beenull/sftpgo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

check admins' two-factor requirements in the disable API as well

Browse source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2024-02-22 19:05:16 +01:00
parent 9a6a65931e
commit 76ffa107dd
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
2 changed files with 31 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
internal/httpd/api_admin.go
View file

@ -100,6 +100,13 @@ func disableAdmin2FA(w http.ResponseWriter, r *http.Request) {
sendAPIResponse(w, r, err, "", getRespStatus(err))
return
}
if admin.Username == claims.Username {
if admin.Filters.RequireTwoFactor {
err := util.NewValidationError("two-factor authentication must be enabled")
sendAPIResponse(w, r, err, "", getRespStatus(err))
return
}
}
admin.Filters.RecoveryCodes = nil
admin.Filters.TOTPConfig = dataprovider.AdminTOTPConfig{
Enabled: false,

24
internal/httpd/httpd_test.go
View file

@ -3689,6 +3689,30 @@ func TestAdminTwoFactorRequirements(t *testing.T) {
assert.Contains(t, string(bodyResp), "two-factor authentication must be enabled")
err = resp.Body.Close()
assert.NoError(t, err)
// try to disable 2FA using the dedicated API
req, err = http.NewRequest(http.MethodPut, fmt.Sprintf("%v%v", httpBaseURL, path.Join(adminPath, altAdminUsername, "2fa", "disable")), nil)
assert.NoError(t, err)
setBearerForReq(req, token)
resp, err = httpclient.GetHTTPClient().Do(req)
assert.NoError(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
bodyResp, err = io.ReadAll(resp.Body)
assert.NoError(t, err)
assert.Contains(t, string(bodyResp), "two-factor authentication must be enabled")
err = resp.Body.Close()
assert.NoError(t, err)
// disabling 2FA using another admin should work
token, err = getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass)
assert.NoError(t, err)
req, err = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername, "2fa", "disable"), nil)
assert.NoError(t, err)
setBearerForReq(req, token)
rr = executeRequest(req)
checkResponseCode(t, http.StatusOK, rr)
// check
admin, _, err = httpdtest.GetAdminByUsername(altAdminUsername, http.StatusOK)
assert.NoError(t, err)
assert.False(t, admin.Filters.TOTPConfig.Enabled)
_, err = httpdtest.RemoveAdmin(admin, http.StatusOK)
assert.NoError(t, err)