Skip to content

Commit

Permalink
check admins' two-factor requirements in the disable API as well
Browse files Browse the repository at this point in the history 
Signed-off-by: Nicola Murino <[email protected]>
  • Loading branch information
@drakkan
drakkan committed Feb 22, 2024
1 parent 9a6a659 commit 76ffa10
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 0 deletions.
7 changes: 7 additions & 0 deletions internal/httpd/api_admin.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,13 @@ func disableAdmin2FA(w http.ResponseWriter, r *http.Request) {
sendAPIResponse(w, r, err, "", getRespStatus(err))
return
}
if admin.Username == claims.Username {
if admin.Filters.RequireTwoFactor {
err := util.NewValidationError("two-factor authentication must be enabled")
sendAPIResponse(w, r, err, "", getRespStatus(err))
return
}
}
admin.Filters.RecoveryCodes = nil
admin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{
Enabled: false,
Expand Down
24 changes: 24 additions & 0 deletions internal/httpd/httpd_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3689,6 +3689,30 @@ func TestAdminTwoFactorRequirements(t *testing.T) {
assert.Contains(t, string(bodyResp), "two-factor authentication must be enabled")
err = resp.Body.Close()
assert.NoError(t, err)
// try to disable 2FA using the dedicated API
req, err = http.NewRequest(http.MethodPut, fmt.Sprintf("%v%v", httpBaseURL, path.Join(adminPath, altAdminUsername, "2fa", "disable")), nil)
assert.NoError(t, err)
setBearerForReq(req, token)
resp, err = httpclient.GetHTTPClient().Do(req)
assert.NoError(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
bodyResp, err = io.ReadAll(resp.Body)
assert.NoError(t, err)
assert.Contains(t, string(bodyResp), "two-factor authentication must be enabled")
err = resp.Body.Close()
assert.NoError(t, err)
// disabling 2FA using another admin should work
token, err = getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)
assert.NoError(t, err)
req, err = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername, "2fa", "disable"), nil)
assert.NoError(t, err)
setBearerForReq(req, token)
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
// check
admin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)
assert.NoError(t, err)
assert.False(t, admin.Filters.TOTPConfig.Enabled)

_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)
assert.NoError(t, err)
Expand Down

0 comments on commit 76ffa10

Please sign in to comment.