diff options
| author | Marius Balteanu <marius.balteanu@zitec.com> | 2022-02-24 19:10:35 +0000 |
|---|---|---|
| committer | Marius Balteanu <marius.balteanu@zitec.com> | 2022-02-24 19:10:35 +0000 |
| commit | 1db2566ff95c72c6e86e2c406b2bc7827a85dc46 (patch) | |
| tree | 66a0ba4b2c79ce0380ee0c4edeb9ea3452e2a406 | |
| parent | ba74ba1c702e7a122328094341e659c2baf9fd3d (diff) | |
| download | redmine-1db2566ff95c72c6e86e2c406b2bc7827a85dc46.tar.gz redmine-1db2566ff95c72c6e86e2c406b2bc7827a85dc46.zip | |
Disable API authentication with username and password when two-factor authentication is enabled for the user (#35001).
Patch by Go MAEDA.
git-svn-id: http://svn.redmine.org/redmine/trunk@21436 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | app/controllers/application_controller.rb | 9 | ||||
| -rw-r--r-- | test/integration/api_test/authentication_test.rb | 9 |
2 files changed, 17 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8878026f3..c287cc96a 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -132,7 +132,14 @@ class ApplicationController < ActionController::Base elsif /\ABasic /i.match?(request.authorization.to_s) # HTTP Basic, either username/password or API key/random authenticate_with_http_basic do |username, password| - user = User.try_to_login(username, password) || User.find_by_api_key(username) + user = User.try_to_login(username, password) + # Don't allow using username/password when two-factor auth is active + if user&.twofa_active? + render_error :message => 'HTTP Basic authentication is not allowed. Use API key instead', :status => 401 + return + end + + user ||= User.find_by_api_key(username) end if user && user.must_change_password? render_error :message => 'You must change your password', :status => 403 diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb index 60d787ea8..18838487c 100644 --- a/test/integration/api_test/authentication_test.rb +++ b/test/integration/api_test/authentication_test.rb @@ -48,6 +48,15 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base assert_response 401 end + def test_api_should_deny_http_basic_auth_if_twofa_is_active + user = User.generate! do |user| + user.password = 'my_password' + user.update(twofa_scheme: 'totp') + end + get '/users/current.xml', :headers => credentials(user.login, 'my_password') + assert_response 401 + end + def test_api_should_accept_http_basic_auth_using_api_key user = User.generate! token = Token.create!(:user => user, :action => 'api') |