authorFrédéric Guillot <fred@kanboard.net>2019-02-01 15:40:35 -0800
committerFrédéric Guillot <fred@kanboard.net>2019-02-01 15:40:35 -0800
commit233fd1a8a1e4da808ce34f91194a423522e5c478 (patch)
tree87f4f2be0c3bda9f958755bcfc9a71037113cb57 /app
parentfa08493348f54fae3eed64f8de4eb5893000a918 (diff)
Authorize only API tokens when 2FA is enabled
Diffstat (limited to 'app')
-rw-r--r--app/Api/Middleware/AuthenticationMiddleware.php19
-rw-r--r--app/Core/Security/AuthenticationManager.php5
-rw-r--r--app/Model/UserModel.php9
-rw-r--r--app/ServiceProvider/AuthenticationProvider.php2
4 files changed, 31 insertions, 4 deletions
diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php
index 22a3558b..b30c8865 100644
--- a/app/Api/Middleware/AuthenticationMiddleware.php
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware;
use JsonRPC\Exception\AccessDeniedException;
use JsonRPC\Exception\AuthenticationFailureException;
use JsonRPC\MiddlewareInterface;
+use Kanboard\Auth\ApiAccessTokenAuth;
use Kanboard\Core\Base;
/**
@@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface
*/
private function isUserAuthenticated($username, $password)
{
- return $username !== 'jsonrpc' &&
- ! $this->userLockingModel->isLocked($username) &&
- $this->authenticationManager->passwordAuthentication($username, $password);
+ if ($username === 'jsonrpc') {
+ return false;
+ }
+
+ if ($this->userLockingModel->isLocked($username)) {
+ return false;
+ }
+
+ if ($this->userModel->has2FA($username)) {
+ $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized');
+ $this->authenticationManager->reset();
+ $this->authenticationManager->register(new ApiAccessTokenAuth($this->container));
+ }
+
+ return $this->authenticationManager->passwordAuthentication($username, $password);
}
/**
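Review bot: The API-token-only restriction depends on `has2FA()`, which (per this commit's UserModel hunk) only matches rows with `is_active = 1`, so a deactivated user who had 2FA enabled skips the `reset()`/`register()` branch and goes through the full `passwordAuthentication()` provider chain; whether every registered provider rejects inactive accounts is not visible here, so it would be safer to fail closed with an explicit `if (! $this->userModel->isActive($username)) { return false; }` guard before the 2FA check, or to drop the `is_active` filter from `has2FA()` so inactive-plus-2FA users are still limited to token auth. The log line also has a typo and should read `'This API user ('.$username.') has 2FA enabled: only API keys are authorized'`. Note that `reset()` discards every provider for the remainder of the request, which is presumably fine for a one-shot API call but is worth a comment such as `// 2FA users may only use access tokens: drop password/LDAP providers for this request`.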
diff --git a/app/Core/Security/AuthenticationManager.php b/app/Core/Security/AuthenticationManager.php
index e7a3c8d4..05ad6485 100644
--- a/app/Core/Security/AuthenticationManager.php
+++ b/app/Core/Security/AuthenticationManager.php
@@ -31,6 +31,11 @@ class AuthenticationManager extends Base
*/
private $providers = array();
+ public function reset()
+ {
+ $this->providers = [];
+ }
+
/**
* Register a new authentication provider
*
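Review bot: `reset()` is added without a docblock, while the `$providers` property and `register()` right next to it carry the class's usual `/** ... @access ... */` block, and its effect (every registered provider is discarded until something calls `register()` again) is the kind of side effect a caller needs spelled out. I would add a docblock along the lines of `/** Remove all registered authentication providers; callers must register at least one provider afterwards or every authentication attempt will fail. @access public */`. The body also uses `[]` where the surrounding code (`private $providers = array();`) uses `array()`; either is fine, but the file should stick to one form.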
diff --git a/app/Model/UserModel.php b/app/Model/UserModel.php
index d8db3270..32d0c888 100644
--- a/app/Model/UserModel.php
+++ b/app/Model/UserModel.php
@@ -38,6 +38,15 @@ class UserModel extends Base
->exists();
}
+ public function has2FA($username)
+ {
+ return $this->db->table(self::TABLE)
+ ->eq('username', $username)
+ ->eq('is_active', 1)
+ ->eq('twofactor_activated', 1)
+ ->exists();
+ }
+
/**
* Return true if the user exists
*
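Review bot: `has2FA()` lacks the docblock its neighbours have, and its name hides the fact that it also requires `is_active = 1`, so a caller reading only the name would assume it reports the 2FA flag alone. A docblock in the file's existing style should state that it returns true only for an active user with `twofactor_activated` set, with `@access public`, `@param string $username` and `@return bool`; alternatively, renaming or splitting the active check out would make the callsite in `AuthenticationMiddleware` easier to audit. Whether inactive users with 2FA are still restricted to API tokens then depends on that callsite, which is not in this hunk.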
diff --git a/app/ServiceProvider/AuthenticationProvider.php b/app/ServiceProvider/AuthenticationProvider.php
index 668d6d6b..066f45e5 100644
--- a/app/ServiceProvider/AuthenticationProvider.php
+++ b/app/ServiceProvider/AuthenticationProvider.php
@@ -2,13 +2,13 @@
namespace Kanboard\ServiceProvider;
-use Kanboard\Auth\ApiAccessTokenAuth;
use Pimple\Container;
use Pimple\ServiceProviderInterface;
use Kanboard\Core\Security\AuthenticationManager;
use Kanboard\Core\Security\AccessMap;
use Kanboard\Core\Security\Authorization;
use Kanboard\Core\Security\Role;
+use Kanboard\Auth\ApiAccessTokenAuth;
use Kanboard\Auth\RememberMeAuth;
use Kanboard\Auth\DatabaseAuth;
use Kanboard\Auth\LdapAuth;