summaryrefslogtreecommitdiffstats
path: root/api/context.go
diff options
context:
space:
mode:
Diffstat (limited to 'api/context.go')
-rw-r--r--api/context.go66
1 files changed, 54 insertions, 12 deletions
diff --git a/api/context.go b/api/context.go
index 4c2e9d489..1e82acb68 100644
--- a/api/context.go
+++ b/api/context.go
@@ -47,51 +47,55 @@ type Context struct {
}
func ApiAppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, true, false, false, false}
+ return &handler{h, false, false, true, false, false, false, false}
}
func AppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, false, false, false, false}
+ return &handler{h, false, false, false, false, false, false, false}
}
func AppHandlerIndependent(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, false, false, true, false}
+ return &handler{h, false, false, false, false, true, false, false}
}
func ApiUserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, false, true, false, false, false}
+ return &handler{h, true, false, true, false, false, false, true}
}
func ApiUserRequiredActivity(h func(*Context, http.ResponseWriter, *http.Request), isUserActivity bool) http.Handler {
- return &handler{h, true, false, true, isUserActivity, false, false}
+ return &handler{h, true, false, true, isUserActivity, false, false, true}
+}
+
+func ApiUserRequiredMfa(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+ return &handler{h, true, false, true, false, false, false, false}
}
func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, false, false, false, false, false}
+ return &handler{h, true, false, false, false, false, false, true}
}
func AppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, false, false, false, true}
+ return &handler{h, false, false, false, false, false, true, false}
}
func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, true, true, false, false, false}
+ return &handler{h, true, true, true, false, false, false, true}
}
func ApiAdminSystemRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, true, true, false, false, true}
+ return &handler{h, true, true, true, false, false, true, true}
}
func ApiAppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, true, false, false, true}
+ return &handler{h, false, false, true, false, false, true, false}
}
func ApiUserRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, false, true, false, false, true}
+ return &handler{h, true, false, true, false, false, true, true}
}
func ApiAppHandlerTrustRequesterIndependent(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, true, false, true, true}
+ return &handler{h, false, false, true, false, true, true, false}
}
type handler struct {
@@ -102,6 +106,7 @@ type handler struct {
isUserActivity bool
isTeamIndependent bool
trustRequester bool
+ requireMfa bool
}
func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -204,6 +209,10 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
c.UserRequired()
}
+ if c.Err == nil && h.requireMfa {
+ c.MfaRequired()
+ }
+
if c.Err == nil && h.requireSystemAdmin {
c.SystemAdminRequired()
}
@@ -331,6 +340,39 @@ func (c *Context) UserRequired() {
}
}
+func (c *Context) MfaRequired() {
+ // Must be licensed for MFA and have it configured for enforcement
+ if !utils.IsLicensed || !*utils.License.Features.MFA || !*utils.Cfg.ServiceSettings.EnableMultifactorAuthentication || !*utils.Cfg.ServiceSettings.EnforceMultifactorAuthentication {
+ return
+ }
+
+ // OAuth integrations are excepted
+ if c.Session.IsOAuth {
+ return
+ }
+
+ if result := <-Srv.Store.User().Get(c.Session.UserId); result.Err != nil {
+ c.Err = model.NewLocAppError("", "api.context.session_expired.app_error", nil, "MfaRequired")
+ c.Err.StatusCode = http.StatusUnauthorized
+ return
+ } else {
+ user := result.Data.(*model.User)
+
+ // Only required for email and ldap accounts
+ if user.AuthService != "" &&
+ user.AuthService != model.USER_AUTH_SERVICE_EMAIL &&
+ user.AuthService != model.USER_AUTH_SERVICE_LDAP {
+ return
+ }
+
+ if !user.MfaActive {
+ c.Err = model.NewLocAppError("", "api.context.mfa_required.app_error", nil, "MfaRequired")
+ c.Err.StatusCode = http.StatusUnauthorized
+ return
+ }
+ }
+}
+
func (c *Context) SystemAdminRequired() {
if len(c.Session.UserId) == 0 {
c.Err = model.NewLocAppError("", "api.context.session_expired.app_error", nil, "SystemAdminRequired")