From 83483d63740c67be043f7609a0f3dbe1c881e23e Mon Sep 17 00:00:00 2001
From: Stavros
Date: Thu, 1 May 2025 13:05:48 +0300
Subject: [PATCH] fix: disable basic auth on totp users
---
 internal/handlers/handlers.go |  6 ++++++
 internal/hooks/hooks.go       | 24 +++++++++++++++++-------
 internal/types/types.go       |  1 +
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 31418f6..881b5d6 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -126,6 +126,12 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	// Get user context
 	userContext := h.Hooks.UseUserContext(c)
 
+	// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
+	if userContext.Provider == "basic" && userContext.TotpEnabled {
+		log.Warn().Str("username", userContext.Username).Msg("User has totp enabled, disabling basic auth")
+		userContext.IsLoggedIn = false
+	}
+
 	// Check if user is logged in
 	if userContext.IsLoggedIn {
 		log.Debug().Msg("Authenticated")
diff --git a/internal/hooks/hooks.go b/internal/hooks/hooks.go
index 876e93f..6b72591 100644
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
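Review bot: The TOTP gate is applied in AuthHandler only after UseUserContext has already minted a fully logged-in basic-auth context, so any other consumer of UseUserContext (none is visible here) would still receive IsLoggedIn: true for a TOTP user; since the hooks.go hunk in this same commit already has user.TotpSecret in hand, returning types.UserContext{} there would enforce the rule at the single place the context is built. If the handler-side check is kept, flipping only IsLoggedIn leaves Username, Name and Email populated for the code below, so `userContext = types.UserContext{}` in place of `userContext.IsLoggedIn = false` leaves no partially trusted context behind. AuthHandler's body continues outside the hunk.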
@@ -35,17 +35,27 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 	if basic != nil {
 		log.Debug().Msg("Got basic auth")
 
-		// Check if user exists and password is correct
+		// Get user
 		user := hooks.Auth.GetUser(basic.Username)
 
-		if user != nil && hooks.Auth.CheckPassword(*user, basic.Password) {
+		// Check we have a user
+		if user == nil {
+			log.Error().Str("username", basic.Username).Msg("User does not exist")
+
+			// Return empty context
+			return types.UserContext{}
+		}
+
+		// Check if the user has a correct password
+		if hooks.Auth.CheckPassword(*user, basic.Password) {
 			// Return user context since we are logged in with basic auth
 			return types.UserContext{
-				Username:   basic.Username,
-				Name:       utils.Capitalize(basic.Username),
-				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
-				IsLoggedIn: true,
-				Provider:   "basic",
+				Username:    basic.Username,
+				Name:        utils.Capitalize(basic.Username),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
+				IsLoggedIn:  true,
+				Provider:    "basic",
+				TotpEnabled: user.TotpSecret != "",
 			}
 		}
 
diff --git a/internal/types/types.go b/internal/types/types.go
index 2b1de64..d51e0d0 100644
--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -51,6 +51,7 @@ type UserContext struct {
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
+	TotpEnabled bool
 }
 
 // LoginAttempt tracks information about login attempts for rate limiting
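Review bot: The new `if user == nil` branch returns types.UserContext{} immediately, whereas a wrong password still falls through past the `if hooks.Auth.CheckPassword` block into the rest of UseUserContext, which continues outside the hunk; if that remainder falls back to other providers, an unknown basic-auth username now short-circuits the fallback while a bad password does not, a behaviour change the commit message does not mention. TotpEnabled is also computed only after CheckPassword has run, so a basic-auth request for a TOTP user still goes through a full password verification before the handler refuses it; checking `if user.TotpSecret != "" { log.Warn().Str("username", basic.Username).Msg("User has totp enabled, disabling basic auth"); return types.UserContext{} }` right after the nil check refuses the request before the password is ever compared. The `log.Error()` for an unknown username fires for whatever name an unauthenticated client puts in the Authorization header, so Warn, matching the handler's TOTP message, is the more appropriate level.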
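Review bot: TotpEnabled is added without a comment beside the equally undocumented TotpPending, and nothing in the struct says how the two differ or who sets them; from the other two hunks in this commit, `// TotpEnabled reports whether the user has a TOTP secret configured (set by UseUserContext); AuthHandler refuses basic auth when it is true.` captures what is established here. UserContext's definition starts above the hunk.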