pypi
diff --git a/‎dev/environment‎
Lines changed: 1 addition & 0 deletions b/‎dev/environment‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/common/db/accounts.py‎
Lines changed: 10 additions & 0 deletions b/‎tests/common/db/accounts.py‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎tests/conftest.py‎
Lines changed: 1 addition & 0 deletions b/‎tests/conftest.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/functional/manage/test_account_publishing.py‎
Lines changed: 9 additions & 1 deletion b/‎tests/functional/manage/test_account_publishing.py‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎tests/functional/manage/test_organization_publishing.py‎
Lines changed: 15 additions & 1 deletion b/‎tests/functional/manage/test_organization_publishing.py‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎tests/functional/manage/test_project_publishing.py‎
Lines changed: 9 additions & 1 deletion b/‎tests/functional/manage/test_project_publishing.py‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎tests/functional/manage/test_views.py‎
Lines changed: 6 additions & 1 deletion b/‎tests/functional/manage/test_views.py‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎tests/functional/test_login.py‎
Lines changed: 86 additions & 0 deletions b/‎tests/functional/test_login.py‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎tests/unit/accounts/test_core.py‎
Lines changed: 5 additions & 0 deletions b/‎tests/unit/accounts/test_core.py‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎tests/unit/accounts/test_models.py‎
Lines changed: 19 additions & 1 deletion b/‎tests/unit/accounts/test_models.py‎
Lines changed: 19 additions & 1 deletion
@@ -59,6 +59,7 @@ TOKEN_PASSWORD_SECRET="an insecure password reset secret key"
 TOKEN_EMAIL_SECRET="an insecure email verification secret key"
 TOKEN_TWO_FACTOR_SECRET="an insecure two-factor auth secret key"
 TOKEN_REMEMBER_DEVICE_SECRET="an insecure remember device auth secret key"
+TOKEN_CONFIRM_LOGIN_SECRET="an insecure confirm login auth secret key"
 
 WAREHOUSE_LEGACY_DOMAIN=pypi.python.org
 
 
@@ -14,8 +14,10 @@
     TermsOfServiceEngagement,
     User,
     UserTermsOfServiceEngagement,
+    UserUniqueLogin,
 )
 
+from ...common.constants import REMOTE_ADDR
 from .base import WarehouseFactory
 
 fake = faker.Faker()
@@ -130,3 +132,11 @@ class Meta:
     # TODO: Replace when factory_boy supports `unique`.
     #  See https://github.com/FactoryBoy/factory_boy/pull/997
     name = factory.Sequence(lambda _: fake.unique.user_name())
+
+
+class UserUniqueLoginFactory(WarehouseFactory):
+    class Meta:
+        model = UserUniqueLogin
+
+    user = factory.SubFactory(UserFactory)
+    ip_address = REMOTE_ADDR
@@ -313,6 +313,7 @@ def get_app_config(database, nondefaults=None):
         "warehouse.prevent_esi": True,
         "warehouse.token": "insecure token",
         "warehouse.ip_salt": "insecure salt",
+        "token.confirm_login.secret": "insecure token",
         "camo.url": "http://localhost:9000/",
         "camo.key": "insecure key",
         "celery.broker_redis_url": "redis://localhost:0/",
 
@@ -7,7 +7,9 @@
 import pytest
 import responses
 
-from tests.common.db.accounts import UserFactory
+from tests.common.constants import REMOTE_ADDR
+from tests.common.db.accounts import UserFactory, UserUniqueLoginFactory
+from warehouse.accounts.models import UniqueLoginStatus
 from warehouse.utils.otp import _get_totp
 
 
@@ -25,6 +27,9 @@ def test_add_pending_github_publisher_succeeds(self, webtest):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
         # Create a response from GitHub API for owner details
         # during form submission validation.
         responses.add(
@@ -101,6 +106,9 @@ def test_add_pending_gitlab_publisher_succeeds(self, webtest):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
 
         # Act: Log in
         login_page = webtest.get("/account/login/", status=HTTPStatus.OK)
 
@@ -7,8 +7,10 @@
 import pytest
 import responses
 
-from tests.common.db.accounts import UserFactory
+from tests.common.constants import REMOTE_ADDR
+from tests.common.db.accounts import UserFactory, UserUniqueLoginFactory
 from tests.common.db.organizations import OrganizationFactory, OrganizationRoleFactory
+from warehouse.accounts.models import UniqueLoginStatus
 from warehouse.organizations.models import OrganizationRoleType
 from warehouse.utils.otp import _get_totp
 
@@ -27,6 +29,9 @@ def test_add_pending_github_publisher_to_organization(self, webtest):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
         organization = OrganizationFactory.create(name="test-organization")
         OrganizationRoleFactory.create(
             user=user,
@@ -109,6 +114,9 @@ def test_add_pending_gitlab_publisher_to_organization(self, webtest):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
         organization = OrganizationFactory.create(name="test-organization")
         OrganizationRoleFactory.create(
             user=user,
@@ -180,6 +188,9 @@ def test_add_pending_google_publisher_to_organization(self, webtest):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
         organization = OrganizationFactory.create(name="test-organization")
         OrganizationRoleFactory.create(
             user=user,
@@ -249,6 +260,9 @@ def test_add_pending_activestate_publisher_to_organization(self, webtest):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
         organization = OrganizationFactory.create(name="test-organization")
         OrganizationRoleFactory.create(
             user=user,
 
@@ -7,8 +7,10 @@
 import pytest
 import responses
 
-from tests.common.db.accounts import UserFactory
+from tests.common.constants import REMOTE_ADDR
+from tests.common.db.accounts import UserFactory, UserUniqueLoginFactory
 from tests.common.db.packaging import ProjectFactory, RoleFactory
+from warehouse.accounts.models import UniqueLoginStatus
 from warehouse.utils.otp import _get_totp
 
 
@@ -28,6 +30,9 @@ def test_add_github_publisher_to_existing_project(self, webtest):
         )
         project = ProjectFactory.create(name="existing-project")
         RoleFactory.create(user=user, project=project, role_name="Owner")
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
 
         # Mock GitHub API for owner validation
         responses.add(
@@ -105,6 +110,9 @@ def test_add_gitlab_publisher_to_existing_project(self, webtest):
         )
         project = ProjectFactory.create(name="gitlab-project")
         RoleFactory.create(user=user, project=project, role_name="Owner")
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
 
         # Act: Log in
         login_page = webtest.get("/account/login/", status=HTTPStatus.OK)
 
@@ -10,14 +10,16 @@
 
 from webob.multidict import MultiDict
 
+from tests.common.constants import REMOTE_ADDR
 from warehouse.accounts.interfaces import IPasswordBreachedService, IUserService
+from warehouse.accounts.models import UniqueLoginStatus
 from warehouse.manage import views
 from warehouse.manage.views import organizations as org_views
 from warehouse.organizations.interfaces import IOrganizationService
 from warehouse.organizations.models import OrganizationType
 from warehouse.utils.otp import _get_totp
 
-from ...common.db.accounts import EmailFactory, UserFactory
+from ...common.db.accounts import EmailFactory, UserFactory, UserUniqueLoginFactory
 
 
 class TestManageAccount:
@@ -52,6 +54,9 @@ def test_changing_password_succeeds(self, webtest, socket_enabled):
             with_terms_of_service_agreement=True,
             clear_pwd="password",
         )
+        UserUniqueLoginFactory.create(
+            user=user, ip_address=REMOTE_ADDR, status=UniqueLoginStatus.CONFIRMED
+        )
 
         # visit login page
         login_page = webtest.get("/account/login/", status=HTTPStatus.OK)
 
@@ -0,0 +1,86 @@
+# SPDX-License-Identifier: Apache-2.0
+
+import time
+
+from http import HTTPStatus
+
+from tests.common.db.accounts import UserFactory
+from warehouse.accounts.models import UniqueLoginStatus, UserUniqueLogin
+from warehouse.utils.otp import _get_totp
+
+
+def test_unrecognized_login_with_totp(webtest):
+    """
+    Tests that a user with TOTP logging in from an unrecognized IP address
+    is required to confirm their email address.
+    """
+
+    # Arrange: Create a user with a verified email and TOTP enabled
+    user = UserFactory.create(
+        with_verified_primary_email=True,
+        clear_pwd="password",
+    )
+
+    # Act 1: Go to the login page
+    login_page = webtest.get("/account/login/")
+    assert login_page.status_code == HTTPStatus.OK
+
+    # Fill out the login form and submit it
+    login_form = login_page.forms["login-form"]
+    login_form["username"] = user.username
+    login_form["password"] = "password"
+    resp = login_form.submit()
+
+    # We should be redirected to the two-factor authentication page
+    assert resp.status_code == HTTPStatus.SEE_OTHER
+    assert resp.headers["Location"].startswith("http://localhost/account/two-factor/")
+    two_factor_page = resp.follow()
+    assert "Two-factor authentication" in two_factor_page
+
+    # This is the first time we're logging in from this IP, so we should
+    # be redirected to the "unrecognized login" page after submitting the
+    # TOTP code.
+    two_factor_form = two_factor_page.forms["totp-auth-form"]
+    two_factor_form["totp_value"] = (
+        _get_totp(user.totp_secret).generate(time.time()).decode()
+    )
+    resp = two_factor_form.submit()
+
+    assert resp.status_code == HTTPStatus.SEE_OTHER
+    assert resp.headers["Location"].endswith("/account/confirm-login/")
+    unrecognized_page = resp.follow()
+    assert "Unrecognized device" in unrecognized_page
+
+    # This is a hack because the functional test doesn't have another way to
+    # determine the magic link that was sent in the email. Instead, find the
+    # UserUniqueLogin that was created for this user and manually confirm it
+    db_session = webtest.extra_environ["warehouse.db_session"]
+    unique_login = (
+        db_session.query(UserUniqueLogin).filter(UserUniqueLogin.user == user).one()
+    )
+    assert unique_login.status == UniqueLoginStatus.PENDING
+    unique_login.status = UniqueLoginStatus.CONFIRMED
+    db_session.commit()
+
+    # Act 2: Try to log in again
+    login_page = webtest.get("/account/login/")
+    login_form = login_page.forms["login-form"]
+    login_form["username"] = user.username
+    login_form["password"] = "password"
+    resp = login_form.submit()
+
+    # We should be redirected to the two-factor authentication page
+    assert resp.status_code == HTTPStatus.SEE_OTHER
+    assert resp.headers["Location"].startswith("http://localhost/account/two-factor/")
+    two_factor_page = resp.follow()
+    assert "Two-factor authentication" in two_factor_page
+
+    # Fill out the TOTP form and submit it
+    two_factor_form = two_factor_page.forms["totp-auth-form"]
+    two_factor_form["totp_value"] = (
+        _get_totp(user.totp_secret).generate(time.time()).decode()
+    )
+
+    # We should be able to successfully log in
+    logged_in = two_factor_form.submit().follow(status=HTTPStatus.OK)
+    assert logged_in.html.find("title", string="Warehouse · The Python Package Index")
@@ -167,6 +167,11 @@ def test_includeme(monkeypatch):
         pretend.call(
             TokenServiceFactory(name="two_factor"), ITokenService, name="two_factor"
         ),
+        pretend.call(
+            TokenServiceFactory(name="confirm_login"),
+            ITokenService,
+            name="confirm_login",
+        ),
         pretend.call(
             TokenServiceFactory(name="remember_device"),
             ITokenService,
 
@@ -7,14 +7,21 @@
 
 from pyramid.authorization import Authenticated
 
-from warehouse.accounts.models import Email, RecoveryCode, User, UserFactory, WebAuthn
+from warehouse.accounts.models import (
+    Email,
+    RecoveryCode,
+    User,
+    UserFactory,
+    WebAuthn,
+)
 from warehouse.authnz import Permissions
 from warehouse.utils.security_policy import principals_for
 
 from ...common.db.accounts import (
     EmailFactory as DBEmailFactory,
     UserEventFactory as DBUserEventFactory,
     UserFactory as DBUserFactory,
+    UserUniqueLoginFactory,
 )
 from ...common.db.packaging import (
     ProjectFactory as DBProjectFactory,
@@ -309,3 +316,14 @@ def test_user_projects_is_ordered_by_name(self, db_session):
         DBRoleFactory.create(project=project3, user=user)
 
         assert user.projects == [project2, project3, project1]
+
+
+class TestUserUniqueLogin:
+    def test_repr(self, db_session):
+        unique_login = UserUniqueLoginFactory.create()
+        assert (
+            repr(unique_login)
+            == f"<UserUniqueLogin(user={unique_login.user.username!r}, "
+            f"ip_address={unique_login.ip_address!r}, "
+            f"status={unique_login.status!r})>"
+        )