Disable API authentication with username and password when two-factor authentication...
authorMarius Balteanu <marius.balteanu@zitec.com>
Thu, 24 Feb 2022 19:10:35 +0000 (19:10 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Thu, 24 Feb 2022 19:10:35 +0000 (19:10 +0000)
Patch by Go MAEDA.

git-svn-id: http://svn.redmine.org/redmine/trunk@21436 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb
test/integration/api_test/authentication_test.rb

index 8878026f31c05cdcaedcc18ce70adc0b9b99a3a5..c287cc96a8585d2dc151da3ae5dbbfbfbfdd1fda 100644 (file)
@@ -132,7 +132,14 @@ class ApplicationController < ActionController::Base
       elsif /\ABasic /i.match?(request.authorization.to_s)
         # HTTP Basic, either username/password or API key/random
         authenticate_with_http_basic do |username, password|
-          user = User.try_to_login(username, password) || User.find_by_api_key(username)
+          user = User.try_to_login(username, password)
+          # Don't allow using username/password when two-factor auth is active
+          if user&.twofa_active?
+            render_error :message => 'HTTP Basic authentication is not allowed. Use API key instead', :status => 401
+            return
+          end
+
+          user ||= User.find_by_api_key(username)
         end
         if user && user.must_change_password?
           render_error :message => 'You must change your password', :status => 403
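Review bot: The 401 on the new `render_error` line is reached only after `User.try_to_login` has accepted the password, so its distinct message ("not allowed. Use API key instead") tells the caller that the username/password pair for a two-factor account is valid — a credential-validity oracle that a wrong-password 401 does not give. Consider returning the same generic 401 body as the failed-login path and recording the refused attempt server-side (a log line naming the login and reason), which keeps the 2FA block without confirming the password. Since `try_to_login` runs before the check, any side effects it has on a successful password match (presumably last-login bookkeeping) still happen for a request that is then refused — worth confirming against the model. The `return` inside the `authenticate_with_http_basic` block leaves the enclosing method, whose start is outside the hunk; a comment such as `# return exits the enclosing method, not just the block` would make that intent explicit.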
index 60d787ea82ee19475fe756c017b9b0f2d5f559a0..18838487c39501008e22d0355f5cc60cef527a4b 100644 (file)
@@ -48,6 +48,15 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     assert_response 401
   end
 
+  def test_api_should_deny_http_basic_auth_if_twofa_is_active
+    user = User.generate! do |user|
+      user.password = 'my_password'
+      user.update(twofa_scheme: 'totp')
+    end
+    get '/users/current.xml', :headers => credentials(user.login, 'my_password')
+    assert_response 401
+  end
+
   def test_api_should_accept_http_basic_auth_using_api_key
     user = User.generate!
     token = Token.create!(:user => user, :action => 'api')
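Review bot: `test_api_should_deny_http_basic_auth_if_twofa_is_active` asserts only the status, so it cannot tell the new 2FA refusal apart from an ordinary wrong-credentials 401; adding an assertion on the response body, e.g. `assert_match /not allowed/, response.body`, would pin the branch actually taken. The error message tells users to switch to an API key, but no test shows that a 2FA user's API key is still accepted over HTTP Basic after this change; a companion test mirroring `test_api_should_accept_http_basic_auth_using_api_key` but with `twofa_scheme` set would cover the intended escape hatch. In the setup block, `user.update(twofa_scheme: 'totp')` presumably saves the record inside the `generate!` block before the helper's own save — `user.twofa_scheme = 'totp'` reads more clearly if the helper persists afterwards, and the `twofa_scheme: 'totp'` keyword style also differs from the `:headers =>` hash-rocket style used on the next line. Verify how `User.generate!` treats the yielded object before changing the setup.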