Authorize only API tokens when 2FA is enabled

1 files changed, 16 insertions, 3 deletions

diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php
index 22a3558b..b30c8865 100644
--- a/app/Api/Middleware/AuthenticationMiddleware.php
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware;
 use JsonRPC\Exception\AccessDeniedException;
 use JsonRPC\Exception\AuthenticationFailureException;
 use JsonRPC\MiddlewareInterface;
+use Kanboard\Auth\ApiAccessTokenAuth;
 use Kanboard\Core\Base;
 
 /**
@@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface
      */
     private function isUserAuthenticated($username, $password)
     {
-        return $username !== 'jsonrpc' &&
-        ! $this->userLockingModel->isLocked($username) &&
-        $this->authenticationManager->passwordAuthentication($username, $password);
+        if ($username === 'jsonrpc') {
+            return false;
+        }
+
+        if ($this->userLockingModel->isLocked($username)) {
+            return false;
+        }
+
+        if ($this->userModel->has2FA($username)) {
+            $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized');
+            $this->authenticationManager->reset();
+            $this->authenticationManager->register(new ApiAccessTokenAuth($this->container));
+        }
+
+        return $this->authenticationManager->passwordAuthentication($username, $password);
     }
 
     /**