diff options
| author | Byron Jones <glob@mozilla.com> | 2015-09-01 07:01:20 +0200 |
|---|---|---|
| committer | Byron Jones <glob@mozilla.com> | 2015-09-01 07:01:20 +0200 |
| commit | 421ff7f194875db9634ea783d9dd5b6111f19df3 (patch) | |
| tree | 5806e9f3001fa4f33ba85aa94856b70a7f878cf8 /Bugzilla/Auth | |
| parent | bcc93f83a64a76cd73501eaefaf5fd073fbc3f0d (diff) | |
| download | bugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.gz bugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.xz | |
Bug 1197073 - add support for 2fa using totp (eg. google authenticator)
Diffstat (limited to 'Bugzilla/Auth')
| -rw-r--r-- | Bugzilla/Auth/Login/Cookie.pm | 12 | ||||
| -rw-r--r-- | Bugzilla/Auth/Verify/DB.pm | 11 |
2 files changed, 22 insertions, 1 deletions
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 738d26b21..0b5842523 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -40,7 +40,7 @@ sub get_login_info { my ($self) = @_; my $cgi = Bugzilla->cgi; my $dbh = Bugzilla->dbh; - my ($user_id, $login_cookie); + my ($user_id, $login_cookie, $is_internal); if (!Bugzilla->request_cache->{auth_no_automatic_login}) { $login_cookie = $cgi->cookie("Bugzilla_logincookie"); @@ -82,6 +82,7 @@ sub get_login_info { { ThrowUserError('auth_invalid_token', { token => $api_token }); } + $is_internal = 1; } } } @@ -112,6 +113,15 @@ sub get_login_info { # If the cookie is valid, return a valid username. if (defined $db_cookie && $login_cookie eq $db_cookie) { + + # forbid logging in with a cookie if only api-keys are allowed + if (i_am_webservice() && !$is_internal) { + my $user = Bugzilla::User->new({ id => $user_id, cache => 1 }); + if ($user->settings->{api_key_only}->{value} eq 'on') { + ThrowUserError('invalid_cookies_or_token'); + } + } + # If we logged in successfully, then update the lastused # time on the login cookie $dbh->do("UPDATE logincookies SET lastused = NOW() diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm index aaa1b6c87..ea86346e1 100644 --- a/Bugzilla/Auth/Verify/DB.pm +++ b/Bugzilla/Auth/Verify/DB.pm @@ -53,6 +53,7 @@ sub check_credentials { } my $password = $login_data->{password}; + return { failure => AUTH_NODATA } unless defined $login_data->{password}; my $real_password_crypted = $user->cryptpassword; # Using the internal crypted password as the salt, @@ -105,6 +106,16 @@ sub check_credentials { $user->update(); } + if (i_am_webservice() && $user->settings->{api_key_only}->{value} eq 'on') { + # api-key verification happens in Auth/Login/APIKey + # token verification happens in Auth/Login/Cookie + # if we get here from an api call then we must be using user/pass + return { + failure => AUTH_ERROR, + user_error => 'invalid_auth_method', + }; + } + return $login_data; } |