authorJoram Wilander <jwawilander@gmail.com>2017-05-09 07:48:57 -0500
committerGitHub <noreply@github.com>2017-05-09 07:48:57 -0500
commit202c383d8dc23ff3c0633fff99bd7da95397fe3a (patch)
treeb9f06ca4dd84a90fd53676347820898c951829ef /api4
parentfb4d72bd8a3a9b533571e42cfb1b7e2d1702f6be (diff)
Fix MFA enforcement on login and page load (#6356)
Diffstat (limited to 'api4')
-rw-r--r--api4/context.go8
-rw-r--r--api4/user.go4
2 files changed, 8 insertions, 4 deletions
diff --git a/api4/context.go b/api4/context.go
index 32db0ed7d..37af2c6d4 100644
--- a/api4/context.go
+++ b/api4/context.go
@@ -271,9 +271,13 @@ func (c *Context) MfaRequired() {
return
}
+ // Special case to let user get themself
+ if c.Path == "/api/v4/users/me" {
+ return
+ }
+
if !user.MfaActive {
- c.Err = model.NewLocAppError("", "api.context.mfa_required.app_error", nil, "MfaRequired")
- c.Err.StatusCode = http.StatusUnauthorized
+ c.Err = model.NewAppError("", "api.context.mfa_required.app_error", nil, "MfaRequired", http.StatusForbidden)
return
}
}
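Review bot: The new exemption at `if c.Path == "/api/v4/users/me"` keys on the path alone, so every HTTP method the router accepts for that path — not only the "get themself" case the comment describes — is released from the MFA gate; if `users/me` also resolves to an update or other mutating handler (the route table is not visible here), a session that has not activated MFA could reach it. Restrict the special case to the verb it is meant for, e.g. `if c.Path == "/api/v4/users/me" && <request method> == http.MethodGet {`, using whatever request field the Context exposes or having the handler wrapper pass the method in. The literal also hard-codes the `/api/v4` prefix, so a comment such as `// Exact match on the full request path: any variant (trailing slash, other prefix) fails closed and gets 403.` would record that the strict comparison is deliberate rather than an oversight. MfaRequired's body begins outside the hunk.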
diff --git a/api4/user.go b/api4/user.go
index 1436808cd..d06dd2882 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -41,8 +41,8 @@ func InitUser() {
BaseRoutes.Users.Handle("/email/verify/send", ApiHandler(sendVerificationEmail)).Methods("POST")
BaseRoutes.Users.Handle("/mfa", ApiHandler(checkUserMfa)).Methods("POST")
- BaseRoutes.User.Handle("/mfa", ApiSessionRequired(updateUserMfa)).Methods("PUT")
- BaseRoutes.User.Handle("/mfa/generate", ApiSessionRequired(generateMfaSecret)).Methods("POST")
+ BaseRoutes.User.Handle("/mfa", ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT")
+ BaseRoutes.User.Handle("/mfa/generate", ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST")
BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST")
BaseRoutes.Users.Handle("/login/switch", ApiHandler(switchAccountType)).Methods("POST")
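Review bot: The wrapper name `ApiSessionRequiredMfa` reads as "MFA required", yet for these two routes it presumably does the opposite — lets a session that has not yet activated MFA reach `/mfa/generate` and PUT `/mfa`, which it must, or an enforced user could never enrol — and nothing at the route table says so (the wrapper's definition is not in this diff). I would add a comment above the two changed lines: `// MFA enrolment must stay reachable before MFA is active; ApiSessionRequiredMfa is the wrapper that skips the MfaRequired gate.` If PUT `/mfa` also handles deactivation, whatever that wrapper relaxes applies to deactivation as well, so it is worth confirming that turning MFA off still demands the user's current credentials rather than just a session. InitUser starts and ends outside the hunk.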