From a0d15ecf232bcc1f6febd83363dd35cb69374aeb Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sat, 17 Nov 2018 22:53:51 +0100
Subject: [PATCH] Cleanup!

---
 README.md | 136 +++--------------------------
 ungleichotp/otpauth/serializer.py | 33 ++------
 ungleichotp/otpauth/views.py | 1 +
 ungleichotp/ungleichotp/urls.py | 2 -
 4 files changed, 23 insertions(+), 149 deletions(-)

diff --git a/README.md b/README.md
index d983882..8cd5704 100644
--- a/README.md
+++ b/README.md
@@ -78,143 +78,31 @@ Request JSON object: Response JSON object: -Either +Either HTTP 200 with ``` { status: "OK", } ``` -OR +OR return code 403: + +* If token for authenticating is wrong, you get ``` -{ - status: "FAIL", -} +{"detail":"Incorrect authentication credentials."} ``` -### POST /register - -Register a new seed. Returns an app ID. - -Request JSON object: +* If token that is being verified is wrong, you get ``` -{ - version: "1", - appuuid: "your-app-uuid", - token: "current time based token", - username: "user this app belongs to", - appname: "name of your web app" -} +{"detail":"You do not have permission to perform this action."} ``` -Response JSON object: +### GET, POST, ... /ungleichotp/ -``` -{ - status: "OK", - appuuid: "UUID of your app", -} -``` - -OR - -``` -{ - status: "FAIL", - error: "Reason for failure" -} -``` - -### POST /app/register - -Register a new app. Returns an app ID. - -Request JSON object: - -``` -{ - version: "1", - appuuid: "your-app-uuid", - token: "current time based token", - username: "user this app belongs to", - appname: "name of your web app" -} -``` - -Response JSON object: - -``` -{ - status: "OK", - appuuid: "UUID of your app", -} -``` - -OR - -``` -{ - status: "FAIL", - error: "Reason for failure" -} -``` - -### GET /app - -List all registered apps for the current user. 
- -Request JSON object: - -``` -{ - version: "1", - appuuid: "your-app-uuid", - token: "current time based token" -} -``` - -Response JSON object: - -``` -{ - status: "OK", - apps: [ - { - name: "name of your web app" - appuuid: "UUID of your app", - }, - { - name: "name of your second web app" - appuuid: "UUID of your second app", - } - ] -} -``` - -### GET /app/UUID - -Get seed for APP to be used as a token - -Request JSON object: - -``` -{ - version: "1", - appuuid: "your-app-uuid", - token: "current time based token" -} -``` - -Response JSON object: - -``` -{ - status: "OK", - seed: "seed of your app" -} -``` +Standard django rest framework behaviour for updating / listing +objects. ## Usage: OTP @@ -296,6 +184,7 @@ Don’t forget to point AUTH_USER_MODEL to it. Do this before creating any migra - [x] Implement registering of new entries - [x] OTPSerializer: allow to read seed for admin - [x] Implement deleting entry +- [x] Include verify in ModelSerializer - [ ] Remove hard coded JSON (?) - [ ] Use Custom authentication (?) - needs to have a user - [ ] Maybe we map name+realm == User (?) @@ -305,3 +194,6 @@ Don’t forget to point AUTH_USER_MODEL to it. Do this before creating any migra - custom auth method - [ ] Implement creating new "User" - by POST / Model based +- [ ] move totp constants into settings +- [ ] move field lengths into settings +- [ ] make settings adjustable by environment (?) diff --git a/ungleichotp/otpauth/serializer.py b/ungleichotp/otpauth/serializer.py index a8a9980..ccfe2a8 100644 --- a/ungleichotp/otpauth/serializer.py +++ b/ungleichotp/otpauth/serializer.py 
@@ -10,15 +10,7 @@ class OTPSerializer(serializers.ModelSerializer): read_only_fields = ('seed',) def create(self, validated_data): - print(validated_data) - print("BEING CALLED??") - name = validated_data.get('name') - realm = validated_data.get('realm') - - # validated_data - seed = pyotp.random_base32() - validated_data['seed'] = seed - + validated_data['seed'] = pyotp.random_base32() return OTPSeed.objects.create(**validated_data) class VerifySerializer(serializers.Serializer): @@ -30,25 +22,20 @@ class VerifySerializer(serializers.Serializer): verifytoken = serializers.CharField(max_length=128) verifyrealm = serializers.CharField(max_length=128) - def create(self, validated_data): - print("all going to be verified - CREATE") - token_in = validated_data.get('token') - name_in = validated_data.get('name') - realm_in = validated_data.get('realm') - - verifytoken = validated_data.get('verifytoken') - verifyname = validated_data.get('verifyname') - verifyrealm = validated_data.get('verifyrealm') + def save(self): + token_in = self.validated_data.get('token') + name_in = self.validated_data.get('name') + realm_in = self.validated_data.get('realm') + verifytoken = self.validated_data.get('verifytoken') + verifyname = self.validated_data.get('verifyname') + verifyrealm = self.validated_data.get('verifyrealm') # 1. Verify that the connection might authenticate - try: db_instance = otpauth.models.OTPSeed.objects.get(name=name_in, realm=realm_in) except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist): raise exceptions.AuthenticationFailed() - print("serializer found object") - totp = pyotp.TOTP(db_instance.seed) if not totp.verify(token_in, valid_window=3): @@ -56,7 +43,6 @@ class VerifySerializer(serializers.Serializer): # 2. Verify the requested data - try: verifyinstance = otpauth.models.OTPSeed.objects.get(name=verifyname, realm=verifyrealm) except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist): 
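Review bot: `OTPSerializer.create` now has a one-line body but no docstring, and the one non-obvious fact about it is security-relevant: `read_only_fields = ('seed',)` on the context line above means a client-supplied seed never reaches `validated_data`, so the secret is always generated server-side. A docstring such as `"""Create an OTPSeed, generating the secret server-side; `seed` is read-only so a client-supplied value is ignored."""` would record that. The assignment also mutates the `validated_data` dict DRF hands in; `return OTPSeed.objects.create(seed=pyotp.random_base32(), **validated_data)` avoids the side effect without changing behaviour.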
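Review bot: `VerifySerializer.save` is declared as `def save(self)`, dropping the `**kwargs` that rest_framework's `Serializer.save(**kwargs)` accepts, so any caller passing keyword arguments would now fail with a TypeError; `def save(self, **kwargs):` keeps the override signature-compatible. The method body continues past this hunk into the two following ones. A name/realm pair with no OTPSeed row raises `AuthenticationFailed` before any TOTP work, whereas a wrong token is rejected only after `totp.verify`, so the response timing differs between "unknown seed" and "wrong token"; computing the comparison against a dummy secret in the except branch before raising keeps the two cases indistinguishable. The pre-existing `valid_window=3` on the context line accepts a token from seven consecutive time steps and nothing records the step a token was last accepted at, so an observed token stays valid until the window closes; persisting the last verified time step on the OTPSeed and rejecting anything at or before it (RFC 6238 §5.2) would close that replay gap.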
@@ -69,6 +55,3 @@ class VerifySerializer(serializers.Serializer): print("All verified!") return verifyinstance - - def verify(self, validated_data): - print("all going to be verified - AAAAAAAA") diff --git a/ungleichotp/otpauth/views.py b/ungleichotp/otpauth/views.py index 03ac6da..a4e5a59 100644 --- a/ungleichotp/otpauth/views.py +++ b/ungleichotp/otpauth/views.py @@ -20,6 +20,7 @@ class OTPVerifyViewSet(viewsets.ModelViewSet): serializer = VerifySerializer(data=request.data) if serializer.is_valid(): print(serializer) + serializer.save() return Response({'status': 'OK'}) return JsonResponse(serializer.errors, status=400) diff --git a/ungleichotp/ungleichotp/urls.py b/ungleichotp/ungleichotp/urls.py index 05b26cd..8812180 100644 --- a/ungleichotp/ungleichotp/urls.py +++ b/ungleichotp/ungleichotp/urls.py @@ -28,8 +28,6 @@ router = routers.DefaultRouter() router.register(r'ungleichotp', VerifyViewSet, basename='ungleichotp') router.register(r'ungleichotpv2', OTPVerifyViewSet, basename='ungleichotpv2') -print(router.urls) - urlpatterns = [ path('admin/', admin.site.urls), url(r'^', include(router.urls)),
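Review bot: The `print(serializer)` on the line directly above the added `serializer.save()` is a debug print left in the request path; the commit removes the other prints in serializer.py and urls.py but keeps this one and the `print("All verified!")` in `VerifySerializer.save`, so either drop it or route it through a module-level `logging.getLogger(__name__)`. The enclosing view method starts outside the hunk. `save()` returns the verified OTPSeed instance but the view discards it and always answers `{'status': 'OK'}`, which matches the README; since the failure path is an exception rather than a return value, a comment like `# save() raises a DRF APIException on a bad token, which the framework turns into the 403 documented in README.md` would make the control flow explicit to the next reader.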