author | Stefan Giehl <stefan@matomo.org> | 2022-07-21 04:57:44 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-21 04:57:44 +0300 |
commit | 7f2d5ce9edbeb52ac9d6757ff91d698b9377dcc6 (patch) | |
tree | 16c0b3a0f612510aef66ea33b781a97007d3be4c /plugins/TwoFactorAuth | |
parent | 45905c0895301b7e7d810737f939f1d71cbe41f4 (diff) |
Ensure API requests with session auth check 2fa status (#19550)
Diffstat (limited to 'plugins/TwoFactorAuth')
-rw-r--r-- | plugins/TwoFactorAuth/TwoFactorAuth.php | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/plugins/TwoFactorAuth/TwoFactorAuth.php b/plugins/TwoFactorAuth/TwoFactorAuth.php
index 1c70efc08f..75a0c19141 100644
--- a/plugins/TwoFactorAuth/TwoFactorAuth.php
+++ b/plugins/TwoFactorAuth/TwoFactorAuth.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Matomo - free/libre analytics platform
  *
@@ -179,11 +180,16 @@ class TwoFactorAuth extends \Piwik\Plugin
         $twoFa = $this->getTwoFa();
         $isUsing2FA = TwoFactorAuthentication::isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
-        if ($isUsing2FA && !Request::isRootRequestApiRequest() && Session::isStarted()) {
+        if ($isUsing2FA && Session::isStarted()) {
             $sessionFingerprint = new SessionFingerprint();
             if (!$sessionFingerprint->hasVerifiedTwoFactor()) {
-                $module = 'TwoFactorAuth';
-                $action = 'loginTwoFactorAuth';
+                if (!Request::isRootRequestApiRequest()) {
+                    $module = 'TwoFactorAuth';
+                    $action = 'loginTwoFactorAuth';
+                } else if (Common::getRequestVar('force_api_session', 0) == 1) {
+                    // don't allow API requests with session auth if 2fa code hasn't been verified.
+                    throw new Exception(Piwik::translate('General_YourSessionHasExpired'));
+                }
             }
         } elseif (!$isUsing2FA && $twoFa->isUserRequiredToHaveTwoFactorEnabled()) {
             $module = 'TwoFactorAuth'; |
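Review bot: The new API branch gates an authentication decision on a loose comparison of request input, `Common::getRequestVar('force_api_session', 0) == 1`; for an auth check a strict comparison is the safer default, e.g. `} elseif ((int) Common::getRequestVar('force_api_session', 0) === 1) {`, which also replaces `else if` with `elseif` to match the `} elseif (!$isUsing2FA && ...)` branch a few lines further down in the same hunk. Because the throw only fires when that parameter is set, any path that lets an API request authenticate via the session without `force_api_session=1` would still bypass the 2FA check — that cannot be judged from this hunk and is worth confirming against the auth layer. The added `throw new Exception(...)` and the `Common::` call assume both names are imported at the top of the file, which is outside the hunk, as are the start and end of the enclosing method.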