlinkedModelSerializer):
- class Meta:
- model = User
- fields = ('url', 'username', 'email', 'is_staff')
-
-# ViewSets define the view behavior.
-class UserViewSet(viewsets.ModelViewSet):
- queryset = User.objects.all()
- serializer_class = UserSerializer
-
-# Routers provide an easy way of automatically determining the URL conf.
-router = routers.DefaultRouter()
-router.register(r'users', UserViewSet)
-
 from otpauth.models import OTPSeed
 from otpauth.views import VerifyViewSet
+
+router = routers.DefaultRouter()
 router.register(r'ungleichotp', VerifyViewSet, basename='ungleichotp')
+print(router.urls)
-# Wire up our API using automatic URL routing.
-# Additionally, we include login URLs for the browsable API.
 urlpatterns = [
 path('admin/', admin.site.urls),
 url(r'^', include(router.urls)),
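Review bot: `print(router.urls)` executes at import time of the root URLconf, so every process start and every management command dumps the route list to stdout; drop the line or make it `logger.debug("routes: %s", router.urls)`. With the quickstart `UserSerializer`/`UserViewSet` gone, `from django.contrib.auth.models import User` (which this hunk appears to keep), the `serializers, viewsets` names in the `rest_framework` import and `from otpauth.models import OTPSeed` look unused here — if nothing past the hunk needs them, trim to `from rest_framework import routers`. `DefaultRouter` mounted at `^` also serves an API root view that lists the registered endpoints; if that listing is not wanted on an auth service, `routers.SimpleRouter()` avoids it. The `urlpatterns` list continues past the hunk.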