Fix basic auth with webauthn (#32531)

author: Lunny Xiao <xiaolunwen@gmail.com> 2024-11-16 09:52:16 -0800
committer: GitHub <noreply@github.com> 2024-11-16 17:52:16 +0000
commit: c3dedcffa79acfb8be594124cc4554f1a7956d48 (patch)
tree: eac16ee1dc737f07340fecc9792d5dd0bfb32bb6 /services/auth/basic.go
parent: 5eebe1dc5fb29a162c51d050396fce7b14e47f4e (diff)
download: gitea-c3dedcffa79acfb8be594124cc4554f1a7956d48.tar.gz
gitea-c3dedcffa79acfb8be594124cc4554f1a7956d48.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/services/auth/basic.go b/services/auth/basic.go
index 90bd642370..1f6c3a442d 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@@ -5,6 +5,7 @@
 package auth
 
 import (
+	"errors"
 	"net/http"
 	"strings"
 
@@ -141,6 +142,15 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	}
 
 	if skipper, ok := source.Cfg.(LocalTwoFASkipper); !ok || !skipper.IsSkipLocalTwoFA() {
+		// Check if the user has webAuthn registration
+		hasWebAuthn, err := auth_model.HasWebAuthnRegistrationsByUID(req.Context(), u.ID)
+		if err != nil {
+			return nil, err
+		}
+		if hasWebAuthn {
+			return nil, errors.New("Basic authorization is not allowed while webAuthn enrolled")
+		}
+
 		if err := validateTOTP(req, u); err != nil {
 			return nil, err
 		}
author	Lunny Xiao <xiaolunwen@gmail.com>	2024-11-16 09:52:16 -0800
committer	GitHub <noreply@github.com>	2024-11-16 17:52:16 +0000
commit	c3dedcffa79acfb8be594124cc4554f1a7956d48 (patch)
tree	eac16ee1dc737f07340fecc9792d5dd0bfb32bb6 /services/auth/basic.go
parent	5eebe1dc5fb29a162c51d050396fce7b14e47f4e (diff)
download	gitea-c3dedcffa79acfb8be594124cc4554f1a7956d48.tar.gz gitea-c3dedcffa79acfb8be594124cc4554f1a7956d48.zip