
Enforce app passwords in API for users with two-factor enabled

Skylar Ittner 1 month ago
parent
commit
3ca062d995
2 changed files with 17 additions and 17 deletions
  1. 13
    15
      api/functions.php
  2. 4
    2
      lib/User.lib.php

+ 13
- 15
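--- a/api/functions.php
+++ b/api/functions.php
@@ -55,24 +55,22 @@ function authenticate(): bool {
     global $VARS;
     // HTTP basic auth
     if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
-        $user = User::byUsername($_SERVER['PHP_AUTH_USER']);
-        if (!$user->checkPassword($_SERVER['PHP_AUTH_PW'])) {
-            return false;
-        }
-        return true;
-    }
-    // Form auth
-    if (empty($VARS['username']) || empty($VARS['password'])) {
-        return false;
-    } else {
+        $username = $_SERVER['PHP_AUTH_USER'];
+        $password = $_SERVER['PHP_AUTH_PW'];
+    } else if (!empty($VARS['username']) && !empty($VARS['password'])) {
         $username = $VARS['username'];
         $password = $VARS['password'];
-        $user = User::byUsername($username);
-        if ($user->exists() !== true || Login::auth($username, $password) !== Login::LOGIN_OK) {
-            return false;
-        }
+    } else {
+        return false;
+    }
+    $user = User::byUsername($username);
+    if (!$user->exists()) {
+        return false;
+    }
+    if ($user->checkPassword($password, true)) {
+        return true;
     }
-    return true;
+    return false;
 }
 
 /**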
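Review bot: The form-auth path no longer goes through `Login::auth($username, $password) !== Login::LOGIN_OK`; both credential sources now end at `$user->checkPassword($password, true)`, so whatever `Login::auth` verified beyond the password itself (the distinct `LOGIN_OK` result suggests other outcomes such as a disabled or locked account exist) is no longer applied to API form logins unless the `auth` call with the app-password flag covers the same ground — worth confirming, or reinstating that check after the password succeeds. The bare `true` argument also needs a why-comment at the call site, e.g. `// API clients must present an app password when the account has 2FA enabled`. Minor: returning early on `!$user->exists()` before the password check makes a failed login for an unknown username measurably faster than for a wrong password, which can leak which usernames exist; if that matters here, run the remote check regardless and combine the results. The body of authenticate() begins before this hunk (only its signature is visible in the hunk header).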

+ 4
- 2
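--- a/lib/User.lib.php
+++ b/lib/User.lib.php
@@ -88,10 +88,11 @@ class User {
     /**
      * Check the given plaintext password against the stored hash.
      * @param string $password
+     * @param bool $apppass Set to true to enforce app passwords when 2fa is on.
      * @return bool
      */
-    function checkPassword(string $password): bool {
-        $resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password]);
+    function checkPassword(string $password, bool $apppass = false): bool {
+        $resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password, 'apppass' => ($apppass ? "1" : "0")]);
         if ($resp['status'] == "OK") {
             return true;
         } else {
@@ -99,6 +100,7 @@ class User {
         }
     }
 
+
     function check2fa(string $code): bool {
         if (!$this->has2fa) {
             return true;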
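Review bot: The new `auth` request still decides success with `$resp['status'] == "OK"` on the next line, a loose comparison with no check that the key exists; since this result now gates API access for 2FA accounts, tighten it to `if (isset($resp['status']) && $resp['status'] === "OK") {` so an unexpected or malformed response from AccountHub cannot be read as success. The docblock summary "against the stored hash" was already inaccurate and is more so now that the check, including the app-password rule, is delegated to AccountHub; reword it along the lines of "Ask AccountHub to verify the password; with $apppass, an app password is required when 2FA is on". The `$apppass` default of false means every existing caller keeps the old behavior, which looks intended but is worth stating in the commit message. The second hunk only adds a blank line.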
