summaryrefslogtreecommitdiff
path: root/app/Api
diff options
context:
space:
mode:
authorFrédéric Guillot <fred@kanboard.net>2019-02-01 15:40:35 -0800
committerFrédéric Guillot <fred@kanboard.net>2019-02-01 15:40:35 -0800
commit233fd1a8a1e4da808ce34f91194a423522e5c478 (patch)
tree87f4f2be0c3bda9f958755bcfc9a71037113cb57 /app/Api
parentfa08493348f54fae3eed64f8de4eb5893000a918 (diff)
Authorize only API tokens when 2FA is enabled
Diffstat (limited to 'app/Api')
-rw-r--r--app/Api/Middleware/AuthenticationMiddleware.php19
1 files changed, 16 insertions, 3 deletions
diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php
index 22a3558b..b30c8865 100644
--- a/app/Api/Middleware/AuthenticationMiddleware.php
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware;
use JsonRPC\Exception\AccessDeniedException;
use JsonRPC\Exception\AuthenticationFailureException;
use JsonRPC\MiddlewareInterface;
+use Kanboard\Auth\ApiAccessTokenAuth;
use Kanboard\Core\Base;
/**
@@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface
*/
private function isUserAuthenticated($username, $password)
{
- return $username !== 'jsonrpc' &&
- ! $this->userLockingModel->isLocked($username) &&
- $this->authenticationManager->passwordAuthentication($username, $password);
+ if ($username === 'jsonrpc') {
+ return false;
+ }
+
+ if ($this->userLockingModel->isLocked($username)) {
+ return false;
+ }
+
+ if ($this->userModel->has2FA($username)) {
+ $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized');
+ $this->authenticationManager->reset();
+ $this->authenticationManager->register(new ApiAccessTokenAuth($this->container));
+ }
+
+ return $this->authenticationManager->passwordAuthentication($username, $password);
}
/**