From 1db2566ff95c72c6e86e2c406b2bc7827a85dc46 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Thu, 24 Feb 2022 19:10:35 +0000
Subject: Disable API authentication with username and password when two-factor authentication is enabled for the user (#35001).
Patch by Go MAEDA.
git-svn-id: http://svn.redmine.org/redmine/trunk@21436 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/integration/api_test/authentication_test.rb | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'test/integration/api_test/authentication_test.rb')
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index 60d787ea8..18838487c 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@@ -48,6 +48,15 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
 assert_response 401
 end
 
+ def test_api_should_deny_http_basic_auth_if_twofa_is_active
+ user = User.generate! do |user|
+ user.password = 'my_password'
+ user.update(twofa_scheme: 'totp')
+ end
+ get '/users/current.xml', :headers => credentials(user.login, 'my_password')
+ assert_response 401
+ end
+
 def test_api_should_accept_http_basic_auth_using_api_key
 user = User.generate!
 token = Token.create!(:user => user, :action => 'api')
-- 
cgit v1.2.3
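Review bot: The only assertion in `test_api_should_deny_http_basic_auth_if_twofa_is_active` is `assert_response 401`, which any failed login would also produce, so the test can pass without the two-factor check ever being exercised. The password and `twofa_scheme` are both set inside the `User.generate!` block and the return value of `user.update` is ignored; adding `assert_equal 'totp', user.reload.twofa_scheme` before the `get` would pin the precondition. A companion case showing that the same 2FA-enabled user is still accepted with an API key would guard against a change that locks such users out of the API entirely; the API-key test visible in the trailing context generates a user without two-factor enabled. As a style point, the block parameter `user` shadows the local being assigned, and `do |u|` would read more clearly.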