fix: disable basic auth on totp users

2025-10-28 04:35:40 +00:00 · 2025-05-01 13:05:48 +03:00
parent aab01b3195
commit 83483d6374
3 changed files with 24 additions and 7 deletions
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -126,6 +126,12 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	// Get user context
 	userContext := h.Hooks.UseUserContext(c)

+	// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
+	if userContext.Provider == "basic" && userContext.TotpEnabled {
+		log.Warn().Str("username", userContext.Username).Msg("User has totp enabled, disabling basic auth")
+		userContext.IsLoggedIn = false
+	}
+
 	// Check if user is logged in
 	if userContext.IsLoggedIn {
 		log.Debug().Msg("Authenticated")
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
@@ -35,17 +35,27 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 	if basic != nil {
 		log.Debug().Msg("Got basic auth")

-		// Check if user exists and password is correct
+		// Get user
 		user := hooks.Auth.GetUser(basic.Username)

-		if user != nil && hooks.Auth.CheckPassword(*user, basic.Password) {
+		// Check we have a user
+		if user == nil {
+			log.Error().Str("username", basic.Username).Msg("User does not exist")
+
+			// Return empty context
+			return types.UserContext{}
+		}
+
+		// Check if the user has a correct password
+		if hooks.Auth.CheckPassword(*user, basic.Password) {
 			// Return user context since we are logged in with basic auth
 			return types.UserContext{
-				Username:   basic.Username,
-				Name:       utils.Capitalize(basic.Username),
-				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
-				IsLoggedIn: true,
-				Provider:   "basic",
+				Username:    basic.Username,
+				Name:        utils.Capitalize(basic.Username),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
+				IsLoggedIn:  true,
+				Provider:    "basic",
+				TotpEnabled: user.TotpSecret != "",
 			}
 		}

--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -51,6 +51,7 @@ type UserContext struct {
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
+	TotpEnabled bool
 }

 // LoginAttempt tracks information about login attempts for rate limiting