diff options
| author | Robert Speicher <robert@gitlab.com> | 2016-08-19 02:00:54 +0300 |
|---|---|---|
| committer | Ruben Davila <rdavila84@gmail.com> | 2016-08-19 02:55:57 +0300 |
| commit | 220755f52ad6e3fdfa43c62e0a4a4051721246dc (patch) | |
| tree | af4ae1457212df827dc142fef4f1f0877be69888 /lib | |
| parent | 0ff39331a2fa486ea53968aa85e763d6c1b2c5dd (diff) | |
Merge branch '2fa-api-check' into 'master'
2FA checks for API workflows
## What does this MR do?
It adds a check to the API `/session` endpoint that will deny authentication requests to users that have 2FA enabled. In the error message it will instruct them to use a Personal Access Token instead.
It adds a check to the `/oauth/token` endpoint, when `grant_type: 'password'` is used, so that no OAuth2 access token can be generated if the user has 2FA enabled. This endpoint should not be used by OAuth applications, anyway. OAuth apps should follow the flow of redirecting the user to GitLab, where 2FA access restrictions apply and logging them in there. Once successfully authenticated, the OAuth token is passed to the client.
## Why was this MR needed?
No 2FA check on API endpoints.
## What are the relevant issue numbers?
Fixes #2979
See merge request !5820
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/session.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/api/session.rb b/lib/api/session.rb index 56c202f1294..55ec66a6d67 100644 --- a/lib/api/session.rb +++ b/lib/api/session.rb @@ -14,6 +14,7 @@ module API user = Gitlab::Auth.find_with_user_password(params[:email] || params[:login], params[:password]) return unauthorized! unless user + return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled? present user, with: Entities::UserLogin end end |