Browse Source
AppAPI: allowed to bypass Two-Factor
Signed-off-by: Alexander Piskun <bigcat88@icloud.com>tags/v29.0.0beta1
Alexander Piskun
4 months ago
3 changed files with 25 additions and 7 deletions
+ 4
- 1
core/Middleware/TwoFactorMiddleware.php
View File
| if ($this->userSession->isLoggedIn()) { | if ($this->userSession->isLoggedIn()) { | ||||
| $user = $this->userSession->getUser(); | $user = $this->userSession->getUser(); | ||||
| if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) { | |||||
| if ($this->session->exists('app_password') // authenticated using an app password | |||||
| || $this->session->exists('app_api') // authenticated using an AppAPI Auth | |||||
| || $this->twoFactorManager->isTwoFactorAuthenticated($user)) { | |||||
| $this->checkTwoFactor($controller, $methodName, $user); | $this->checkTwoFactor($controller, $methodName, $user); | ||||
| } elseif ($controller instanceof TwoFactorChallengeController) { | } elseif ($controller instanceof TwoFactorChallengeController) { | ||||
| // Allow access to the two-factor controllers only if two-factor authentication | // Allow access to the two-factor controllers only if two-factor authentication |
+ 2
- 2
lib/private/Authentication/TwoFactorAuth/Manager.php
View File
| return false; | return false; | ||||
| } | } | ||||
| // If we are authenticated using an app password skip all this | |||||
| if ($this->session->exists('app_password')) { | |||||
| // If we are authenticated using an app password or AppAPI Auth, skip all this | |||||
| if ($this->session->exists('app_password') || $this->session->get('app_api') === true) { | |||||
| return false; | return false; | ||||
| } | } | ||||
+ 19
- 4
tests/lib/Authentication/TwoFactorAuth/ManagerTest.php
View File
| return false; | return false; | ||||
| } elseif ($var === 'app_password') { | } elseif ($var === 'app_password') { | ||||
| return false; | return false; | ||||
| } elseif ($var === 'app_api') { | |||||
| return false; | |||||
| } | } | ||||
| return true; | return true; | ||||
| }); | }); | ||||
| $this->session->method('get') | |||||
| ->willReturnCallback(function ($var) { | |||||
| if ($var === Manager::SESSION_UID_KEY) { | |||||
| return 'user'; | |||||
| } elseif ($var === 'app_api') { | |||||
| return true; | |||||
| } | |||||
| return null; | |||||
| }); | |||||
| $this->session->expects($this->once()) | $this->session->expects($this->once()) | ||||
| ->method('get') | ->method('get') | ||||
| ->with(Manager::SESSION_UID_DONE) | |||||
| ->willReturn('user'); | |||||
| ->willReturnMap([ | |||||
| [Manager::SESSION_UID_DONE, 'user'], | |||||
| ['app_api', true] | |||||
| ]); | |||||
| $this->assertFalse($this->manager->needsSecondFactor($user)); | $this->assertFalse($this->manager->needsSecondFactor($user)); | ||||
| } | } | ||||
| public function testNeedsSecondFactorAppPassword() { | public function testNeedsSecondFactorAppPassword() { | ||||
| $user = $this->createMock(IUser::class); | $user = $this->createMock(IUser::class); | ||||
| $this->session->method('exists') | $this->session->method('exists') | ||||
| ->with('app_password') | |||||
| ->willReturn(true); | |||||
| ->willReturnMap([ | |||||
| ['app_password', true], | |||||
| ['app_api', true] | |||||
| ]); | |||||
| $this->assertFalse($this->manager->needsSecondFactor($user)); | $this->assertFalse($this->manager->needsSecondFactor($user)); | ||||
| } | } |
Loading…