From 1db2566ff95c72c6e86e2c406b2bc7827a85dc46 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Thu, 24 Feb 2022 19:10:35 +0000
Subject: Disable API authentication with username and password when two-factor authentication is enabled for the user (#35001).

Patch by Go MAEDA.

git-svn-id: http://svn.redmine.org/redmine/trunk@21436 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'app/controllers/application_controller.rb')

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 8878026f3..c287cc96a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -132,7 +132,14 @@ class ApplicationController < ActionController::Base
 elsif /\ABasic /i.match?(request.authorization.to_s)
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
- user = User.try_to_login(username, password) || User.find_by_api_key(username)
+ user = User.try_to_login(username, password)
+ # Don't allow using username/password when two-factor auth is active
+ if user&.twofa_active?
+ render_error :message => 'HTTP Basic authentication is not allowed. Use API key instead', :status => 401
+ return
+ end
+
+ user ||= User.find_by_api_key(username)
 end
 if user && user.must_change_password?
 render_error :message => 'You must change your password', :status => 403
-- 
cgit v1.2.3
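Review bot: The new `if user&.twofa_active?` branch only fires after `User.try_to_login` has accepted the password, and it answers with a 401 whose message differs from the one a wrong password produces, so for precisely the accounts this change protects the response still tells the client whether the password was correct. Returning the same generic failure as the wrong-password path and keeping the reason server-side would close that, e.g. replace the message with the generic text the fall-through already uses and add `logger.info "Refused HTTP Basic password authentication for #{username}: two-factor authentication is active"` before `render_error`. Because `try_to_login` runs before the check, any bookkeeping it performs on a successful login is presumably still applied to a request that is then refused; worth confirming against that method. The `return` inside the `authenticate_with_http_basic` block exits the enclosing method, which begins and ends outside this hunk.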