Authorize only API tokens when 2FA is enabled

2019-02-01 15:40:35 -08:00 · 2019-02-01 15:40:35 -08:00 · 233fd1a8a1
parent fa08493348
commit 233fd1a8a1
4 changed files with 31 additions and 4 deletions
--- a/app/Api/Middleware/AuthenticationMiddleware.php
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@ -5,6 +5,7 @@ namespace Kanboard\Api\Middleware;
 use JsonRPC\Exception\AccessDeniedException;
 use JsonRPC\Exception\AuthenticationFailureException;
 use JsonRPC\MiddlewareInterface;
+use Kanboard\Auth\ApiAccessTokenAuth;
 use Kanboard\Core\Base;

 /**
@ -48,9 +49,21 @@ class AuthenticationMiddleware extends Base implements MiddlewareInterface
     */
    private function isUserAuthenticated($username, $password)
    {
-        return $username !== 'jsonrpc' &&
-        ! $this->userLockingModel->isLocked($username) &&
-        $this->authenticationManager->passwordAuthentication($username, $password);
+        if ($username === 'jsonrpc') {
+            return false;
+        }
+
+        if ($this->userLockingModel->isLocked($username)) {
+            return false;
+        }
+
+        if ($this->userModel->has2FA($username)) {
+            $this->logger->info('This API user ('.$username.') as 2FA enabled: only API keys are authorized');
+            $this->authenticationManager->reset();
+            $this->authenticationManager->register(new ApiAccessTokenAuth($this->container));
+        }
+
+        return $this->authenticationManager->passwordAuthentication($username, $password);
    }

    /**
--- a/app/Core/Security/AuthenticationManager.php
+++ b/app/Core/Security/AuthenticationManager.php
@ -31,6 +31,11 @@ class AuthenticationManager extends Base
     */
    private $providers = array();

+    public function reset()
+    {
+        $this->providers = [];
+    }
+
    /**
     * Register a new authentication provider
     *
--- a/app/Model/UserModel.php
+++ b/app/Model/UserModel.php
@ -38,6 +38,15 @@ class UserModel extends Base
            ->exists();
    }

+    public function has2FA($username)
+    {
+        return $this->db->table(self::TABLE)
+            ->eq('username', $username)
+            ->eq('is_active', 1)
+            ->eq('twofactor_activated', 1)
+            ->exists();
+    }
+
    /**
     * Return true if the user exists
     *
--- a/app/ServiceProvider/AuthenticationProvider.php
+++ b/app/ServiceProvider/AuthenticationProvider.php
@ -2,13 +2,13 @@

 namespace Kanboard\ServiceProvider;

-use Kanboard\Auth\ApiAccessTokenAuth;
 use Pimple\Container;
 use Pimple\ServiceProviderInterface;
 use Kanboard\Core\Security\AuthenticationManager;
 use Kanboard\Core\Security\AccessMap;
 use Kanboard\Core\Security\Authorization;
 use Kanboard\Core\Security\Role;
+use Kanboard\Auth\ApiAccessTokenAuth;
 use Kanboard\Auth\RememberMeAuth;
 use Kanboard\Auth\DatabaseAuth;
 use Kanboard\Auth\LdapAuth;