Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-08-15 19:50:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

If is user using 2FA the basic URL user and pass method fails.

Browse Source 
https://github.com/Ylianst/MeshCentral/issues/4870

If user has 2FA enabled and tries to login with URL parameters then the login should fail.
This commit is contained in:
jirijanata 2023-07-05 19:15:18 +02:00 committed by GitHub
parent 53e2c5cf69
commit 3f0d9484b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
webserver.js
View File

@ -2813,7 +2813,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
} else if (req.query.user && req.query.pass) {
// User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option.
obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
if ((userid != null) && (err == null)) {
// 2FA is not supported in URL authentication method. If user has 2FA enabled, this login method fails.
var user = obj.users[userid];
if (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true) {
handleRootRequestEx(req, res, domain, direct);
} else if ((userid != null) && (err == null)) {
// Login success
parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
req.session.userid = userid;