-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only allow token authentication with 2FA enabled #2184
Conversation
routers/repo/http.go
Outdated
} else { | ||
_, err = models.GetTwoFactorByUID(authUser.ID) | ||
|
||
if err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to also check that if !models.IsErrTwoFactorNotEnrolled(err)
and do ctx.Handle(http.StatusInternalServerError, "IsErrTwoFactorNotEnrolled", err) + return
otherwise if there is some kind of unexpected error you will let user in and it will bypass 2fa
routers/repo/http.go
Outdated
token, err := models.GetAccessTokenBySHA(authUsername) | ||
if authUser == nil { | ||
// Assume password is a token. | ||
token, err := models.GetAccessTokenBySHA(authPasswd) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to also check if user models.GetUserByName(authUsername)
returns correct user and validate that returned user.ID is equal to token.UID
@lafriks I refactored the routine according to your suggestions 👍 |
routers/repo/http.go
Outdated
@@ -167,13 +180,33 @@ func HTTP(ctx *context.Context) { | |||
} | |||
return | |||
} | |||
|
|||
tokenUser, err := models.GetUserByID(token.UID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need to get user by ID, you can just compare authUser.ID != token.UID
on line 190
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True!
routers/repo/http.go
Outdated
if err != nil { | ||
ctx.Handle(http.StatusInternalServerError, "GetUserByID", err) | ||
if !models.IsErrTwoFactorNotEnrolled(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think better structure for this code would be:
if err == nil {
ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")
return
} else if !models.IsErrTwoFactorNotEnrolled(err) {
ctx.Handle(http.StatusInternalServerError, "IsErrTwoFactorNotEnrolled", err)
return
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, indeed
@moritzheiber few more optimizations needed and than from me it would be LG-TM |
…tor authentication
@lafriks Should be all there now |
LGTM |
@moritzheiber I have tested and works as expected only thing that I found that does not match GitHub behaviour is that when 2FA is enabled it returns |
@lafriks The only grievance I'd have with that is that within Gitea that's completely undocumented. Nothing on the two-factor authentication page tells you that you need to create an application token in order to login while having 2FA enabled: This is probably going to confuse a lot of people. I know the response is probably the wrong time and place of conveying this, but as of right now it's the only one. |
Maybe than add todo comment that later for security reasons response should be changed to |
@lafriks Done. |
LGTM |
LGTM |
make CI work |
Fixes #1394
Previously, when a user had 2FA enabled they were still able to authenticate via HTTP(S) using their regular username and password. This PR makes token authentication mandatory for accounts with 2FA enabled.