how to pull from database and verify?

[P3trol]

using flask i have stored the secret but i am unable to verify it once its stored in the db ?

@auth.route('/login' , methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        otp = int(request.form.get("otp"))
        secret = request.form.get("secret")

        user = User.query.filter_by(username=username).first()

        if user:
            if check_password_hash(user.password, password) and pyotp.TOTP(secret).verify(otp):
                flash('Logged in successfully!', category='success')
                login_user(user, remember=True)
                return redirect(url_for('views.home'))
            else:
                flash('Incorrect password/OTP, try again.', category='error')
        else:
            flash('username does not exist.', category='error')

    return render_template("login.html", user = current_user)

[kislyuk]

It looks like you do not understand the security model of the HOTP/TOTP protocol. It is dangerous to you and your users if you implement security features without understanding the underlying security model.

Open MFA standards are defined in RFC 4226 (HOTP: An HMAC-Based One-Time Password Algorithm) and in RFC 6238 (TOTP: Time-Based One-Time Password Algorithm). PyOTP implements server-side support for both of these standards. Client-side support can be enabled by sending authentication codes to users over SMS or email (HOTP) or, for TOTP, by instructing users to use Google Authenticator, Authy, or another compatible app. Users can set up auth tokens in their apps easily by using their phone camera to scan otpauth:// QR codes provided by PyOTP.

Implementers should read and follow the HOTP security requirements and TOTP security considerations sections of the relevant RFCs.