From 27b351aba564804f65e5574919a88d6194c75256 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Fri, 17 Sep 2021 12:43:47 +0100
Subject: Make LDAP be able to skip local 2FA (#16954)

This PR extends #16594 to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources.

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/context/api.go  | 4 ++++
 modules/context/auth.go | 3 +++
 2 files changed, 7 insertions(+)

(limited to 'modules/context')

diff --git a/modules/context/api.go b/modules/context/api.go
index 47ea8acfe0..e80e63cd96 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -214,6 +214,10 @@ func (ctx *APIContext) RequireCSRF() {
 
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
+	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
+		return // Skip 2FA
+	}
+
 	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 	twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
 	if err != nil {
diff --git a/modules/context/auth.go b/modules/context/auth.go
index ed220d5420..0a62b2741e 100644
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -151,6 +151,9 @@ func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) {
 				return
 			}
 			if ctx.IsSigned && ctx.IsBasicAuth {
+				if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
+					return // Skip 2FA
+				}
 				twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
 				if err != nil {
 					if models.IsErrTwoFactorNotEnrolled(err) {
-- 
cgit v1.2.3