D5886.1779458841.diff
diff --git a/src/app/Auth/SecondFactor.php b/src/app/Auth/SecondFactor.php
--- a/src/app/Auth/SecondFactor.php
+++ b/src/app/Auth/SecondFactor.php
@@ -34,6 +34,18 @@
parent::__construct();
}
+ /**
+ * Check if a second factor is available
+ *
+ * @param string $secondfactor the 2-factor authentication code
+ *
+ * @returns bool true when active
+ */
+ public function isActive(): bool
+ {
+ return !empty($this->factors());
+ }
+
/**
* Validate 2-factor authentication code
*
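Review bot: The docblock on the new `isActive()` documents a `$secondfactor` parameter that the method does not take, and uses `@returns` where PHPDoc expects `@return`. Since the body is just `return !empty($this->factors());`, the header should describe availability of configured factors, not code validation; suggested: `/** Whether the user has at least one second factor configured. @return bool true when active */`. The stale `@param` line should be dropped so static analysers and readers are not misled about the signature.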
diff --git a/src/app/User.php b/src/app/User.php
--- a/src/app/User.php
+++ b/src/app/User.php
@@ -907,7 +907,7 @@
*
* @return array ['user', 'reason', 'errorMessage']
*/
- public static function findAndAuthenticate($username, $password, $clientIP = null, $withChecks = true): array
+ public static function findAndAuthenticate($username, $password, $clientIP = null, $withChecks = true, $scope = null): array
{
$error = null;
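Review bot: The new `$scope` parameter on `findAndAuthenticate()` is added without a type and without a `@param` entry in the docblock directly above it, even though that docblock already documents the return shape. Declaring it as `?string $scope = null` and adding `@param string|null $scope token scope of the request; "config" skips the second-factor gate` makes the accepted values explicit for callers and for the comparison in the hunk at @@ -927. findAndAuthenticate's body continues outside this hunk.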
@@ -927,11 +927,27 @@
$error = AuthAttempt::REASON_PASSWORD;
}
} else {
+ // We take this path for non-token (username/password) authentication.
+ // Normally need to check the second factor, with some specific exceptions
+ // for service accounts and "config" scope tokens which are used to obtain the second factor.
+ // For all external clients (imap/smtp/activesync/dav) 2fa will break authentication once enabled.
+ // The fix for that are application passwords which should be long living tokens, and would thus not end up
+ // in this code-path.
+
if ($user->role == self::ROLE_SERVICE) {
$withChecks = false;
+ } else if ($scope == "config") {
+ $withChecks = false;
+ } else {
+ if ((new SecondFactor($user))->isActive()) {
+ $withChecks = false;
+ $error = AuthAttempt::REASON_2FA_GENERIC;
+ $message = "Not available with 2fa configured";
+ }
}
- if (!$withChecks) {
+ // We only try the cache if we don't run into the 2fa check above.
+ if (!$withChecks && !$error) {
$cacheId = hash('sha256', "{$user->id}-{$password}");
// Skip the slow password verification for cases where we also don't verify mfa.
// We rely on this for fast cyrus-sasl authentication.
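Review bot: The scope gate `} else if ($scope == "config") {` uses loose comparison and the cache guard `if (!$withChecks && !$error)` depends on the truthiness of whatever `AuthAttempt::REASON_*` holds; because this branch decides whether the second-factor gate is skipped, both should be strict: `} elseif ($scope === 'config') {` and `if (!$withChecks && $error === null) {`. The `"config"` exemption lets a password-only login succeed without a second factor for any non-service user whose request carries that scope, so it is only as safe as the restrictions on tokens issued with that scope, which the comment asserts but this hunk cannot show; worth confirming where `$scope` is derived from the request. `$message` is assigned on the 2fa branch, but the hunk shows neither its initialisation nor its use, so if the function does not build `errorMessage` from it elsewhere the assignment is dead. findAndAuthenticate's body continues beyond this hunk.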
@@ -1018,7 +1034,7 @@
$verifyMFA = false;
}
- $result = self::findAndAuthenticate($username, $password, null, $verifyMFA);
+ $result = self::findAndAuthenticate($username, $password, null, $verifyMFA, $scope);
if (isset($result['reason'])) {
switch ($result['reason']) {
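Review bot: The call now forwards `$scope`, but the hunk does not show where `$scope` is assigned in the enclosing function; if some path never sets it, PHP passes null with an undefined-variable warning and the request silently falls through to the second-factor gate rather than the config exemption. Initialising `$scope = null;` alongside `$verifyMFA`, or reading it explicitly from the request before this call, would make the intent visible. The enclosing function starts and ends outside this hunk.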
