admin / Synapse-Cortex
publicSelf Hosted ITSM Tool with RBAC/Tenanting and MFA
Synapse-Cortex / Synapse-Cortexv2 / app / routers / settings.py
2842 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | from fastapi import APIRouter, Depends, HTTPException, status from sqlalchemy.orm import Session from .. import mfa, schemas from ..audit import log_audit from ..database import get_db from ..deps import get_session_user from ..security import hash_password, verify_password router = APIRouter(prefix="/api/v1/settings", tags=["settings"]) @router.post("/password") def change_password( payload: schemas.PasswordChangeRequest, db: Session = Depends(get_db), user=Depends(get_session_user), ): if not user: raise HTTPException(status.HTTP_401_UNAUTHORIZED) if not verify_password(payload.current_password, user.hashed_password): raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="Current password is incorrect.") user.hashed_password = hash_password(payload.new_password) db.commit() return {"status": "ok"} @router.post("/mfa/enroll/init", response_model=schemas.MfaEnrollInitOut) def mfa_enroll_init(db: Session = Depends(get_db), user=Depends(get_session_user)): if not user: raise HTTPException(status.HTTP_401_UNAUTHORIZED) if user.mfa_enabled: raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="MFA is already enabled.") # A fresh secret each time enrollment is (re)started keeps a stale/abandoned # QR code from ever being usable later. user.mfa_secret = mfa.generate_secret() db.commit() uri = mfa.provisioning_uri(user.mfa_secret, user.email) return schemas.MfaEnrollInitOut(qr_data_url=mfa.qr_data_url(uri), secret=user.mfa_secret) @router.post("/mfa/enroll/verify") def mfa_enroll_verify( payload: schemas.MfaEnrollVerifyRequest, db: Session = Depends(get_db), user=Depends(get_session_user), ): if not user: raise HTTPException(status.HTTP_401_UNAUTHORIZED) if user.mfa_enabled: raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="MFA is already enabled.") if not mfa.verify_code(user.mfa_secret, payload.code): raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="Invalid code. Try again.") user.mfa_enabled = True log_audit(db, tenant_id=user.tenant_id, user_id=user.id, action="mfa_enrolled") db.commit() return {"status": "ok"} @router.post("/mfa/disable") def mfa_disable_submit( payload: schemas.MfaDisableRequest, db: Session = Depends(get_db), user=Depends(get_session_user), ): if not user: raise HTTPException(status.HTTP_401_UNAUTHORIZED) if not verify_password(payload.current_password, user.hashed_password): raise HTTPException(status.HTTP_400_BAD_REQUEST, detail="Current password is incorrect.") user.mfa_enabled = False user.mfa_secret = None log_audit(db, tenant_id=user.tenant_id, user_id=user.id, action="mfa_disabled") db.commit() return {"status": "ok"} |