35001.patch

Go MAEDA, 2022-01-16 08:58

Download (1.88 KB)

View differences:

app/controllers/application_controller.rb
129 129
      elsif /\ABasic /i.match?(request.authorization.to_s)
130 130
        # HTTP Basic, either username/password or API key/random
131 131
        authenticate_with_http_basic do |username, password|
132
          user = User.try_to_login(username, password) || User.find_by_api_key(username)
132
          user = User.try_to_login(username, password)
133
          # Don't allow using username/password when two-factor auth is active
134
          if user&.twofa_active?
135
            render_error :message => 'HTTP Basic authentication is not allowed. Use API key instead', :status => 401
136
            return
137
          end
138

  
139
          user ||= User.find_by_api_key(username)
133 140
        end
134 141
        if user && user.must_change_password?
135 142
          render_error :message => 'You must change your password', :status => 403
test/integration/api_test/authentication_test.rb
48 48
    assert_response 401
49 49
  end
50 50

  
51
  def test_api_should_deny_http_basic_auth_if_twofa_is_active
52
    user = User.generate! do |user|
53
      user.password = 'my_password'
54
      user.update(twofa_scheme: 'totp')
55
    end
56
    get '/users/current.xml', :headers => credentials(user.login, 'my_password')
57
    assert_response 401
58
  end
59

  
51 60
  def test_api_should_accept_http_basic_auth_using_api_key
52 61
    user = User.generate!
53 62
    token = Token.create!(:user => user, :action => 'api')