summaryrefslogtreecommitdiffstats
path: root/routers/web
diff options
context:
space:
mode:
authorKamil DomaƄski <kamil@domanski.co>2021-11-08 23:47:19 +0100
committerGitHub <noreply@github.com>2021-11-08 23:47:19 +0100
commit021df29623bb0155b5a2ccad0e5f90fb348c8f4e (patch)
treec720bc34bd29620028c51d35c6d98044af89101e /routers/web
parenta3f9e9234cbb099b821a6ea9c575927be18948de (diff)
downloadgitea-021df29623bb0155b5a2ccad0e5f90fb348c8f4e.tar.gz
gitea-021df29623bb0155b5a2ccad0e5f90fb348c8f4e.zip
Allow U2F 2FA without TOTP (#11573)
This change enables the usage of U2F without being forced to enroll an TOTP authenticator. The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled. Fixes #5410 Fixes #17495
Diffstat (limited to 'routers/web')
-rw-r--r--routers/web/user/auth.go45
-rw-r--r--routers/web/user/setting/security.go24
2 files changed, 44 insertions, 25 deletions
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
index 21d48e9834..55f304a7cb 100644
--- a/routers/web/user/auth.go
+++ b/routers/web/user/auth.go
@@ -211,38 +211,58 @@ func SignInPost(ctx *context.Context) {
return
}
- // If this user is enrolled in 2FA, we can't sign the user in just yet.
+ // If this user is enrolled in 2FA TOTP, we can't sign the user in just yet.
// Instead, redirect them to the 2FA authentication page.
- _, err = login.GetTwoFactorByUID(u.ID)
+ hasTOTPtwofa, err := login.HasTwoFactorByUID(u.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
- handleSignIn(ctx, u, form.Remember)
- } else {
- ctx.ServerError("UserSignIn", err)
- }
+ ctx.ServerError("UserSignIn", err)
return
}
- // User needs to use 2FA, save data and redirect to 2FA page.
+ // Check if the user has u2f registration
+ hasU2Ftwofa, err := login.HasU2FRegistrationsByUID(u.ID)
+ if err != nil {
+ ctx.ServerError("UserSignIn", err)
+ return
+ }
+
+ if !hasTOTPtwofa && !hasU2Ftwofa {
+ // No two factor auth configured we can sign in the user
+ handleSignIn(ctx, u, form.Remember)
+ return
+ }
+
+ // User will need to use 2FA TOTP or U2F, save data
if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
return
}
+
if err := ctx.Session.Set("twofaRemember", form.Remember); err != nil {
ctx.ServerError("UserSignIn: Unable to set twofaRemember in session", err)
return
}
+
+ if hasTOTPtwofa {
+ // User will need to use U2F, save data
+ if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
+ ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
+ return
+ }
+ }
+
if err := ctx.Session.Release(); err != nil {
ctx.ServerError("UserSignIn: Unable to save session", err)
return
}
- regs, err := login.GetU2FRegistrationsByUID(u.ID)
- if err == nil && len(regs) > 0 {
+ // If we have U2F redirect there first
+ if hasU2Ftwofa {
ctx.Redirect(setting.AppSubURL + "/user/u2f")
return
}
+ // Fallback to 2FA
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
}
@@ -406,6 +426,11 @@ func U2F(ctx *context.Context) {
return
}
+ // See whether TOTP is also available.
+ if ctx.Session.Get("totpEnrolled") != nil {
+ ctx.Data["TOTPEnrolled"] = true
+ }
+
ctx.HTML(http.StatusOK, tplU2F)
}
diff --git a/routers/web/user/setting/security.go b/routers/web/user/setting/security.go
index 53f672282d..65e9790d47 100644
--- a/routers/web/user/setting/security.go
+++ b/routers/web/user/setting/security.go
@@ -55,23 +55,17 @@ func DeleteAccountLink(ctx *context.Context) {
}
func loadSecurityData(ctx *context.Context) {
- enrolled := true
- _, err := login.GetTwoFactorByUID(ctx.User.ID)
+ enrolled, err := login.HasTwoFactorByUID(ctx.User.ID)
if err != nil {
- if login.IsErrTwoFactorNotEnrolled(err) {
- enrolled = false
- } else {
- ctx.ServerError("SettingsTwoFactor", err)
- return
- }
+ ctx.ServerError("SettingsTwoFactor", err)
+ return
}
- ctx.Data["TwofaEnrolled"] = enrolled
- if enrolled {
- ctx.Data["U2FRegistrations"], err = login.GetU2FRegistrationsByUID(ctx.User.ID)
- if err != nil {
- ctx.ServerError("GetU2FRegistrationsByUID", err)
- return
- }
+ ctx.Data["TOTPEnrolled"] = enrolled
+
+ ctx.Data["U2FRegistrations"], err = login.GetU2FRegistrationsByUID(ctx.User.ID)
+ if err != nil {
+ ctx.ServerError("GetU2FRegistrationsByUID", err)
+ return
}
tokens, err := models.ListAccessTokens(models.ListAccessTokensOptions{UserID: ctx.User.ID})