Unify two factor check (#27915) (#27939)

Backport of #27915 Fixes #27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
2025-08-09 11:08:19 +00:00 · 2023-11-06 23:06:21 +01:00
parent 4a48370d91
commit 00705da102
5 changed files with 76 additions and 66 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -315,10 +315,6 @@ func reqToken() func(ctx *context.APIContext) {
 			return
 		}

-		if ctx.IsBasicAuth {
-			ctx.CheckForOTP()
-			return
-		}
 		if ctx.IsSigned {
 			return
 		}
@@ -340,7 +336,6 @@ func reqBasicAuth() func(ctx *context.APIContext) {
 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")
 			return
 		}
-		ctx.CheckForOTP()
 	}
 }

@@ -687,12 +682,6 @@ func bind[T any](_ T) any {
 	}
 }

-// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
-// in the session (if there is a user id stored in session other plugins might return the user
-// object for that id).
-//
-// The Session plugin is expected to be executed second, in order to skip authentication
-// for users that have already signed in.
 func buildAuthGroup() *auth.Group {
 	group := auth.NewGroup(
 		&auth.OAuth2{},