From 04d4b1b3e7a64038274558e31848ece4358a5a45 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Fri, 19 Dec 2025 12:28:25 -0600
Subject: [PATCH 01/13] bump: clean up, bump deps

---
 config.env.py                       |  12 +-
 docker-compose.yaml                 |   6 +-
 requirements.dev                    |  22 --
 requirements.in                     |  19 ++
 requirements.txt                    | 330 ++++++++++++++++++++--------
 selfservice/__init__.py             |  10 +-
 selfservice/blueprints/recovery.py  |   4 +-
 selfservice/models.py               |   6 +-
 selfservice/templates/recovery.html |   2 +-
 9 files changed, 276 insertions(+), 135 deletions(-)
 delete mode 100644 requirements.dev
 create mode 100644 requirements.in

diff --git a/config.env.py b/config.env.py
index e510b81..cfb8823 100644
--- a/config.env.py
+++ b/config.env.py
@@ -35,12 +35,12 @@
 )
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 
-RECAPTCHA_ENABLED = True
-RECAPTCHA_SITE_KEY = os.environ.get("RECAPTCHA_SITE_KEY", "")
-RECAPTCHA_SECRET_KEY = os.environ.get("RECAPTCHA_SECRET_KEY", "")
-RECAPTCHA_THEME = "light"
-RECAPTCHA_TYPE = "image"
-RECAPTCHA_SIZE = "normal"
+XCAPTCHA_ENABLED = True
+XCAPTCHA_SITE_KEY = os.environ.get("XCAPTCHA_SITE_KEY", "")
+XCAPTCHA_SECRET_KEY = os.environ.get("XCAPTCHA_SECRET_KEY", "")
+XCAPTCHA_THEME = "light"
+XCAPTCHA_TYPE = "image"
+XCAPTCHA_SIZE = "normal"
 
 TWILIO_SID = os.environ.get("TWILIO_SID", "")
 TWILIO_TOKEN = os.environ.get("TWILIO_TOKEN", "")
diff --git a/docker-compose.yaml b/docker-compose.yaml
index e088131..fbc8ff6 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,7 +1,7 @@
 version: '2'
 services:
     postgres:
-        image: postgres:9.6
+        image: docker.io/postgres:9.6
         container_name: selfservice-postgres
         restart: always
         volumes:
@@ -12,7 +12,7 @@ services:
         ports:
             - 127.0.0.1:5433:5432
     phppgadmin:
-        image: bitnami/phppgadmin:latest
+        image: docker.io/dockage/phppgadmin:latest
         container_name: selfservice-pgadmin
         links:
             - postgres
@@ -22,4 +22,4 @@ services:
         restart: always
         ports:
             - 127.0.0.1:8081:8080
-            - 127.0.0.1:8444:8443
\ No newline at end of file
+            - 127.0.0.1:8444:8443
diff --git a/requirements.dev b/requirements.dev
deleted file mode 100644
index 8394dae..0000000
--- a/requirements.dev
+++ /dev/null
@@ -1,22 +0,0 @@
-beautifulsoup4
-black
-bs4
-csh-ldap>=2.2.0
-dill
-dnspython<2.0.0
-Flask
-Flask-Limiter
-Flask-Migrate
-Flask-pyoidc
-Flask-QRcode
-Flask-ReCaptcha
-Flask-SQLAlchemy
-psycopg2
-pylint
-python-freeipa
-python-keycloak
-qrcode
-requests
-sentry-sdk[flask]~=0.13.1
-srvlookup
-twillio
\ No newline at end of file
diff --git a/requirements.in b/requirements.in
new file mode 100644
index 0000000..22a14fc
--- /dev/null
+++ b/requirements.in
@@ -0,0 +1,19 @@
+Flask~=3.1.2
+Flask-pyoidc~=3.14.3
+Flask-Migrate~=4.1.0
+Flask-SQLAlchemy~=3.1.1
+Flask-Limiter~=4.1.1
+Flask-QRcode~=3.2.0
+Flask-xCaptcha~=0.5.5
+srvlookup~=3.0.0
+csh-ldap @ git+https://github.com/costowell/csh_ldap@cole-dev
+python-freeipa~=1.0.10
+python-keycloak~=5.8.1
+sentry-sdk[Flask]
+psycopg2-binary~=2.9.11
+twilio~=9.9.0
+pyotp~=2.9.0
+dill~=0.4.0
+beautifulsoup4~=4.14.3
+passlib~=1.7.4
+xkcdpass~=1.20.0
diff --git a/requirements.txt b/requirements.txt
index ee9be7c..ebe8767 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,93 +1,237 @@
-alabaster==0.7.10
-alembic==0.9.9
-appdirs==1.4.3
-asn1crypto==0.24.0
-aspy.yaml==1.1.1
-astroid==2.4.2
-attrs==18.1.0
-Beaker==1.9.1
-beautifulsoup4==4.9.1
-black==20.8b1
-blinker==1.4
-bs4==0.0.1
-cached-property==1.4.2
-certifi==2018.4.16
-cffi==1.13.2
-cfgv==1.0.0
-chardet==3.0.4
-click==7.1.2
-cryptography==3.2
-csh-ldap==2.3.1
-dataclasses==0.7
-defusedxml==0.6.0
-dill==0.3.2
-distlib==0.3.1
-dnspython==1.16.0
-ecdsa==0.13.3
-filelock==3.0.12
-Flask==1.1.2
-Flask-Limiter==1.4
-Flask-Migrate==2.5.3
-Flask-pyoidc==3.5.1
-Flask-QRcode==3.0.0
-Flask-ReCaptcha==0.4.2
-Flask-SQLAlchemy==2.4.4
-future==0.16.0
-gunicorn==19.8.1
-httmock==1.2.5
-identify==1.0.18
-idna==2.6
-importlib-metadata==1.7.0
-importlib-resources==3.3.0
-isort==4.3.4
-itsdangerous==0.24
-Jinja2==2.10.1
-lazy-object-proxy==1.4.3
-limits==1.3
-Mako==1.0.7
-MarkupSafe==1.0
-mccabe==0.6.1
-mypy-extensions==0.4.3
-nodeenv==1.3.0
-oic==1.1.2
-passlib==1.7.1
-pathspec==0.8.0
-Pillow==6.2.2
-pre-commit==1.10.1
-psycopg2==2.8.5
-pyasn1==0.4.2
-pyasn1-modules==0.2.1
-pycparser==2.18
-pycrypto==2.6.1
-pycryptodomex==3.6.1
-pyjwkest==1.4.0
-PyJWT==1.7.1
-pylint==2.6.0
-pyOpenSSL==18.0.0
-pyotp==2.2.6
-python-dateutil==2.7.3
-python-editor==1.0.3
-python-freeipa==1.0.6
-python-jose==1.4.0
-python-keycloak==0.22.0
-python-ldap~=3.0.0
-pytz==2020.1
-PyYAML==5.4.1
-qrcode==6.1
-regex==2020.7.14
-requests==2.24.0
-sentry-sdk==0.13.5
-six==1.12.0
-soupsieve==2.0.1
-SQLAlchemy==1.3.0
-srvlookup==2.0.0
-toml==0.10.1
-twilio==6.45.1
-typed-ast==1.4.1
-typing-extensions==3.7.4.3
-urllib3==1.24.2
-virtualenv==16.0.0
-Werkzeug==0.15.3
-wrapt==1.11.2
-xkcdpass==1.16.5
-zipp==3.1.0
+# This file was autogenerated by uv via the following command:
+#    uv pip compile requirements.in
+aiofiles==25.1.0
+    # via python-keycloak
+aiohappyeyeballs==2.6.1
+    # via aiohttp
+aiohttp==3.13.2
+    # via
+    #   aiohttp-retry
+    #   twilio
+aiohttp-retry==2.9.1
+    # via twilio
+aiosignal==1.4.0
+    # via aiohttp
+alembic==1.17.2
+    # via flask-migrate
+annotated-types==0.7.0
+    # via pydantic
+anyio==4.12.0
+    # via httpx
+async-property==0.2.2
+    # via python-keycloak
+attrs==25.4.0
+    # via aiohttp
+beautifulsoup4==4.14.3
+    # via -r requirements.in
+blinker==1.9.0
+    # via
+    #   flask
+    #   sentry-sdk
+certifi==2025.11.12
+    # via
+    #   httpcore
+    #   httpx
+    #   requests
+    #   sentry-sdk
+cffi==2.0.0
+    # via cryptography
+charset-normalizer==3.4.4
+    # via requests
+click==8.3.1
+    # via flask
+cryptography==46.0.3
+    # via
+    #   jwcrypto
+    #   oic
+csh-ldap @ git+https://github.com/costowell/csh_ldap@dbc3193482615b4cd52c5d1fb260662ec8157ace
+    # via -r requirements.in
+defusedxml==0.7.1
+    # via oic
+deprecated==1.3.1
+    # via limits
+deprecation==2.1.0
+    # via python-keycloak
+dill==0.4.0
+    # via -r requirements.in
+dnspython==2.8.0
+    # via srvlookup
+flask==3.1.2
+    # via
+    #   -r requirements.in
+    #   flask-limiter
+    #   flask-migrate
+    #   flask-pyoidc
+    #   flask-qrcode
+    #   flask-sqlalchemy
+    #   flask-xcaptcha
+    #   sentry-sdk
+flask-limiter==4.1.1
+    # via -r requirements.in
+flask-migrate==4.1.0
+    # via -r requirements.in
+flask-pyoidc==3.14.3
+    # via -r requirements.in
+flask-qrcode==3.2.0
+    # via -r requirements.in
+flask-sqlalchemy==3.1.1
+    # via
+    #   -r requirements.in
+    #   flask-migrate
+flask-xcaptcha==0.5.5
+    # via -r requirements.in
+frozenlist==1.8.0
+    # via
+    #   aiohttp
+    #   aiosignal
+future==1.0.0
+    # via pyjwkest
+greenlet==3.3.0
+    # via sqlalchemy
+h11==0.16.0
+    # via httpcore
+httpcore==1.0.9
+    # via httpx
+httpx==0.28.1
+    # via python-keycloak
+idna==3.11
+    # via
+    #   anyio
+    #   httpx
+    #   requests
+    #   yarl
+importlib-resources==6.5.2
+    # via flask-pyoidc
+itsdangerous==2.2.0
+    # via flask
+jinja2==3.1.6
+    # via flask
+jwcrypto==1.5.6
+    # via python-keycloak
+limits==5.6.0
+    # via flask-limiter
+mako==1.3.10
+    # via
+    #   alembic
+    #   oic
+markupsafe==3.0.3
+    # via
+    #   flask
+    #   flask-xcaptcha
+    #   jinja2
+    #   mako
+    #   sentry-sdk
+    #   werkzeug
+multidict==6.7.0
+    # via
+    #   aiohttp
+    #   yarl
+oic==1.6.1
+    # via flask-pyoidc
+ordered-set==4.1.0
+    # via flask-limiter
+packaging==25.0
+    # via
+    #   deprecation
+    #   limits
+passlib==1.7.4
+    # via -r requirements.in
+pillow==12.0.0
+    # via flask-qrcode
+propcache==0.4.1
+    # via
+    #   aiohttp
+    #   yarl
+psycopg2-binary==2.9.11
+    # via -r requirements.in
+pyasn1==0.6.1
+    # via
+    #   pyasn1-modules
+    #   python-ldap
+pyasn1-modules==0.4.2
+    # via python-ldap
+pycparser==2.23
+    # via cffi
+pycryptodomex==3.23.0
+    # via
+    #   oic
+    #   pyjwkest
+pydantic==2.12.5
+    # via pydantic-settings
+pydantic-core==2.41.5
+    # via pydantic
+pydantic-settings==2.12.0
+    # via oic
+pyjwkest==1.4.4
+    # via oic
+pyjwt==2.10.1
+    # via twilio
+pyotp==2.9.0
+    # via -r requirements.in
+python-dotenv==1.2.1
+    # via pydantic-settings
+python-freeipa==1.0.10
+    # via -r requirements.in
+python-keycloak==5.8.1
+    # via -r requirements.in
+python-ldap==3.4.5
+    # via csh-ldap
+qrcode==8.2
+    # via flask-qrcode
+requests==2.32.5
+    # via
+    #   flask-pyoidc
+    #   flask-xcaptcha
+    #   oic
+    #   pyjwkest
+    #   python-freeipa
+    #   python-keycloak
+    #   requests-toolbelt
+    #   twilio
+requests-toolbelt==1.0.0
+    # via python-keycloak
+sentry-sdk==2.48.0
+    # via -r requirements.in
+six==1.17.0
+    # via pyjwkest
+soupsieve==2.8.1
+    # via beautifulsoup4
+sqlalchemy==2.0.45
+    # via
+    #   alembic
+    #   flask-sqlalchemy
+srvlookup==3.0.0
+    # via
+    #   -r requirements.in
+    #   csh-ldap
+twilio==9.9.0
+    # via -r requirements.in
+typing-extensions==4.15.0
+    # via
+    #   aiosignal
+    #   alembic
+    #   anyio
+    #   beautifulsoup4
+    #   flask-limiter
+    #   jwcrypto
+    #   limits
+    #   pydantic
+    #   pydantic-core
+    #   sqlalchemy
+    #   typing-inspection
+typing-inspection==0.4.2
+    # via
+    #   pydantic
+    #   pydantic-settings
+urllib3==2.6.2
+    # via
+    #   requests
+    #   sentry-sdk
+werkzeug==3.1.4
+    # via flask
+wrapt==2.0.1
+    # via deprecated
+xkcdpass==1.20.0
+    # via -r requirements.in
+yarl==1.22.0
+    # via aiohttp
diff --git a/selfservice/__init__.py b/selfservice/__init__.py
index f8e2889..ee47b63 100644
--- a/selfservice/__init__.py
+++ b/selfservice/__init__.py
@@ -13,7 +13,7 @@
 from flask import Flask, render_template, request, redirect, url_for, flash
 from flask_pyoidc.flask_pyoidc import OIDCAuthentication
 from flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata
-from flask_recaptcha import ReCaptcha
+from flask_xcaptcha import XCaptcha
 from flask_sqlalchemy import SQLAlchemy
 from python_freeipa import Client
 from flask_limiter import Limiter
@@ -52,9 +52,9 @@
 
 migrate = Migrate(app, db)
 
-# Create recaptcha object
-recaptcha = ReCaptcha()
-recaptcha.init_app(app)
+# Create xcaptcha object
+if app.config["XCAPTCHA_ENABLED"]:
+    xcaptcha = XCaptcha(app=app)
 
 # OIDC Initialization
 OIDC_PROVIDER = "csh"
@@ -77,7 +77,7 @@
 # Configure rate limiting
 if not app.config["DEBUG"]:
     limiter = Limiter(
-        app, key_func=get_remote_address, default_limits=["50 per day", "10 per hour"]
+        get_remote_address, app=app, default_limits=["50 per day", "10 per hour"]
     )
 
 # Initialize QR Code Generator
diff --git a/selfservice/blueprints/recovery.py b/selfservice/blueprints/recovery.py
index 1efbb1b..addc6ba 100644
--- a/selfservice/blueprints/recovery.py
+++ b/selfservice/blueprints/recovery.py
@@ -18,7 +18,7 @@
 from selfservice.utilities.ldap import verif_methods, get_members
 
 from selfservice.models import RecoverySession, PhoneVerification, ResetToken
-from selfservice import db, auth, recaptcha, ldap, version, OIDC_PROVIDER
+from selfservice import db, auth, xcaptcha, ldap, version, OIDC_PROVIDER
 
 LOG = logging.getLogger(__name__)
 
@@ -35,7 +35,7 @@ def create_session():
     if request.method == "GET":
         return render_template("recovery.html", version=version)
 
-    if recaptcha.verify():
+    if xcaptcha.verify():
 
         # If we can't find an account, flash error.
         try:
diff --git a/selfservice/models.py b/selfservice/models.py
index 7e73bc5..e7f9916 100644
--- a/selfservice/models.py
+++ b/selfservice/models.py
@@ -9,7 +9,7 @@
     ForeignKey,
     DateTime,
     Boolean,
-    Binary,
+    LargeBinary,
     func,
 )
 from selfservice import db
@@ -62,8 +62,8 @@ class OTPSession(db.Model):
 
     __tablename__ = "otp_session"
     secret = Column(String(100), primary_key=True)
-    form = Column(Binary)
-    session = Column(Binary)
+    form = Column(LargeBinary)
+    session = Column(LargeBinary)
 
 
 class AppSpecificPassword(db.Model):
diff --git a/selfservice/templates/recovery.html b/selfservice/templates/recovery.html
index 6d186b1..743eb2f 100644
--- a/selfservice/templates/recovery.html
+++ b/selfservice/templates/recovery.html
@@ -17,7 +17,7 @@ <h3 class="card-title">Account Recovery</h3>
 		</p>
 		<form action="/recovery" method="post">
 			<input type="text" class="form-control mb-2" id="username" name="username" placeholder="CSH Username">
-			{{recaptcha}}
+			{{xcaptcha}}
 			<div style="width: 100%; text-align: right;">
 				<button type="submit" class="btn btn-info mt-2">
 					Next <i class="fas fa-chevron-right"></i>

From b910ebf52fc5a4a0539554010f9d933b6f86fd60 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 14:40:26 -0500
Subject: [PATCH 02/13] feat: switch to using custom keycloak API

---
 selfservice/blueprints/otp.py     |  40 +++-----
 selfservice/utilities/keycloak.py | 157 +++++++++++++++++++-----------
 selfservice/utilities/ldap.py     |   5 +
 3 files changed, 117 insertions(+), 85 deletions(-)

diff --git a/selfservice/blueprints/otp.py b/selfservice/blueprints/otp.py
index d17ce04..cf46510 100644
--- a/selfservice/blueprints/otp.py
+++ b/selfservice/blueprints/otp.py
@@ -12,14 +12,14 @@
 
 from selfservice.utilities.keycloak import (
     OTPConfigError,
-    create_kc_otp,
-    confirm_kc_otp,
+    get_kc_otp_is_registered,
+    generate_kc_otp,
+    register_kc_otp,
     OTPAlreadyConfigured,
     delete_kc_otp,
 )
-from selfservice.utilities.ldap import create_ipa_otp, delete_ipa_otp
+from selfservice.utilities.ldap import create_ipa_otp, has_ipa_otp, delete_ipa_otp
 from selfservice.utilities.app_passwd import set_app_passwd, delete_app_passwd
-from selfservice.models import OTPSession
 from selfservice import version, auth, db, OIDC_PROVIDER
 
 otp_bp = Blueprint("otp", __name__)
@@ -39,19 +39,13 @@ def enable():
     otp_code = request.form.get("otp-code", default="")
 
     if request.method == "GET":
-        try:
-            session, form_data, secret = create_kc_otp(username)
-
-            save_session = OTPSession(
-                secret=secret,
-                form=pickle.dumps(form_data),
-                session=pickle.dumps(session),
-            )
-            db.session.add(save_session)
-            db.session.commit()
-        except OTPAlreadyConfigured:
+        # If already registered *somewhere*
+        print(get_kc_otp_is_registered(username))
+        print(has_ipa_otp(username))
+        if get_kc_otp_is_registered(username) or has_ipa_otp(username):
             return render_template("otp.html", version=version, configured=True)
 
+        secret = generate_kc_otp(username)
         otp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
             "{}@csh.rit.edu".format(username), issuer_name="CSH"
         )
@@ -60,31 +54,25 @@ def enable():
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )
 
-    otp_session = OTPSession.query.filter_by(secret=secret).first()
-
-    if not secret or not otp_session:
+    if not secret:
         flash("Invalid secret provided. Please try again.")
         return redirect("/otp")
     if not otp_code:
         flash("No one time password provided. Please scan the code and try again.")
         return redirect("/otp".format(secret))
 
-    session = pickle.loads(otp_session.session)
-    form = pickle.loads(otp_session.form)
-
     try:
-        confirm_kc_otp(session, form)
+        register_kc_otp(username, secret, otp_code)
     except OTPConfigError:
         flash("Invalid one time code provided or session expired.")
         return redirect("/otp")
+    except OTPAlreadyConfigured:
+        flash("2FA already configured.")
+        return redirect("/otp")
 
     create_ipa_otp(username, secret)
     app_passwd = set_app_passwd(username)
 
-    # Clean up used session data
-    OTPSession.query.filter_by(secret=secret).delete()
-    db.session.commit()
-
     return render_template(
         "otp.html", version=version, configured=True, passwd=app_passwd
     )
diff --git a/selfservice/utilities/keycloak.py b/selfservice/utilities/keycloak.py
index 6030448..c68ad7c 100644
--- a/selfservice/utilities/keycloak.py
+++ b/selfservice/utilities/keycloak.py
@@ -6,7 +6,7 @@
 import logging
 
 from bs4 import BeautifulSoup
-from keycloak import KeycloakAdmin
+from keycloak import KeycloakAdmin, KeycloakOpenID
 import requests
 import pyotp
 
@@ -14,6 +14,14 @@
 
 LOG = logging.getLogger(__name__)
 
+DEVICE_NAME = "SelfService"
+
+class OTPNotConfigured(Exception):
+    """
+    Error for accounts who don't have OTP configured.
+    """
+
+    pass
 
 class OTPAlreadyConfigured(Exception):
     """
@@ -40,7 +48,7 @@ def generate_otp(secret):
     return code
 
 
-def get_kc_cookies(username):
+def get_kc_user_id(username):
     """
     Login as Keycloak Admin and Impersonate User
 
@@ -59,46 +67,52 @@ def get_kc_cookies(username):
         "admin/realms/csh/users?first=0&max=20&search={}@csh.rit.edu".format(username)
     )
     user_id = json.loads(user.text)[0]["id"]
-    imp = conn.raw_post(
-        "admin/realms/csh/users/{}/impersonation".format(user_id),
-        data=json.dumps({"user": user_id, "realm": "csh"}),
+    return user_id
+
+def get_kc_service_account_token():
+    """
+    Get an auth token for the OIDC client's associated service account
+    """
+
+    keycloak_openid = KeycloakOpenID(
+        server_url="https://sso.csh.rit.edu/auth/",
+        realm_name="csh",
+        client_id=app.config["OIDC_CLIENT_CONFIG"]["client_id"],
+        client_secret_key=app.config["OIDC_CLIENT_CONFIG"]["client_secret"],
+        verify=True
     )
-    return imp.cookies
+    token = keycloak_openid.token(grant_type="client_credentials")
+    return token["access_token"]
+
+def get_kc_otp_is_registered(username):
+    user_id = get_kc_user_id(username)
+    token = get_kc_service_account_token()
+    response = requests.get(
+        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/isRegistered/{DEVICE_NAME}",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    return response.ok
 
 
-def create_kc_otp(username):
+def generate_kc_otp(username):
     """
     Use session to generate a OTP Secret
 
     Keyword arguments:
     username -- Username of account to generate secret for
     """
-    session = requests.Session()
-    session.cookies = get_kc_cookies(username)
-    page = session.get(
-        "https://sso.csh.rit.edu/auth/realms/csh/account/totp?mode=manual"
-    )
-
-    # Check if the user already has OTP configured
-    if "Configured Authenticators" in page.text:
-        raise OTPAlreadyConfigured
 
-    soup = BeautifulSoup(page.text, "html.parser")
-    key = soup.find("span", {"id": "kc-totp-secret-key"})
-    parsed_key = key.text.replace(" ", "")
-    state_checker = soup.find("input", {"id": "stateChecker"}).get("value")
-    secret = soup.find("input", {"id": "totpSecret"}).get("value")
-    form_data = {
-        "userLabel": "Self-Service TOTP",
-        "stateChecker": state_checker,
-        "totp": generate_otp(parsed_key),
-        "totpSecret": secret,
-        "submitAction": "Save",
-    }
-    return session, form_data, parsed_key
+    user_id = get_kc_user_id(username)
+    token = get_kc_service_account_token()
+    response = requests.get(
+        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/generate",
+        headers={"Authorization": f"Bearer {token}"}
+    )
+    response.raise_for_status()
+    return response.json()['encodedSecret']
 
 
-def confirm_kc_otp(session, form_data):
+def register_kc_otp(username, secret, otp_code):
     """
     Confirm the key given by the user.
 
@@ -106,14 +120,36 @@ def confirm_kc_otp(session, form_data):
     session -- Session object with Keycloak cookies
     form_data -- Form validation information
     """
-    save = session.post(
-        "https://sso.csh.rit.edu/auth/realms/csh/account/totp", data=form_data
+    user_id = get_kc_user_id(username)
+    token = get_kc_service_account_token()
+
+    response = requests.post(
+        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/register",
+        headers={
+            "Authorization": f"Bearer {token}",
+            "Content-Type": "application/json"
+        },
+        json={
+            "encodedSecret": secret,
+            "initialCode": otp_code,
+            "deviceName": DEVICE_NAME,
+            "overwrite": False
+        }
     )
-
-    if "Configured Authenticators" not in save.text:
-        raise OTPConfigError
-
-
+    resp = response.json()
+
+    if "message" in resp:
+        match resp["message"]:
+            case "TOTP credential already exists":
+                raise OTPAlreadyConfigured()
+            case "Invalid secret":
+                raise OTPConfigError()
+            case "Invalid request":
+                raise OTPConfigError()
+
+    if not response.ok:
+        app.logger.error(resp.text)
+        response.raise_for_status()
 def delete_kc_otp(username):
     """
     Remove two-factor information from Keycloak account
@@ -121,26 +157,29 @@ def delete_kc_otp(username):
     Keyword arguments:
     username -- Username of account to manipulate
     """
-    session = requests.Session()
-    session.cookies = get_kc_cookies(username)
-    page = session.get(
-        "https://sso.csh.rit.edu/auth/realms/csh/account/totp?mode=manual"
-    )
-    soup = BeautifulSoup(page.text, "html.parser")
-    state_checker = soup.find("input", {"id": "stateChecker"}).get("value")
-    credential_id = soup.find("input", {"id": "credentialId"}).get("value")
-    form_data = {
-        "credentialId": credential_id,
-        "stateChecker": state_checker,
-        "submitAction": "Delete",
-    }
-    delete = session.post(
-        "https://sso.csh.rit.edu/auth/realms/csh/account/totp", data=form_data
+    user_id = get_kc_user_id(username)
+    token = get_kc_service_account_token()
+
+    response = requests.post(
+        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/unregister",
+        headers={
+            "Authorization": f"Bearer {token}",
+            "Content-Type": "application/json"
+        },
+        json={
+            "deviceName": DEVICE_NAME,
+        }
     )
-    LOG.info(delete.text)
-    check = session.get(
-        "https://sso.csh.rit.edu/auth/realms/csh/account/totp?mode=manual"
-    )
-
-    if "Configured Authenticators" in check.text:
-        raise OTPConfigError
+    resp = response.json()
+
+    if "message" in resp:
+        print(resp)
+        match resp["message"]:
+            case "TOTP credential not found":
+                raise OTPNotConfigured()
+            case "Invalid request":
+                raise OTPConfigError()
+
+    if not response.ok:
+        app.logger.error(resp)
+        response.raise_for_status()
diff --git a/selfservice/utilities/ldap.py b/selfservice/utilities/ldap.py
index 9657061..709eb23 100644
--- a/selfservice/utilities/ldap.py
+++ b/selfservice/utilities/ldap.py
@@ -92,6 +92,11 @@ def create_ipa_otp(username, secret):
     data = {"ipatokenowner": username, "ipatokenotpkey": secret}
     ipa._request("otptoken_add", params=data)
 
+def has_ipa_otp(username):
+    ipa_login()
+    token_info = ipa._request("otptoken_find", params={"ipatokenowner": username})
+    return len(token_info["result"]) > 0
+
 
 def delete_ipa_otp(username):
     """

From dfdeffc8dc7f7f9927e6148b42a100e2fb2d60bc Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 14:40:47 -0500
Subject: [PATCH 03/13] fix: migration Binary -> LargeBinary

Name was changed in new version of SQLAlchemy
---
 migrations/versions/a83f363599a0_.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/migrations/versions/a83f363599a0_.py b/migrations/versions/a83f363599a0_.py
index 959c8e8..6441be0 100644
--- a/migrations/versions/a83f363599a0_.py
+++ b/migrations/versions/a83f363599a0_.py
@@ -20,8 +20,8 @@ def upgrade():
     # ### commands auto generated by Alembic - please adjust! ###
     op.create_table('otp_session',
     sa.Column('secret', sa.String(length=100), nullable=False),
-    sa.Column('form', sa.Binary(), nullable=True),
-    sa.Column('session', sa.Binary(), nullable=True),
+    sa.Column('form', sa.LargeBinary(), nullable=True),
+    sa.Column('session', sa.LargeBinary(), nullable=True),
     sa.PrimaryKeyConstraint('secret')
     )
     op.create_table('session',

From 6aa973cd297a353acd071ca8c3257eb9fe6acb65 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 14:45:14 -0500
Subject: [PATCH 04/13] fix: oops

---
 selfservice/utilities/keycloak.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/selfservice/utilities/keycloak.py b/selfservice/utilities/keycloak.py
index c68ad7c..e05a2c0 100644
--- a/selfservice/utilities/keycloak.py
+++ b/selfservice/utilities/keycloak.py
@@ -148,7 +148,7 @@ def register_kc_otp(username, secret, otp_code):
                 raise OTPConfigError()
 
     if not response.ok:
-        app.logger.error(resp.text)
+        app.logger.error(response.text)
         response.raise_for_status()
 def delete_kc_otp(username):
     """
@@ -173,7 +173,6 @@ def delete_kc_otp(username):
     resp = response.json()
 
     if "message" in resp:
-        print(resp)
         match resp["message"]:
             case "TOTP credential not found":
                 raise OTPNotConfigured()
@@ -181,5 +180,5 @@ def delete_kc_otp(username):
                 raise OTPConfigError()
 
     if not response.ok:
-        app.logger.error(resp)
+        app.logger.error(response.text)
         response.raise_for_status()

From ca5f82fe140ee38a4f291d4fcf8798317346a2d3 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 14:54:00 -0500
Subject: [PATCH 05/13] fix: handle invalid otp code, handle errors better

---
 selfservice/blueprints/otp.py     | 17 ++++++++++++++---
 selfservice/utilities/keycloak.py |  8 ++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/selfservice/blueprints/otp.py b/selfservice/blueprints/otp.py
index cf46510..b272b50 100644
--- a/selfservice/blueprints/otp.py
+++ b/selfservice/blueprints/otp.py
@@ -12,10 +12,11 @@
 
 from selfservice.utilities.keycloak import (
     OTPConfigError,
+    OTPInvalidCode,
+    OTPAlreadyConfigured,
     get_kc_otp_is_registered,
     generate_kc_otp,
     register_kc_otp,
-    OTPAlreadyConfigured,
     delete_kc_otp,
 )
 from selfservice.utilities.ldap import create_ipa_otp, has_ipa_otp, delete_ipa_otp
@@ -54,17 +55,27 @@ def enable():
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )
 
+    otp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
+        "{}@csh.rit.edu".format(username), issuer_name="CSH"
+    )
     if not secret:
         flash("Invalid secret provided. Please try again.")
         return redirect("/otp")
     if not otp_code:
         flash("No one time password provided. Please scan the code and try again.")
-        return redirect("/otp".format(secret))
+        return render_template(
+            "otp.html", version=version, otp_uri=otp_uri, secret=secret
+        )
 
     try:
         register_kc_otp(username, secret, otp_code)
+    except OTPInvalidCode:
+        flash("One time password provided did not match expected value. Please scan the code and try again.")
+        return render_template(
+            "otp.html", version=version, otp_uri=otp_uri, secret=secret
+        )
     except OTPConfigError:
-        flash("Invalid one time code provided or session expired.")
+        flash("Invalid secret, try again.")
         return redirect("/otp")
     except OTPAlreadyConfigured:
         flash("2FA already configured.")
diff --git a/selfservice/utilities/keycloak.py b/selfservice/utilities/keycloak.py
index e05a2c0..6a4e620 100644
--- a/selfservice/utilities/keycloak.py
+++ b/selfservice/utilities/keycloak.py
@@ -16,6 +16,12 @@
 
 DEVICE_NAME = "SelfService"
 
+class OTPInvalidCode(Exception):
+    """
+    Error when the initial code does not match expected. 
+    """
+    pass
+
 class OTPNotConfigured(Exception):
     """
     Error for accounts who don't have OTP configured.
@@ -140,6 +146,8 @@ def register_kc_otp(username, secret, otp_code):
 
     if "message" in resp:
         match resp["message"]:
+            case "Invalid initial TOTP code":
+                raise OTPInvalidCode()
             case "TOTP credential already exists":
                 raise OTPAlreadyConfigured()
             case "Invalid secret":

From 37f3277470c78cf96dcd1b1134b8aa11d261cce0 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 14:56:22 -0500
Subject: [PATCH 06/13] clean: replace with OIDC_ISSUER

---
 selfservice/utilities/keycloak.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/selfservice/utilities/keycloak.py b/selfservice/utilities/keycloak.py
index 6a4e620..adb03ca 100644
--- a/selfservice/utilities/keycloak.py
+++ b/selfservice/utilities/keycloak.py
@@ -94,7 +94,7 @@ def get_kc_otp_is_registered(username):
     user_id = get_kc_user_id(username)
     token = get_kc_service_account_token()
     response = requests.get(
-        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/isRegistered/{DEVICE_NAME}",
+        f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/isRegistered/{DEVICE_NAME}",
         headers={"Authorization": f"Bearer {token}"}
     )
     return response.ok
@@ -111,7 +111,7 @@ def generate_kc_otp(username):
     user_id = get_kc_user_id(username)
     token = get_kc_service_account_token()
     response = requests.get(
-        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/generate",
+        f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/generate",
         headers={"Authorization": f"Bearer {token}"}
     )
     response.raise_for_status()
@@ -130,7 +130,7 @@ def register_kc_otp(username, secret, otp_code):
     token = get_kc_service_account_token()
 
     response = requests.post(
-        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/register",
+        f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/register",
         headers={
             "Authorization": f"Bearer {token}",
             "Content-Type": "application/json"
@@ -169,7 +169,7 @@ def delete_kc_otp(username):
     token = get_kc_service_account_token()
 
     response = requests.post(
-        f"https://sso.csh.rit.edu/auth/realms/csh/totp-api/{user_id}/unregister",
+        f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/unregister",
         headers={
             "Authorization": f"Bearer {token}",
             "Content-Type": "application/json"

From 2232cad551cd22c9a6b59d15f063df6c84f2d331 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 14:57:51 -0500
Subject: [PATCH 07/13] feat: add PR template

---
 .github/pull_request_template.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..1cd3021
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,19 @@
+## What
+
+_what the PR changes_
+
+## Why
+
+_why these changes were made_
+
+## Test Plan
+
+_how did you verify these changes did what you expected_
+
+## Env Vars
+
+_did you add, remove, or rename any environment variables_
+
+## Checklist
+
+- [ ] Tested all changes locally

From f8bcfae48eafb3a646f45014abcc5eaa45da18d7 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 15:04:33 -0500
Subject: [PATCH 08/13] fix: better logging

---
 selfservice/blueprints/otp.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/selfservice/blueprints/otp.py b/selfservice/blueprints/otp.py
index b272b50..c02659a 100644
--- a/selfservice/blueprints/otp.py
+++ b/selfservice/blueprints/otp.py
@@ -40,10 +40,15 @@ def enable():
     otp_code = request.form.get("otp-code", default="")
 
     if request.method == "GET":
+        kc_registered = get_kc_otp_is_registered(username)
+        ipa_registered = has_ipa_otp(username)
+
+        # If its registered in one place but not the other
+        if kc_registered != ipa_registered:
+            LOG.warn(f"{username} does not have TOTP in both Keycloak and LDAP (kc_registered={kc_registered}, ipa_registered={ipa_registered})")
+
         # If already registered *somewhere*
-        print(get_kc_otp_is_registered(username))
-        print(has_ipa_otp(username))
-        if get_kc_otp_is_registered(username) or has_ipa_otp(username):
+        if kc_registered or ipa_registered:
             return render_template("otp.html", version=version, configured=True)
 
         secret = generate_kc_otp(username)

From bf49c5e38efe2012de875db940cfa5a7eed7579f Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 15:17:56 -0500
Subject: [PATCH 09/13] clean: remove unused deps

---
 requirements.in                   | 2 --
 requirements.txt                  | 7 -------
 selfservice/blueprints/otp.py     | 1 -
 selfservice/utilities/keycloak.py | 2 +-
 4 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/requirements.in b/requirements.in
index 22a14fc..844a7d9 100644
--- a/requirements.in
+++ b/requirements.in
@@ -13,7 +13,5 @@ sentry-sdk[Flask]
 psycopg2-binary~=2.9.11
 twilio~=9.9.0
 pyotp~=2.9.0
-dill~=0.4.0
-beautifulsoup4~=4.14.3
 passlib~=1.7.4
 xkcdpass~=1.20.0
diff --git a/requirements.txt b/requirements.txt
index ebe8767..8378454 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -22,8 +22,6 @@ async-property==0.2.2
     # via python-keycloak
 attrs==25.4.0
     # via aiohttp
-beautifulsoup4==4.14.3
-    # via -r requirements.in
 blinker==1.9.0
     # via
     #   flask
@@ -52,8 +50,6 @@ deprecated==1.3.1
     # via limits
 deprecation==2.1.0
     # via python-keycloak
-dill==0.4.0
-    # via -r requirements.in
 dnspython==2.8.0
     # via srvlookup
 flask==3.1.2
@@ -194,8 +190,6 @@ sentry-sdk==2.48.0
     # via -r requirements.in
 six==1.17.0
     # via pyjwkest
-soupsieve==2.8.1
-    # via beautifulsoup4
 sqlalchemy==2.0.45
     # via
     #   alembic
@@ -211,7 +205,6 @@ typing-extensions==4.15.0
     #   aiosignal
     #   alembic
     #   anyio
-    #   beautifulsoup4
     #   flask-limiter
     #   jwcrypto
     #   limits
diff --git a/selfservice/blueprints/otp.py b/selfservice/blueprints/otp.py
index c02659a..30ed51f 100644
--- a/selfservice/blueprints/otp.py
+++ b/selfservice/blueprints/otp.py
@@ -7,7 +7,6 @@
 
 from flask import Blueprint, render_template, request, redirect, flash
 from flask import session as flask_session
-import dill as pickle
 
 
 from selfservice.utilities.keycloak import (
diff --git a/selfservice/utilities/keycloak.py b/selfservice/utilities/keycloak.py
index adb03ca..1c6c7c1 100644
--- a/selfservice/utilities/keycloak.py
+++ b/selfservice/utilities/keycloak.py
@@ -5,7 +5,6 @@
 import json
 import logging
 
-from bs4 import BeautifulSoup
 from keycloak import KeycloakAdmin, KeycloakOpenID
 import requests
 import pyotp
@@ -158,6 +157,7 @@ def register_kc_otp(username, secret, otp_code):
     if not response.ok:
         app.logger.error(response.text)
         response.raise_for_status()
+
 def delete_kc_otp(username):
     """
     Remove two-factor information from Keycloak account

From fd0fc0e16b25d22508187be09b3b6ef27bed0945 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 15:36:03 -0500
Subject: [PATCH 10/13] clean: remove OTPSession table

---
 .../fdb69cd98e19_remove_otpsession_table.py   | 33 +++++++++++++++++++
 selfservice/models.py                         | 13 --------
 2 files changed, 33 insertions(+), 13 deletions(-)
 create mode 100644 migrations/versions/fdb69cd98e19_remove_otpsession_table.py

diff --git a/migrations/versions/fdb69cd98e19_remove_otpsession_table.py b/migrations/versions/fdb69cd98e19_remove_otpsession_table.py
new file mode 100644
index 0000000..6d03ce6
--- /dev/null
+++ b/migrations/versions/fdb69cd98e19_remove_otpsession_table.py
@@ -0,0 +1,33 @@
+"""Remove OTPSession table
+
+Revision ID: fdb69cd98e19
+Revises: a541afdca952
+Create Date: 2025-12-21 15:34:01.851353
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = 'fdb69cd98e19'
+down_revision = 'a541afdca952'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('otp_session')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('otp_session',
+    sa.Column('secret', sa.VARCHAR(length=100), autoincrement=False, nullable=False),
+    sa.Column('form', postgresql.BYTEA(), autoincrement=False, nullable=True),
+    sa.Column('session', postgresql.BYTEA(), autoincrement=False, nullable=True),
+    sa.PrimaryKeyConstraint('secret', name=op.f('otp_session_pkey'))
+    )
+    # ### end Alembic commands ###
diff --git a/selfservice/models.py b/selfservice/models.py
index e7f9916..4dc74fa 100644
--- a/selfservice/models.py
+++ b/selfservice/models.py
@@ -53,19 +53,6 @@ class PhoneVerification(db.Model):
     code = Column(String(6), primary_key=True)
     session = Column(String(36), ForeignKey("session.id"))
 
-
-class OTPSession(db.Model):
-    """
-    Once an OTP secret has been generated for a user, we pickle their session
-    so that we can retrieve it and eventually verify their token.
-    """
-
-    __tablename__ = "otp_session"
-    secret = Column(String(100), primary_key=True)
-    form = Column(LargeBinary)
-    session = Column(LargeBinary)
-
-
 class AppSpecificPassword(db.Model):
     """
     Allows users to authenticate to applications that don't support two factor

From 29ed5a397ee0ac070240f17356a3298a2c6f76ff Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 15:55:49 -0500
Subject: [PATCH 11/13] bump: CI

---
 .github/workflows/python-app.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 62b63ea..bf376a9 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -18,10 +18,10 @@ jobs:
     - name: Install ldap dependencies
       run: sudo apt-get install libldap2-dev libsasl2-dev
     - uses: actions/checkout@v2
-    - name: Set up Python 3.6
+    - name: Set up Python 3.13
       uses: actions/setup-python@v2
       with:
-        python-version: 3.6
+        python-version: 3.13
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip

From 23f91e2b38d75a5556b5b43c96b98baaa8c3e651 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 15:56:02 -0500
Subject: [PATCH 12/13] feat: add Dockerfile

---
 Dockerfile       | 20 ++++++++++++++++++++
 requirements.in  |  1 +
 requirements.txt |  3 +++
 3 files changed, 24 insertions(+)
 create mode 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..955f438
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,20 @@
+FROM docker.io/python:3.13-slim
+MAINTAINER Computer Science House <webmaster@csh.rit.edu>
+
+RUN mkdir /opt/selfservice
+
+ADD requirements.txt /opt/selfservice
+
+WORKDIR /opt/selfservice
+
+RUN apt-get -yq update && \
+    apt-get -yq install libsasl2-dev libldap2-dev libldap-common libssl-dev git gcc g++ make && \
+    pip install -r requirements.txt && \
+    apt-get -yq clean all
+
+ADD . /opt/selfservice
+
+EXPOSE 8080
+
+CMD ["gunicorn", "selfservice:app", "--bind=0.0.0.0:8080", "--access-logfile=-", "--timeout=256"]
+
diff --git a/requirements.in b/requirements.in
index 844a7d9..973175f 100644
--- a/requirements.in
+++ b/requirements.in
@@ -15,3 +15,4 @@ twilio~=9.9.0
 pyotp~=2.9.0
 passlib~=1.7.4
 xkcdpass~=1.20.0
+gunicorn~=23.0.0
diff --git a/requirements.txt b/requirements.txt
index 8378454..7c9031a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -84,6 +84,8 @@ future==1.0.0
     # via pyjwkest
 greenlet==3.3.0
     # via sqlalchemy
+gunicorn==23.0.0
+    # via -r requirements.in
 h11==0.16.0
     # via httpcore
 httpcore==1.0.9
@@ -129,6 +131,7 @@ ordered-set==4.1.0
 packaging==25.0
     # via
     #   deprecation
+    #   gunicorn
     #   limits
 passlib==1.7.4
     # via -r requirements.in

From 77a2bda93f0ea6af2a6beb91920a83b32b030757 Mon Sep 17 00:00:00 2001
From: Cole Stowell <cole@stowell.pro>
Date: Sun, 21 Dec 2025 16:32:39 -0500
Subject: [PATCH 13/13] fix: format and lint

---
 .pylintrc                          | 74 +++++++-----------------------
 requirements.in                    |  2 +
 requirements.txt                   | 29 +++++++++++-
 selfservice/__init__.py            |  2 +
 selfservice/blueprints/otp.py      | 24 +++++++---
 selfservice/blueprints/recovery.py |  6 +--
 selfservice/models.py              |  6 +--
 selfservice/utilities/keycloak.py  | 39 +++++++++++-----
 selfservice/utilities/ldap.py      | 15 ++++--
 selfservice/utilities/reset.py     | 10 ++--
 10 files changed, 117 insertions(+), 90 deletions(-)

diff --git a/.pylintrc b/.pylintrc
index e8fdc7e..05e557d 100644
--- a/.pylintrc
+++ b/.pylintrc
@@ -16,7 +16,7 @@ persistent=yes
 
 # List of plugins (as comma separated values of python modules names) to load,
 # usually to register additional checkers.
-load-plugins=
+#load-plugins=
 
 # Use multiple processes to speed up Pylint.
 jobs=1
@@ -28,14 +28,14 @@ unsafe-load-any-extension=no
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may
 # run arbitrary code
-extension-pkg-whitelist=
+#extension-pkg-whitelist=
 
 
 [MESSAGES CONTROL]
 
 # Only show warnings with the listed confidence levels. Leave empty to show
 # all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
-confidence=
+#confidence=
 
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option
@@ -62,12 +62,11 @@ disable=
     too-few-public-methods,
     no-member,
     too-many-format-args,
-    bad-continuation,
     bare-except,
     inconsistent-return-statements,
     no-name-in-module,
     cyclic-import,
-    unnecessary-pass,
+    unnecessary-pass
 
 
 [REPORTS]
@@ -77,11 +76,6 @@ disable=
 # mypackage.mymodule.MyReporterClass.
 output-format=text
 
-# Put messages in a separate file for each module / package specified on the
-# command line instead of printing them on stdout. Reports (if any) will be
-# written in a file name "pylint_global.[txt|html]".
-files-output=no
-
 # Tells whether to display a full report or only the messages
 reports=no
 
@@ -136,7 +130,7 @@ dummy-variables-rgx=_$|dummy
 
 # List of additional names supposed to be defined in builtins. Remember that
 # you should avoid to define new builtins when possible.
-additional-builtins=
+#additional-builtins=
 
 # List of strings which can identify a callback function by name. A callback
 # name must start or end with one of those strings.
@@ -155,9 +149,6 @@ ignore-long-lines=^\s*(# )?<?https?://\S+>?$
 # else.
 single-line-if-stmt=no
 
-# List of optional constructs for which whitespace checking is disabled
-no-space-check=trailing-comma,dict-separator
-
 # Maximum number of lines in a module
 max-module-lines=2000
 
@@ -169,14 +160,11 @@ indent-string='    '
 indent-after-paren=4
 
 # Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
-expected-line-ending-format=
+#expected-line-ending-format=
 
 
 [BASIC]
 
-# List of builtins function names that should not be used, separated by a comma
-bad-functions=map,filter,input
-
 # Good variable names which should always be accepted, separated by a comma
 good-names=i,j,k,ex,Run,_
 
@@ -185,7 +173,7 @@ bad-names=foo,bar,baz,toto,tutu,tata
 
 # Colon-delimited sets of names that determine each other's naming style when
 # the name regexes allow several styles.
-name-group=
+#name-group=
 
 # Include a hint for the correct naming format with invalid-name
 include-naming-hint=no
@@ -193,63 +181,33 @@ include-naming-hint=no
 # Regular expression matching correct function names
 function-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for function names
-function-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct variable names
 variable-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for variable names
-variable-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct constant names
 const-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for constant names
-const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
-
 # Regular expression matching correct attribute names
 attr-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for attribute names
-attr-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct argument names
 argument-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for argument names
-argument-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct class attribute names
 class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
 
-# Naming hint for class attribute names
-class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
-
 # Regular expression matching correct inline iteration names
 inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
 
-# Naming hint for inline iteration names
-inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
-
 # Regular expression matching correct class names
 class-rgx=[A-Z_][a-zA-Z0-9]+$
 
-# Naming hint for class names
-class-name-hint=[A-Z_][a-zA-Z0-9]+$
-
 # Regular expression matching correct module names
 module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
 
-# Naming hint for module names
-module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
-
 # Regular expression matching correct method names
 method-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for method names
-method-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression which should only match function or class names that do
 # not require a docstring.
 no-docstring-rgx=__.*__
@@ -271,11 +229,11 @@ ignore-mixin-members=yes
 # List of module names for which member attributes should not be checked
 # (useful for modules/projects where namespaces are manipulated during runtime
 # and thus existing member attributes cannot be deduced by static analysis
-ignored-modules=
+#ignored-modules=
 
 # List of classes names for which member attributes should not be checked
 # (useful for classes with attributes dynamically set).
-ignored-classes=SQLObject, optparse.Values, thread._local, _thread._local
+ignored-classes=SQLObject,optparse.Values,thread._local,_thread._local
 
 # List of members which are set dynamically and missed by pylint inference
 # system, and so shouldn't trigger E1101 when accessed. Python regular
@@ -291,13 +249,13 @@ contextmanager-decorators=contextlib.contextmanager
 
 # Spelling dictionary name. Available dictionaries: none. To make it working
 # install python-enchant package.
-spelling-dict=
+#spelling-dict=
 
 # List of comma separated words that should not be checked.
-spelling-ignore-words=
+#spelling-ignore-words=
 
 # A path to a file that contains private dictionary; one word per line.
-spelling-private-dict-file=
+#spelling-private-dict-file=
 
 # Tells whether to store unknown words to indicated private dictionary in
 # --spelling-private-dict-file option instead of raising a message.
@@ -361,19 +319,19 @@ deprecated-modules=regsub,TERMIOS,Bastion,rexec
 
 # Create a graph of every (i.e. internal and external) dependencies in the
 # given file (report RP0402 must not be disabled)
-import-graph=
+#import-graph=
 
 # Create a graph of external dependencies in the given file (report RP0402 must
 # not be disabled)
-ext-import-graph=
+#ext-import-graph=
 
 # Create a graph of internal dependencies in the given file (report RP0402 must
 # not be disabled)
-int-import-graph=
+#int-import-graph=
 
 
 [EXCEPTIONS]
 
 # Exceptions that will emit a warning when being caught. Defaults to
 # "Exception"
-overgeneral-exceptions=Exception
+overgeneral-exceptions=builtins.Exception
diff --git a/requirements.in b/requirements.in
index 973175f..3af5a9d 100644
--- a/requirements.in
+++ b/requirements.in
@@ -16,3 +16,5 @@ pyotp~=2.9.0
 passlib~=1.7.4
 xkcdpass~=1.20.0
 gunicorn~=23.0.0
+black~=25.12.0
+pylint~=4.0.4
diff --git a/requirements.txt b/requirements.txt
index 7c9031a..885a21b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -18,10 +18,14 @@ annotated-types==0.7.0
     # via pydantic
 anyio==4.12.0
     # via httpx
+astroid==4.0.2
+    # via pylint
 async-property==0.2.2
     # via python-keycloak
 attrs==25.4.0
     # via aiohttp
+black==25.12.0
+    # via -r requirements.in
 blinker==1.9.0
     # via
     #   flask
@@ -37,7 +41,9 @@ cffi==2.0.0
 charset-normalizer==3.4.4
     # via requests
 click==8.3.1
-    # via flask
+    # via
+    #   black
+    #   flask
 cryptography==46.0.3
     # via
     #   jwcrypto
@@ -50,6 +56,8 @@ deprecated==1.3.1
     # via limits
 deprecation==2.1.0
     # via python-keycloak
+dill==0.4.0
+    # via pylint
 dnspython==2.8.0
     # via srvlookup
 flask==3.1.2
@@ -100,6 +108,8 @@ idna==3.11
     #   yarl
 importlib-resources==6.5.2
     # via flask-pyoidc
+isort==7.0.0
+    # via pylint
 itsdangerous==2.2.0
     # via flask
 jinja2==3.1.6
@@ -120,23 +130,34 @@ markupsafe==3.0.3
     #   mako
     #   sentry-sdk
     #   werkzeug
+mccabe==0.7.0
+    # via pylint
 multidict==6.7.0
     # via
     #   aiohttp
     #   yarl
+mypy-extensions==1.1.0
+    # via black
 oic==1.6.1
     # via flask-pyoidc
 ordered-set==4.1.0
     # via flask-limiter
 packaging==25.0
     # via
+    #   black
     #   deprecation
     #   gunicorn
     #   limits
 passlib==1.7.4
     # via -r requirements.in
+pathspec==0.12.1
+    # via black
 pillow==12.0.0
     # via flask-qrcode
+platformdirs==4.5.1
+    # via
+    #   black
+    #   pylint
 propcache==0.4.1
     # via
     #   aiohttp
@@ -165,6 +186,8 @@ pyjwkest==1.4.4
     # via oic
 pyjwt==2.10.1
     # via twilio
+pylint==4.0.4
+    # via -r requirements.in
 pyotp==2.9.0
     # via -r requirements.in
 python-dotenv==1.2.1
@@ -175,6 +198,8 @@ python-keycloak==5.8.1
     # via -r requirements.in
 python-ldap==3.4.5
     # via csh-ldap
+pytokens==0.3.0
+    # via black
 qrcode==8.2
     # via flask-qrcode
 requests==2.32.5
@@ -201,6 +226,8 @@ srvlookup==3.0.0
     # via
     #   -r requirements.in
     #   csh-ldap
+tomlkit==0.13.3
+    # via pylint
 twilio==9.9.0
     # via -r requirements.in
 typing-extensions==4.15.0
diff --git a/selfservice/__init__.py b/selfservice/__init__.py
index ee47b63..4c41586 100644
--- a/selfservice/__init__.py
+++ b/selfservice/__init__.py
@@ -79,6 +79,8 @@
     limiter = Limiter(
         get_remote_address, app=app, default_limits=["50 per day", "10 per hour"]
     )
+else:
+    limiter = Limiter(get_remote_address, app=app, default_limits=[])
 
 # Initialize QR Code Generator
 qr = QRcode(app)
diff --git a/selfservice/blueprints/otp.py b/selfservice/blueprints/otp.py
index 30ed51f..d98f269 100644
--- a/selfservice/blueprints/otp.py
+++ b/selfservice/blueprints/otp.py
@@ -20,7 +20,7 @@
 )
 from selfservice.utilities.ldap import create_ipa_otp, has_ipa_otp, delete_ipa_otp
 from selfservice.utilities.app_passwd import set_app_passwd, delete_app_passwd
-from selfservice import version, auth, db, OIDC_PROVIDER
+from selfservice import version, auth, OIDC_PROVIDER
 
 otp_bp = Blueprint("otp", __name__)
 
@@ -44,7 +44,13 @@ def enable():
 
         # If its registered in one place but not the other
         if kc_registered != ipa_registered:
-            LOG.warn(f"{username} does not have TOTP in both Keycloak and LDAP (kc_registered={kc_registered}, ipa_registered={ipa_registered})")
+            LOG.warning(
+                "%s does not have TOTP in both Keycloak and LDAP "
+                "(kc_registered=%s, ipa_registered=%s)",
+                username,
+                kc_registered,
+                ipa_registered,
+            )
 
         # If already registered *somewhere*
         if kc_registered or ipa_registered:
@@ -52,7 +58,7 @@ def enable():
 
         secret = generate_kc_otp(username)
         otp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
-            "{}@csh.rit.edu".format(username), issuer_name="CSH"
+            f"{username}@csh.rit.edu", issuer_name="CSH"
         )
 
         return render_template(
@@ -60,13 +66,16 @@ def enable():
         )
 
     otp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
-        "{}@csh.rit.edu".format(username), issuer_name="CSH"
+        f"{username}@csh.rit.edu", issuer_name="CSH"
     )
     if not secret:
         flash("Invalid secret provided. Please try again.")
         return redirect("/otp")
     if not otp_code:
-        flash("No one time password provided. Please scan the code and try again.")
+        flash(
+            "One time password provided did not match expected value. "
+            "Please scan the code and try again."
+        )
         return render_template(
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )
@@ -74,7 +83,10 @@ def enable():
     try:
         register_kc_otp(username, secret, otp_code)
     except OTPInvalidCode:
-        flash("One time password provided did not match expected value. Please scan the code and try again.")
+        flash(
+            "One time password provided did not match expected value."
+            "Please scan the code and try again."
+        )
         return render_template(
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )
diff --git a/selfservice/blueprints/recovery.py b/selfservice/blueprints/recovery.py
index addc6ba..673b5a4 100644
--- a/selfservice/blueprints/recovery.py
+++ b/selfservice/blueprints/recovery.py
@@ -96,8 +96,8 @@ def verify_identity(recovery_id):
 
         # Make sure that methods are valid
     possible_methods = 0
-    for method in methods:
-        if methods[method]:
+    for _, value in methods.items():
+        if value:
             possible_methods += 1
 
     if possible_methods == 0:
@@ -247,7 +247,7 @@ def reset_password():
     else:
         flash("Whoops, those passwords didn't match!")
 
-    return redirect("/reset?token={}".format(token))
+    return redirect(f"/reset?token={token}")
 
 
 @recovery_bp.route("/admin", methods=["GET", "POST"])
diff --git a/selfservice/models.py b/selfservice/models.py
index 4dc74fa..06cfeb9 100644
--- a/selfservice/models.py
+++ b/selfservice/models.py
@@ -9,7 +9,6 @@
     ForeignKey,
     DateTime,
     Boolean,
-    LargeBinary,
     func,
 )
 from selfservice import db
@@ -24,7 +23,7 @@ class ResetToken(db.Model):
     __tablename__ = "token"
     id = Column(Integer, primary_key=True)
     username = Column(String(64), nullable=False)
-    created = Column(DateTime, default=func.timezone("UTC", func.current_timestamp()))
+    created = Column(DateTime, default=func.timezone("UTC", func.current_timestamp))
     token = Column(String(36))
     session = Column(String(36), ForeignKey("session.id"))
     used = Column(Boolean)
@@ -40,7 +39,7 @@ class RecoverySession(db.Model):
     __tablename__ = "session"
     id = Column(String(36), primary_key=True)
     username = Column(String(64), nullable=False)
-    created = Column(DateTime, default=func.timezone("UTC", func.current_timestamp()))
+    created = Column(DateTime, default=func.timezone("UTC", func.current_timestamp))
 
 
 class PhoneVerification(db.Model):
@@ -53,6 +52,7 @@ class PhoneVerification(db.Model):
     code = Column(String(6), primary_key=True)
     session = Column(String(36), ForeignKey("session.id"))
 
+
 class AppSpecificPassword(db.Model):
     """
     Allows users to authenticate to applications that don't support two factor
diff --git a/selfservice/utilities/keycloak.py b/selfservice/utilities/keycloak.py
index 1c6c7c1..cda1d47 100644
--- a/selfservice/utilities/keycloak.py
+++ b/selfservice/utilities/keycloak.py
@@ -15,12 +15,15 @@
 
 DEVICE_NAME = "SelfService"
 
+
 class OTPInvalidCode(Exception):
     """
-    Error when the initial code does not match expected. 
+    Error when the initial code does not match expected.
     """
+
     pass
 
+
 class OTPNotConfigured(Exception):
     """
     Error for accounts who don't have OTP configured.
@@ -28,6 +31,7 @@ class OTPNotConfigured(Exception):
 
     pass
 
+
 class OTPAlreadyConfigured(Exception):
     """
     Error for accounts who already have OTP configured.
@@ -69,11 +73,12 @@ def get_kc_user_id(username):
     )
     conn = admin.connection
     user = conn.raw_get(
-        "admin/realms/csh/users?first=0&max=20&search={}@csh.rit.edu".format(username)
+        f"admin/realms/csh/users?first=0&max=20&search={username}@csh.rit.edu"
     )
     user_id = json.loads(user.text)[0]["id"]
     return user_id
 
+
 def get_kc_service_account_token():
     """
     Get an auth token for the OIDC client's associated service account
@@ -84,17 +89,25 @@ def get_kc_service_account_token():
         realm_name="csh",
         client_id=app.config["OIDC_CLIENT_CONFIG"]["client_id"],
         client_secret_key=app.config["OIDC_CLIENT_CONFIG"]["client_secret"],
-        verify=True
+        verify=True,
     )
     token = keycloak_openid.token(grant_type="client_credentials")
     return token["access_token"]
 
+
 def get_kc_otp_is_registered(username):
+    """
+    Check if the given user has OTP registered in Keycloak.
+
+    Keyword arguments:
+    username -- Username of account to check
+    """
     user_id = get_kc_user_id(username)
     token = get_kc_service_account_token()
     response = requests.get(
         f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/isRegistered/{DEVICE_NAME}",
-        headers={"Authorization": f"Bearer {token}"}
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=30,
     )
     return response.ok
 
@@ -111,10 +124,11 @@ def generate_kc_otp(username):
     token = get_kc_service_account_token()
     response = requests.get(
         f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/generate",
-        headers={"Authorization": f"Bearer {token}"}
+        headers={"Authorization": f"Bearer {token}"},
+        timeout=30,
     )
     response.raise_for_status()
-    return response.json()['encodedSecret']
+    return response.json()["encodedSecret"]
 
 
 def register_kc_otp(username, secret, otp_code):
@@ -132,14 +146,15 @@ def register_kc_otp(username, secret, otp_code):
         f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/register",
         headers={
             "Authorization": f"Bearer {token}",
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
         },
         json={
             "encodedSecret": secret,
             "initialCode": otp_code,
             "deviceName": DEVICE_NAME,
-            "overwrite": False
-        }
+            "overwrite": False,
+        },
+        timeout=30,
     )
     resp = response.json()
 
@@ -158,6 +173,7 @@ def register_kc_otp(username, secret, otp_code):
         app.logger.error(response.text)
         response.raise_for_status()
 
+
 def delete_kc_otp(username):
     """
     Remove two-factor information from Keycloak account
@@ -172,11 +188,12 @@ def delete_kc_otp(username):
         f"{app.config["OIDC_ISSUER"]}/totp-api/{user_id}/unregister",
         headers={
             "Authorization": f"Bearer {token}",
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
         },
         json={
             "deviceName": DEVICE_NAME,
-        }
+        },
+        timeout=30,
     )
     resp = response.json()
 
diff --git a/selfservice/utilities/ldap.py b/selfservice/utilities/ldap.py
index 709eb23..65bd7ce 100644
--- a/selfservice/utilities/ldap.py
+++ b/selfservice/utilities/ldap.py
@@ -21,21 +21,21 @@ def verif_methods(username):
     user = ldap.get_member(username, True)
 
     if user.mail:
-        for addr in user.__getattr__("mail", as_list=True):
+        for addr in getattr(user, "mail", as_list=True):
             if "rit.edu" not in addr and "@" in addr:
                 name, domain = addr.strip().split("@")
                 display = name[:1] + "..." + name[-1:] + "@" + domain
                 methods["email"].append({"data": addr, "display": display})
 
     if user.mobile:
-        for number in user.__getattr__("mobile", as_list=True):
+        for number in getattr(user, "mobile", as_list=True):
             stripped = re.sub("[^0-9]", "", number)
             if len(stripped) == 10:
-                display = "(XXX) XXX-{}".format(stripped[-4:])
+                display = f"(XXX) XXX-{stripped[-4:]}"
                 methods["phone"].append({"data": stripped, "display": display})
 
     if user.telephoneNumber:
-        for number in user.__getattr__("telephoneNumber", as_list=True):
+        for number in getattr(user, "telephoneNumber", as_list=True):
             stripped = re.sub("[^0-9]", "", number)
             if len(stripped) == 10:
                 methods["phone"].append(stripped)
@@ -92,7 +92,14 @@ def create_ipa_otp(username, secret):
     data = {"ipatokenowner": username, "ipatokenotpkey": secret}
     ipa._request("otptoken_add", params=data)
 
+
 def has_ipa_otp(username):
+    """
+    Check if the given user has any OTP tokens configured in FreeIPA.
+
+    Keyword arguments:
+    username -- Username of account to check
+    """
     ipa_login()
     token_info = ipa._request("otptoken_find", params={"ipatokenowner": username})
     return len(token_info["result"]) > 0
diff --git a/selfservice/utilities/reset.py b/selfservice/utilities/reset.py
index e9f8657..e37ee2d 100644
--- a/selfservice/utilities/reset.py
+++ b/selfservice/utilities/reset.py
@@ -107,12 +107,12 @@ def passwd_reset(username, password):
     """
 
     # Create LDAP admin session to perform initial reset.
-    dn = "uid={},cn=users,cn=accounts,dc=csh,dc=rit,dc=edu".format(username)
+    dn = f"uid={username},cn=users,cn=accounts,dc=csh,dc=rit,dc=edu"
 
     # Find FreeIPA server
     ldap_srvs = srvlookup.lookup("ldap", "tcp", "csh.rit.edu")
     ldap_uri = ldap_srvs[0].hostname
-    l = ldap.initialize("ldaps://{}".format(ldap_uri))
+    l = ldap.initialize(f"ldaps://{ldap_uri}")
     l.simple_bind_s(app.config["LDAP_BIND_DN"], app.config["LDAP_BIND_PW"])
     l.modify_s(dn, [(ldap.MOD_REPLACE, "userPassword", [password.encode()])])
     l.modify_s(dn, [(ldap.MOD_REPLACE, "nsaccountlock", ["false".encode()])])
@@ -120,8 +120,9 @@ def passwd_reset(username, password):
     # FreeIPA automatically expires the password set through the previous
     # method, so we need to use their password change API to get past that.
     requests.post(
-        "https://{}/ipa/session/change_password".format(ldap_uri),
+        f"https://{ldap_uri}/ipa/session/change_password",
         data={"user": username, "old_password": password, "new_password": password},
+        timeout=30,
     )
 
 
@@ -138,8 +139,9 @@ def passwd_change(username, old_pw, new_pw):
     ldap_srvs = srvlookup.lookup("ldap", "tcp", "csh.rit.edu")
     ldap_uri = ldap_srvs[0].hostname
     change = requests.post(
-        "https://{}/ipa/session/change_password".format(ldap_uri),
+        f"https://{ldap_uri}/ipa/session/change_password",
         data={"user": username, "old_password": old_pw, "new_password": new_pw},
+        timeout=30,
     )
     if change.headers.get("X-IPA-Pwchange-Result") == "invalid-password":
         raise PasswordChangeFailed