@haniffm haniffm commented May 29, 2019

This implementation is influenced by: https://tag1consulting.com/blog/building-api-django-20-part-i

Created some endpoints to:

  1. login
  2. create totp
  3. verify totp
  4. disable totp
  5. delete totp

Main part that is still not working is that we don't want to authenticate the
user if it has an OTP configured but not filled in.

To try the current solution:

  1. Login with admin/admin

  2. Enable the OTP by navigating to http://localhost:8000/otp/create/

  3. Copy the response that starts with "otpauth://"

  4. Create a QR code with help of google (there are other ways) by appending the above response to:

    https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl=

    So it looks something like this:
    https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl=otpauth://totp/admin?secret=H27UTUREIAIWDXF6FVV6X4NGNC7VFATO&algorithm=SHA1&digits=6&period=30

  5. Open Google Authenticator (or some other similar tool) on your phone and scan the above generated image. You should get timed autogenerated numbers on your phone.

  6. To verify, go to: http://localhost:8000/otp/verify/ and fill in the number you have on your phone as the JSON token like this:

    { "token": 123456 }

    If the token is correct you should get Status code 201

  7. To delete the otp, go to: http://localhost:8000/otp/delete/ and POST the request.

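As an added example (not code from this PR, nor from the tag1consulting post it cites), the following stdlib-only Python implements the pieces the steps above exercise: the otpauth:// URI that the create step returns, HOTP/TOTP per RFC 4226 / RFC 6238, a verify step with a small clock-skew window and replay protection, and the login gate the description says is still missing (a user with a confirmed secret is not authenticated without a valid code). `User`, `login`, `verify_totp`, `provisioning_uri` and the demo secret are hypothetical names and values for illustration, not the project's; the RFC 6238 test secret is the public one from the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional, Union
from urllib.parse import quote

# Constructed demo secret in the same shape as the one in the otpauth:// URI above
# (32 base32 chars = 160-bit seed). Real code generates it with secrets.token_bytes(20).
DEMO_SECRET_B32 = "H27UTUREIAIWDXF6FVV6X4NGNC7VFATO"
# Public RFC 6238 test secret (ASCII "12345678901234567890"), used for the checks below.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def provisioning_uri(username: str, secret_b32: str, issuer: Optional[str] = None,
                     digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """Build the otpauth:// URI an authenticator app scans (what the create step returns)."""
    uri = (f"otpauth://totp/{quote(username)}?secret={secret_b32}"
           f"&algorithm={algorithm}&digits={digits}&period={period}")
    if issuer:
        uri += f"&issuer={quote(issuer)}"
    return uri


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter), dynamic truncation, zero-padded decimal code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // period, digits)


def _normalize_token(token: Union[str, int, None], digits: int) -> Optional[str]:
    """Accept the code as a string or as a JSON number; None if it cannot be a valid code."""
    if token is None or isinstance(token, bool):
        return None
    if isinstance(token, int):
        token = str(token).zfill(digits)  # a JSON number has lost its leading zeros
    if not (isinstance(token, str) and token.isdigit() and len(token) == digits):
        return None
    return token


def verify_totp(secret_b32: str, token, at: Optional[int] = None, period: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the accepted time-step counter, or None.

    Tolerates +/-window steps of clock skew and rejects any step at or before
    last_counter, so an intercepted code cannot be replayed within its period.
    """
    token = _normalize_token(token, digits)
    if token is None:
        return None
    at = int(time.time()) if at is None else at
    current = at // period
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), token):
            return counter
    return None


@dataclass
class User:
    """Hypothetical user record; a real app stores a password hash, not the password."""
    username: str
    password: str
    totp_secret: Optional[str] = None      # set by the create step
    totp_confirmed: bool = False           # set once the verify step has succeeded
    last_totp_counter: Optional[int] = None


def login(user: User, password: str, token=None, at: Optional[int] = None) -> bool:
    """Password check, then the gate the PR description says is still missing:
    a user with a confirmed TOTP secret is not authenticated without a valid code."""
    if not hmac.compare_digest(user.password.encode(), password.encode()):
        return False
    if user.totp_secret and user.totp_confirmed:
        if token is None:
            return False  # OTP configured but not filled in
        counter = verify_totp(user.totp_secret, token, at=at,
                              last_counter=user.last_totp_counter)
        if counter is None:
            return False
        user.last_totp_counter = counter  # burn this step so the code cannot be reused
    return True


if __name__ == "__main__":
    now = int(time.time())
    admin = User("admin", "admin", DEMO_SECRET_B32, totp_confirmed=True)
    print(provisioning_uri("admin", DEMO_SECRET_B32))
    print("no token  ->", login(admin, "admin", at=now))
    print("good code ->", login(admin, "admin", totp(DEMO_SECRET_B32, now), at=now))
```

Two practical points the steps above touch. The otpauth:// URI carries the shared seed in clear, so rendering the QR code locally (for example with the `qrcode` package) keeps the seed off a third-party chart service. And `{ "token": 123456 }` sends the code as a JSON number, so a code such as 012345 arrives as 12345; the normalizer above zero-pads it back to `digits` characters, but sending the token as a string avoids the ambiguity altogether.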