From 233fd1a8a1e4da808ce34f91194a423522e5c478 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Fri, 1 Feb 2019 15:40:35 -0800
Subject: Authorize only API tokens when 2FA is enabled

---
 app/Api/Middleware/AuthenticationMiddleware.php | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'app/Api/Middleware/AuthenticationMiddleware.php')

diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php
index 22a3558b..b30c8865 100644
--- a/app/Api/Middleware/AuthenticationMiddleware.php
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware;
 use JsonRPC\Exception\AccessDeniedException;
 use JsonRPC\Exception\AuthenticationFailureException;
 use JsonRPC\MiddlewareInterface;
+use Kanboard\Auth\ApiAccessTokenAuth;
 use Kanboard\Core\Base;
 
 /**
@@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface
      */
     private function isUserAuthenticated($username, $password)
     {
-        return $username !== 'jsonrpc' &&
-            ! $this->userLockingModel->isLocked($username) &&
-            $this->authenticationManager->passwordAuthentication($username, $password);
+        if ($username === 'jsonrpc') {
+            return false;
+        }
+
+        if ($this->userLockingModel->isLocked($username)) {
+            return false;
+        }
+
+        if ($this->userModel->has2FA($username)) {
+            $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized');
+            $this->authenticationManager->reset();
+            $this->authenticationManager->register(new ApiAccessTokenAuth($this->container));
+        }
+
+        return $this->authenticationManager->passwordAuthentication($username, $password);
     }
 
     /**
-- 
cgit v1.2.3
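Review bot: The 2FA branch in isUserAuthenticated replaces the providers on the shared authenticationManager (`reset()` followed by `register(new ApiAccessTokenAuth(...))`) and never restores them, so if this middleware is invoked more than once in the same process — for example a JSON-RPC batch containing a request for a 2FA user followed by one for a non-2FA user — the later call is also restricted to token authentication; whether the manager is per-request is not visible in this hunk and should be confirmed. If it is shared, prefer running the token check against a locally constructed `ApiAccessTokenAuth` (or restoring the previous providers after the call) instead of mutating the manager, and add a comment such as `// 2FA users may only authenticate with an API access token, never their password` above the branch so the intent is explicit. Separately, the info message has a typo and should read `'This API user ('.$username.') has 2FA enabled: only API keys are authorized'`. Note that this message is emitted before any credential has been checked, so any unauthenticated caller can cause it to be logged for an arbitrary username; logging it at debug level, or only after a failed attempt, would keep the audit log quieter.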