author | Frédéric Guillot <fred@kanboard.net> | 2019-02-01 15:40:35 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2019-02-01 15:40:35 -0800 |
commit | 233fd1a8a1e4da808ce34f91194a423522e5c478 (patch) | |
tree | 87f4f2be0c3bda9f958755bcfc9a71037113cb57 | |
parent | fa08493348f54fae3eed64f8de4eb5893000a918 (diff) |
Authorize only API tokens when 2FA is enabled
-rw-r--r-- | app/Api/Middleware/AuthenticationMiddleware.php | 19 | ||||
-rw-r--r-- | app/Core/Security/AuthenticationManager.php | 5 | ||||
-rw-r--r-- | app/Model/UserModel.php | 9 | ||||
-rw-r--r-- | app/ServiceProvider/AuthenticationProvider.php | 2 |
4 files changed, 31 insertions, 4 deletions
diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php
index 22a3558b..b30c8865 100644
--- a/app/Api/Middleware/AuthenticationMiddleware.php
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware;
 use JsonRPC\Exception\AccessDeniedException;
 use JsonRPC\Exception\AuthenticationFailureException;
 use JsonRPC\MiddlewareInterface;
+use Kanboard\Auth\ApiAccessTokenAuth;
 use Kanboard\Core\Base;
 
 /**
@@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface
 */
 private function isUserAuthenticated($username, $password)
 {
- return $username !== 'jsonrpc' &&
- ! $this->userLockingModel->isLocked($username) &&
- $this->authenticationManager->passwordAuthentication($username, $password);
+ if ($username === 'jsonrpc') {
+ return false;
+ }
+
+ if ($this->userLockingModel->isLocked($username)) {
+ return false;
+ }
+
+ if ($this->userModel->has2FA($username)) {
+ $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized');
+ $this->authenticationManager->reset();
+ $this->authenticationManager->register(new ApiAccessTokenAuth($this->container));
+ }
+
+ return $this->authenticationManager->passwordAuthentication($username, $password);
 }
 
 /**
diff --git a/app/Core/Security/AuthenticationManager.php b/app/Core/Security/AuthenticationManager.php
index e7a3c8d4..05ad6485 100644
--- a/app/Core/Security/AuthenticationManager.php
+++ b/app/Core/Security/AuthenticationManager.php
@@ -31,6 +31,11 @@ class AuthenticationManager extends Base
 */
 private $providers = array();
 
+ public function reset()
+ {
+ $this->providers = [];
+ }
+
 /**
 * Register a new authentication provider
 *
diff --git a/app/Model/UserModel.php b/app/Model/UserModel.php
index d8db3270..32d0c888 100644
--- a/app/Model/UserModel.php
+++ b/app/Model/UserModel.php
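Review bot: The 2FA branch of `isUserAuthenticated` mutates the shared `AuthenticationManager` for the rest of the request with nothing restoring the provider list: `reset()` discards every registered provider and only `ApiAccessTokenAuth` is re-registered, so any later `passwordAuthentication()` call in the same process sees only the token provider. That is presumably intended for a per-request JSON-RPC middleware, but it deserves a comment at the `if ($this->userModel->has2FA($username))` line, e.g. `// Users with 2FA may only authenticate to the API with an access token: replace the provider chain for this request.` The log line also has a typo, `'This API user ('.$username.') has 2FA enabled: only API keys are authorized'`. Note that `has2FA()` additionally requires `is_active = 1`, so an inactive user with 2FA falls through to the full provider chain; whether that is rejected depends on the providers, which are outside this diff.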
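Review bot: `reset()` in AuthenticationManager has no docblock although the neighbouring methods carry one (`Register a new authentication provider`), and it silently empties `$providers` for the whole manager instance, which is a security-relevant side effect a reader should not have to discover from callers. Suggest adding above it a docblock saying "Remove all registered authentication providers; used by the API middleware to restrict 2FA-enabled users to access-token authentication", with `@access public` and `@return void` to match the class style. The enclosing class continues outside the hunk.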
@@ -38,6 +38,15 @@ class UserModel extends Base
 ->exists();
 }
 
+ public function has2FA($username)
+ {
+ return $this->db->table(self::TABLE)
+ ->eq('username', $username)
+ ->eq('is_active', 1)
+ ->eq('twofactor_activated', 1)
+ ->exists();
+ }
+
 /**
 * Return true if the user exists
 *
diff --git a/app/ServiceProvider/AuthenticationProvider.php b/app/ServiceProvider/AuthenticationProvider.php
index 668d6d6b..066f45e5 100644
--- a/app/ServiceProvider/AuthenticationProvider.php
+++ b/app/ServiceProvider/AuthenticationProvider.php
@@ -2,13 +2,13 @@
 
 namespace Kanboard\ServiceProvider;
 
-use Kanboard\Auth\ApiAccessTokenAuth;
 use Pimple\Container;
 use Pimple\ServiceProviderInterface;
 use Kanboard\Core\Security\AuthenticationManager;
 use Kanboard\Core\Security\AccessMap;
 use Kanboard\Core\Security\Authorization;
 use Kanboard\Core\Security\Role;
+use Kanboard\Auth\ApiAccessTokenAuth;
 use Kanboard\Auth\RememberMeAuth;
 use Kanboard\Auth\DatabaseAuth;
 use Kanboard\Auth\LdapAuth; |
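Review bot: `has2FA()` is added without the docblock its neighbour (`Return true if the user exists`) has, and its name hides that the query also filters on `is_active = 1`, so it answers false for an inactive user whose `twofactor_activated` flag is set; a caller that treats it as a pure "is 2FA enabled" check will be misled. Suggest a docblock reading "Return true if the user is active and has two-factor authentication enabled", with `@param string $username` and `@return bool`, or renaming the method to say what it checks. The enclosing class continues outside the hunk.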