Commit 9b8e1392 authored by ale's avatar ale

Add the "has_otp" attribute to the user type

parent d5aabe73
Pipeline #1152 passed with stages
in 1 minute and 38 seconds
......@@ -177,6 +177,8 @@ type PasswordRecoveryResponse struct {
// RecoverPassword lets users reset their password by providing
// secondary credentials, which we authenticate ourselves.
//
// Two-factor authentication is disabled on successful recovery.
//
// TODO: call out to auth-server for secondary authentication?
func (s *AccountService) RecoverPassword(ctx context.Context, tx TX, req *PasswordRecoveryRequest) (*PasswordRecoveryResponse, error) {
user, err := getUserOrDie(ctx, tx, req.Username)
......@@ -208,6 +210,7 @@ func (s *AccountService) RecoverPassword(ctx context.Context, tx TX, req *Passwo
if err := s.changeUserPasswordAndUpdateEncryptionKeys(ctx, tx, user, req.RecoveryPassword, req.Password); err != nil {
return err
}
// Disable 2FA.
return s.disable2FA(ctx, tx, user)
})
......
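Review bot: The new doc comment on RecoverPassword says that 2FA is disabled on successful recovery but not why, so the security consequence of the design stays implicit: whoever is verified by the recovery credential ends up with an account that no longer has a second factor. Suggest extending it to `// Two-factor authentication is disabled on successful recovery (the user has presumably lost the second factor), so the recovery credential effectively acts as a 2FA reset and must be verified at least as carefully as a login.` The same rationale belongs on the `// Disable 2FA.` line before the disable2FA call in the second hunk, e.g. `// Disable 2FA: the recovery credential has been verified and the second factor is assumed lost.` The body of RecoverPassword continues between and beyond the two hunks, so whether a recovery is logged or the user is notified cannot be seen here.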
......@@ -128,12 +128,11 @@ func newUser(entry *ldap.Entry) (*accountserver.User, error) {
UID: uidNumber,
PasswordRecoveryHint: entry.GetAttributeValue(recoveryHintLDAPAttr),
U2FRegistrations: decodeU2FRegistrations(entry.GetAttributeValues(u2fRegistrationsLDAPAttr)),
HasOTP: entry.GetAttributeValue(totpSecretLDAPAttr) != "",
}
// The user has 2FA enabled if it has a TOTP secret or U2F keys.
if (entry.GetAttributeValue(totpSecretLDAPAttr) != "") || (len(user.U2FRegistrations) > 0) {
user.Has2FA = true
}
user.Has2FA = (user.HasOTP || (len(user.U2FRegistrations) > 0))
if user.Lang == "" {
user.Lang = "en"
......
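Review bot: The new Has2FA assignment in newUser is wrapped in two layers of redundant parentheses; `user.Has2FA = user.HasOTP || len(user.U2FRegistrations) > 0` expresses the same thing more plainly. If the explanatory comment `// The user has 2FA enabled if it has a TOTP secret or U2F keys.` was dropped together with the old if block, it is worth keeping above the assignment, because Has2FA is derived state that is recomputed here on every load rather than read from the directory. Deriving HasOTP from the presence of the TOTP secret without copying the secret itself into the User struct is the right shape for a field that ends up in JSON. The rest of newUser lies outside the hunk.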
......@@ -30,13 +30,23 @@ type User struct {
// UNIX user id.
UID int `json:"uid"`
Has2FA bool `json:"has_2fa"`
HasEncryptionKeys bool `json:"has_encryption_keys"`
// Has2FA is true if the user has a second-factor authentication
// mechanism properly set up. In practice, this is the case if either
// HasOTP is true, or len(U2FRegistrations) > 0.
Has2FA bool `json:"has_2fa"`
// HasOTP is true if TOTP is set up.
HasOTP bool `json:"has_otp"`
// HasEncryptionKeys is true if encryption keys are properly set up for
// this user. TODO: consider disabling it.
HasEncryptionKeys bool `json:"has_encryption_keys"`
PasswordRecoveryHint string `json:"password_recovery_hint"`
AppSpecificPasswords []*AppSpecificPasswordInfo `json:"app_specific_passwords,omitempty"`
U2FRegistrations []*u2f.Registration `json:"u2f_registrations"`
U2FRegistrations []*u2f.Registration `json:"u2f_registrations,omitempty"`
Resources []*Resource `json:"resources,omitempty"`
}
......
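Review bot: The tag change to `json:"u2f_registrations,omitempty"` on U2FRegistrations alters the wire format of User — a nil or empty slice is now omitted instead of being emitted as `null` or `[]` — which the commit title ("Add the has_otp attribute") does not mention, and any client that reads the key unconditionally will now find it absent. If the omission is intended, say so in a field comment such as `// U2FRegistrations is omitted from JSON when the user has no U2F keys.`; otherwise drop the omitempty. The new HasEncryptionKeys comment ends with `TODO: consider disabling it.`, which does not say what "it" is (the field, the feature, or the JSON output); spell that out. The Has2FA comment says the relation to HasOTP and U2FRegistrations holds "in practice"; since the value is computed when the user is loaded (the newUser hunk in this commit) and not stored independently, stating that it is derived at load time would make the contract precise. The User struct continues beyond the hunk.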