Skip to content

AppAPI: allow to bypass Two-Factor #42479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 29, 2023
Merged

AppAPI: allow to bypass Two-Factor #42479

merged 1 commit into from
Dec 29, 2023
+25 −7

Conversation

bigcat88
Copy link
Member

@bigcat88 bigcat88 commented Dec 25, 2023
edited
Loading

  • Resolves: AppAPI with TwoFactor Auth enabled

Summary

AppAPI must support passing two-factor authentication so that ExApps can work in such systems.
By design they should do so.

Original issue where it was discovered(we just completely forgot about two-factor auth):
nextcloud/app_api#181

Since the context_chat was already released we should provide a fix for this situation.
Also the backport to stable28 branch is required, as this is a bug that blocks all Apps developed for AppAPI to work in most production systems.
If possible, also a backport to stable27 branch will be nice.

Ref:

Checklist

Sorry, something went wrong.

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 25, 2023
View reviewed changes
core/Middleware/TwoFactorMiddleware.php
if ($this->session->exists('app_password') || $this->twoFactorManager->isTwoFactorAuthenticated($user)) {
if ($this->session->exists('app_password')
|| $this->session->exists('app_api')
|| $this->twoFactorManager->isTwoFactorAuthenticated($user)) {

Check notice

Code scanning / Psalm

PossiblyNullArgument

Argument 1 of OC\Authentication\TwoFactorAuth\Manager::isTwoFactorAuthenticated cannot be null, possibly null value provided
@bigcat88 bigcat88 changed the title AppAPI: allowed to bypass Two-Factor AppAPI: allow to bypass Two-Factor Dec 25, 2023
@AndyScherzinger AndyScherzinger requested review from sorbaugh and removed request for AndyScherzinger December 25, 2023 21:20
@bigcat88 bigcat88 added the bug label Dec 26, 2023
ChristophWurst
ChristophWurst reviewed Dec 27, 2023
View reviewed changes
@bigcat88 bigcat88 mentioned this pull request Dec 27, 2023
Merged
bigcat88 added a commit to nextcloud/app_api that referenced this pull request Dec 27, 2023
@bigcat88
docs: app_api session keys (#182)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
c60aaff 
Ref: #181
Ref: nextcloud/server#42479
ChristophWurst
ChristophWurst approved these changes Dec 27, 2023
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good but didn't test

Please squash your commits into one

@juliusknorr
Copy link
Member

juliusknorr commented Dec 28, 2023
edited
Loading

CI failure seems related, please fix and squash in this PR

Time: 00:26.907, Memory: 193.03 MB

There was 1 failure:

1) Test\Authentication\TwoFactorAuth\ManagerTest::testNeedsSecondFactorSessionAuth
Expectation failed for method name is "get" when invoked 1 time(s)
Parameter 0 for invocation OCP\ISession::get('app_api') does not match expected value.
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'two_factor_auth_passed'
+'app_api'

/drone/src/lib/private/Authentication/TwoFactorAuth/Manager.php:322
/drone/src/tests/lib/Authentication/TwoFactorAuth/ManagerTest.php:640

--

@bigcat88 bigcat88 force-pushed the appapi-twofactor branch 2 times, most recently from ce4c53b to 489b816 Compare December 28, 2023 14:36
@bigcat88
AppAPI: allowed to bypass Two-Factor
26d343d 
Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
@bigcat88 bigcat88 merged commit cdc2723 into master Dec 29, 2023
@bigcat88 bigcat88 deleted the appapi-twofactor branch December 29, 2023 08:29
@bigcat88
Copy link
Member Author

/backport to stable28

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Dec 29, 2023
Merged
@bigcat88
Copy link
Member Author

/backport to stable27

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Dec 29, 2023
Merged
@blizzz blizzz mentioned this pull request Mar 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst

@andrey18106 andrey18106

@miaulalala miaulalala

@nickvergessen nickvergessen

@st3iny st3iny

@sorbaugh sorbaugh

Assignees
No one assigned
Labels
3. to review Waiting for reviews bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bigcat88 @juliusknorr @ChristophWurst @andrey18106