diff options
author | Frédéric Guillot <fred@kanboard.net> | 2019-02-01 15:40:35 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2019-02-01 15:40:35 -0800 |
commit | 233fd1a8a1e4da808ce34f91194a423522e5c478 (patch) | |
tree | 87f4f2be0c3bda9f958755bcfc9a71037113cb57 /app/Api | |
parent | fa08493348f54fae3eed64f8de4eb5893000a918 (diff) |
Authorize only API tokens when 2FA is enabled
Diffstat (limited to 'app/Api')
-rw-r--r-- | app/Api/Middleware/AuthenticationMiddleware.php | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php index 22a3558b..b30c8865 100644 --- a/app/Api/Middleware/AuthenticationMiddleware.php +++ b/app/Api/Middleware/AuthenticationMiddleware.php @@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware; use JsonRPC\Exception\AccessDeniedException; use JsonRPC\Exception\AuthenticationFailureException; use JsonRPC\MiddlewareInterface; +use Kanboard\Auth\ApiAccessTokenAuth; use Kanboard\Core\Base; /** @@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface */ private function isUserAuthenticated($username, $password) { - return $username !== 'jsonrpc' && - ! $this->userLockingModel->isLocked($username) && - $this->authenticationManager->passwordAuthentication($username, $password); + if ($username === 'jsonrpc') { + return false; + } + + if ($this->userLockingModel->isLocked($username)) { + return false; + } + + if ($this->userModel->has2FA($username)) { + $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized'); + $this->authenticationManager->reset(); + $this->authenticationManager->register(new ApiAccessTokenAuth($this->container)); + } + + return $this->authenticationManager->passwordAuthentication($username, $password); } /** |