WebClient: enforce 2fa and password requirements also with OIDC
Some checks failed
Code scanning - action / CodeQL-Build (push) Has been cancelled
CI / Test and deploy (push) Has been cancelled
CI / Test build flags (push) Has been cancelled
CI / Test with PgSQL/MySQL/Cockroach (push) Has been cancelled
CI / Build Linux packages (push) Has been cancelled
CI / golangci-lint (push) Has been cancelled
Docker / Build (push) Has been cancelled

password and 2fa can be used with other protocols

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2024-10-21 20:40:44 +02:00
parent 7e7005f5b3
commit 8d697bcc94
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
3 changed files with 31 additions and 17 deletions

View file

@ -222,6 +222,9 @@ type oidcToken struct {
Username string `json:"username"` Username string `json:"username"`
Permissions []string `json:"permissions"` Permissions []string `json:"permissions"`
HideUserPageSections int `json:"hide_user_page_sections,omitempty"` HideUserPageSections int `json:"hide_user_page_sections,omitempty"`
MustSetTwoFactorAuth bool `json:"must_set_2fa,omitempty"`
MustChangePassword bool `json:"must_change_password,omitempty"`
RequiredTwoFactorProtocols []string `json:"required_two_factor_protocols,omitempty"`
TokenRole string `json:"token_role,omitempty"` // SFTPGo role name TokenRole string `json:"token_role,omitempty"` // SFTPGo role name
Role any `json:"role"` // oidc user role: SFTPGo user or admin Role any `json:"role"` // oidc user role: SFTPGo user or admin
CustomFields *map[string]any `json:"custom_fields,omitempty"` CustomFields *map[string]any `json:"custom_fields,omitempty"`
@ -399,6 +402,9 @@ func (t *oidcToken) refreshUser(r *http.Request) error {
} }
t.Permissions = user.Filters.WebClient t.Permissions = user.Filters.WebClient
t.TokenRole = user.Role t.TokenRole = user.Role
t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
t.MustChangePassword = user.MustChangePassword()
t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
return nil return nil
} }
@ -470,6 +476,9 @@ func (t *oidcToken) getUser(r *http.Request) error {
dataprovider.UpdateLastLogin(user) dataprovider.UpdateLastLogin(user)
t.Permissions = user.Filters.WebClient t.Permissions = user.Filters.WebClient
t.TokenRole = user.Role t.TokenRole = user.Role
t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
t.MustChangePassword = user.MustChangePassword()
t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
return nil return nil
} }
@ -550,6 +559,11 @@ func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next h
Role: token.TokenRole, Role: token.TokenRole,
HideUserPageSections: token.HideUserPageSections, HideUserPageSections: token.HideUserPageSections,
} }
if audience == tokenAudienceWebClient {
jwtTokenClaims.MustSetTwoFactorAuth = token.MustSetTwoFactorAuth
jwtTokenClaims.MustChangePassword = token.MustChangePassword
jwtTokenClaims.RequiredTwoFactorProtocols = token.RequiredTwoFactorProtocols
}
_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr)) _, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))
if err != nil { if err != nil {
setFlashMessage(w, r, newFlashMessage("Unable to create cookie", util.I18nError500Message)) setFlashMessage(w, r, newFlashMessage("Unable to create cookie", util.I18nError500Message))

View file

@ -427,7 +427,7 @@
"save_err": "Failed to save two-factor authentication configuration", "save_err": "Failed to save two-factor authentication configuration",
"auth_code_required": "The authentication code is required", "auth_code_required": "The authentication code is required",
"no_protocol": "Please select at least a protocol", "no_protocol": "Please select at least a protocol",
"required_protocols": "Unable to disable two-factor authentication. The security policy configured for your account requires two-factor authentication for the following protocols: {{val}}", "required_protocols": "The security policy configured for your account requires two-factor authentication for the following protocols: {{val}}",
"recovery_codes_generate": "Generate new recovery codes", "recovery_codes_generate": "Generate new recovery codes",
"recovery_codes_view": "View recovery codes" "recovery_codes_view": "View recovery codes"
}, },

View file

@ -427,7 +427,7 @@
"save_err": "Impossibile salvare la configurazione dell'autenticazione a due fattori", "save_err": "Impossibile salvare la configurazione dell'autenticazione a due fattori",
"auth_code_required": "Il codice di autenticazione è obbligatorio", "auth_code_required": "Il codice di autenticazione è obbligatorio",
"no_protocol": "Seleziona almeno un protocollo", "no_protocol": "Seleziona almeno un protocollo",
"required_protocols": "Impossibile disabilitare l'autenticazione a due fattori. La politica di sicurezza configurata per il tuo account richiede l'autenticazione a due fattori per i seguenti protocolli: {{val}}", "required_protocols": "La politica di sicurezza configurata per il tuo account richiede l'autenticazione a due fattori per i seguenti protocolli: {{val}}",
"recovery_codes_generate": "Genera nuovi codici di ripristino", "recovery_codes_generate": "Genera nuovi codici di ripristino",
"recovery_codes_view": "Visualizza codici di ripristino" "recovery_codes_view": "Visualizza codici di ripristino"
}, },