mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 993 Wiki Activity
Browse Source

AppAPI: allowed to bypass Two-Factor 

Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

fix php-cs

Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
tags/v27.1.6rc1
Alexander Piskun 5 months ago
parent
7474b574ca
commit
12257ac765
No account linked to committer's email address
3 changed files with 24 additions and 7 deletions
Split View Show Diff Stats
  1. 3
    1
      core/Middleware/TwoFactorMiddleware.php
  2. 2
    2
      lib/private/Authentication/TwoFactorAuth/Manager.php
  3. 19
    4
      tests/lib/Authentication/TwoFactorAuth/ManagerTest.php

+ 3
- 1
core/Middleware/TwoFactorMiddleware.php View File

@@ -124,7 +124,9 @@ class TwoFactorMiddleware extends Middleware {
if ($this->userSession->isLoggedIn()) {
$user = $this->userSession->getUser();

if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
if ($this->session->exists('app_password') // authenticated using an app password
|| $this->session->exists('app_api') // authenticated using an AppAPI Auth
|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
$this->checkTwoFactor($controller, $methodName, $user);
} elseif ($controller instanceof TwoFactorChallengeController) {
// Allow access to the two-factor controllers only if two-factor authentication

+ 2
- 2
lib/private/Authentication/TwoFactorAuth/Manager.php View File

@@ -335,8 +335,8 @@ class Manager {
return false;
}

// If we are authenticated using an app password skip all this
if ($this->session->exists('app_password')) {
// If we are authenticated using an app password or AppAPI Auth, skip all this
if ($this->session->exists('app_password') || $this->session->get('app_api') === true) {
return false;
}


+ 19
- 4
tests/lib/Authentication/TwoFactorAuth/ManagerTest.php View File

@@ -636,13 +636,26 @@ class ManagerTest extends TestCase {
return false;
} elseif ($var === 'app_password') {
return false;
} elseif ($var === 'app_api') {
return false;
}
return true;
});
$this->session->method('get')
->willReturnCallback(function ($var) {
if ($var === Manager::SESSION_UID_KEY) {
return 'user';
} elseif ($var === 'app_api') {
return true;
}
return null;
});
$this->session->expects($this->once())
->method('get')
->with(Manager::SESSION_UID_DONE)
->willReturn('user');
->willReturnMap([
[Manager::SESSION_UID_DONE, 'user'],
['app_api', true]
]);

$this->assertFalse($this->manager->needsSecondFactor($user));
}
@@ -702,8 +715,10 @@ class ManagerTest extends TestCase {
public function testNeedsSecondFactorAppPassword() {
$user = $this->createMock(IUser::class);
$this->session->method('exists')
->with('app_password')
->willReturn(true);
->willReturnMap([
['app_password', true],
['app_api', true]
]);

$this->assertFalse($this->manager->needsSecondFactor($user));
}

Write Preview
Loading…
Cancel
Save