Browse Source

Enforce app passwords in API for users with two-factor enabled

master
Skylar Ittner 9 months ago
parent
commit
3ca062d995
2 changed files with 17 additions and 17 deletions
  1. 13
    15
      api/functions.php
  2. 4
    2
      lib/User.lib.php

+ 13
- 15
api/functions.php View File

@@ -55,24 +55,22 @@ function authenticate(): bool {
global $VARS;
// HTTP basic auth
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
$user = User::byUsername($_SERVER['PHP_AUTH_USER']);
if (!$user->checkPassword($_SERVER['PHP_AUTH_PW'])) {
return false;
}
return true;
}
// Form auth
if (empty($VARS['username']) || empty($VARS['password'])) {
return false;
} else {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
} else if (!empty($VARS['username']) && !empty($VARS['password'])) {
$username = $VARS['username'];
$password = $VARS['password'];
$user = User::byUsername($username);
if ($user->exists() !== true || Login::auth($username, $password) !== Login::LOGIN_OK) {
return false;
}
} else {
return false;
}
$user = User::byUsername($username);
if (!$user->exists()) {
return false;
}
if ($user->checkPassword($password, true)) {
return true;
}
return true;
return false;
}

/**

+ 4
- 2
lib/User.lib.php View File

@@ -88,10 +88,11 @@ class User {
/**
* Check the given plaintext password against the stored hash.
* @param string $password
* @param bool $apppass Set to true to enforce app passwords when 2fa is on.
* @return bool
*/
function checkPassword(string $password): bool {
$resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password]);
function checkPassword(string $password, bool $apppass = false): bool {
$resp = AccountHubApi::get("auth", ['username' => $this->username, 'password' => $password, 'apppass' => ($apppass ? "1" : "0")]);
if ($resp['status'] == "OK") {
return true;
} else {
@@ -99,6 +100,7 @@ class User {
}
}


function check2fa(string $code): bool {
if (!$this->has2fa) {
return true;

Loading…
Cancel
Save