fix: disable basic auth on totp users

internal/handlers/handlers.go

@@ -126,6 +126,12 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	// Get user context
 	userContext := h.Hooks.UseUserContext(c)
 
+	// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
+	if userContext.Provider == "basic" && userContext.TotpEnabled {
+		log.Warn().Str("username", userContext.Username).Msg("User has totp enabled, disabling basic auth")
+		userContext.IsLoggedIn = false
+	}
+
 	// Check if user is logged in
 	if userContext.IsLoggedIn {
 		log.Debug().Msg("Authenticated")

internal/hooks/hooks.go

@@ -35,10 +35,19 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 	if basic != nil {
 		log.Debug().Msg("Got basic auth")
 
-		// Check if user exists and password is correct
+		// Get user
 		user := hooks.Auth.GetUser(basic.Username)
 
-		if user != nil && hooks.Auth.CheckPassword(*user, basic.Password) {
+		// Check we have a user
+		if user == nil {
+			log.Error().Str("username", basic.Username).Msg("User does not exist")
+
+			// Return empty context
+			return types.UserContext{}
+		}
+
+		// Check if the user has a correct password
+		if hooks.Auth.CheckPassword(*user, basic.Password) {
 			// Return user context since we are logged in with basic auth
 			return types.UserContext{
 				Username:    basic.Username,
@@ -46,6 +55,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
 				IsLoggedIn:  true,
 				Provider:    "basic",
+				TotpEnabled: user.TotpSecret != "",
 			}
 		}
 

internal/types/types.go

@@ -51,6 +51,7 @@ type UserContext struct {
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
+	TotpEnabled bool
 }
 
 // LoginAttempt tracks information about login attempts for rate limiting