From 76ffa107ddcec2cbe98cd5e9b1eb0a3f573cf99b Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Thu, 22 Feb 2024 19:05:16 +0100
Subject: [PATCH] check admins' two-factor requirements in the disable API as
 well

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
---
 internal/httpd/api_admin.go  |  7 +++++++
 internal/httpd/httpd_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/internal/httpd/api_admin.go b/internal/httpd/api_admin.go
index b958478a..feb2a4d8 100644
--- a/internal/httpd/api_admin.go
+++ b/internal/httpd/api_admin.go
@@ -100,6 +100,13 @@ func disableAdmin2FA(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
+	if admin.Username == claims.Username {
+		if admin.Filters.RequireTwoFactor {
+			err := util.NewValidationError("two-factor authentication must be enabled")
+			sendAPIResponse(w, r, err, "", getRespStatus(err))
+			return
+		}
+	}
 	admin.Filters.RecoveryCodes = nil
 	admin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{
 		Enabled: false,
diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go
index 04cc7335..333ca00f 100644
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
@@ -3689,6 +3689,30 @@ func TestAdminTwoFactorRequirements(t *testing.T) {
 	assert.Contains(t, string(bodyResp), "two-factor authentication must be enabled")
 	err = resp.Body.Close()
 	assert.NoError(t, err)
+	// try to disable 2FA using the dedicated API
+	req, err = http.NewRequest(http.MethodPut, fmt.Sprintf("%v%v", httpBaseURL, path.Join(adminPath, altAdminUsername, "2fa", "disable")), nil)
+	assert.NoError(t, err)
+	setBearerForReq(req, token)
+	resp, err = httpclient.GetHTTPClient().Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	bodyResp, err = io.ReadAll(resp.Body)
+	assert.NoError(t, err)
+	assert.Contains(t, string(bodyResp), "two-factor authentication must be enabled")
+	err = resp.Body.Close()
+	assert.NoError(t, err)
+	// disabling 2FA using another admin should work
+	token, err = getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)
+	assert.NoError(t, err)
+	req, err = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername, "2fa", "disable"), nil)
+	assert.NoError(t, err)
+	setBearerForReq(req, token)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusOK, rr)
+	// check
+	admin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)
+	assert.NoError(t, err)
+	assert.False(t, admin.Filters.TOTPConfig.Enabled)
 
 	_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)
 	assert.NoError(t, err)