Added option to remove OTP 2FA.

2024-08-15 19:50:44 +03:00 · 2021-12-11 16:08:26 -08:00 · 2021-12-11 16:08:26 -08:00 · db3659d665
commit db3659d665
parent cfeab35332
5 changed files with 11 additions and 2 deletions
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@ -414,6 +414,7 @@
              "email2factor": { "type": "boolean", "default": true, "description": "Set to false to disable email 2FA." },
              "sms2factor": { "type": "boolean", "default": true, "description": "Set to false to disable SMS 2FA." },
              "push2factor": { "type": "boolean", "default": true, "description": "Set to false to disable push notification 2FA." },
+              "otp2factor": { "type": "boolean", "default": true, "description": "Set to false to disable one-time-password 2FA." },
              "force2factor": { "type": "boolean", "default": false, "description": "Requires that all accounts setup 2FA." },
              "skip2factor": { "type": "string", "description": "IP addresses where 2FA login is skipped, for example: 127.0.0.1,192.168.2.0/24" },
              "oldPasswordBan": { "type": "integer", "description": "Number of old passwords the server should remember and not allow the user to switch back to." },
--- a/meshuser.js
+++ b/meshuser.js
@ -3493,6 +3493,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    // Do not allow this command when logged in using a login token
                    if (req.session.loginToken != null) break;

+                    // Check of OTP 2FA is allowed
+                    if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break;
+
                    if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.

                    // Check if 2-step login is supported
@ -3515,6 +3518,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    // Do not allow this command when logged in using a login token
                    if (req.session.loginToken != null) break;

+                    // Check of OTP 2FA is allowed
+                    if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break;
+
                    if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.

                    // Check if 2-step login is supported
--- a/views/default-mobile.handlebars
+++ b/views/default-mobile.handlebars
@ -1371,8 +1371,8 @@
            QV('p2AccountSecurity', ((features & 4) == 0) && (serverinfo.domainauth == false) && ((features & 4096) != 0) && (accountSettingsLocked == false)); // Hide Account Security if in single user mode or domain authentication, 2 factor auth not supported.
            QV('p2AccountImage', !accountSettingsLocked);
            QV('verifyEmailId', (userinfo.emailVerified !== true) && (userinfo.email != null) && (serverinfo.emailcheck == true));
-            QV('manageAuthApp', features & 4096);
-            QV('manageOtp', ((features & 4096) != 0) && ((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0)));
+            QV('manageAuthApp', (features & 4096) && ((userinfo.otpsecret == 1) || ((features2 & 0x00020000) == 0)));
+            QV('manageOtp', (features & 4096) && ((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0)));
            QV('authPhoneNumberCheck', (userinfo.phone != null));
            QV('authEmailSetupCheck', (userinfo.otpekey == 1) && (userinfo.email != null) && (userinfo.emailVerified == true));
            QV('authAppSetupCheck', userinfo.otpsecret == 1);
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -2120,6 +2120,7 @@
            QV('authPhoneNumberCheck', (userinfo.phone != null));
            QV('authEmailSetupCheck', (userinfo.otpekey == 1) && (userinfo.email != null) && (userinfo.emailVerified == true));
            QV('authAppSetupCheck', userinfo.otpsecret == 1);
+            QV('manageAuthApp', (userinfo.otpsecret == 1) || ((features2 & 0x00020000) == 0));
            QV('authKeySetupCheck', userinfo.otphkeys > 0);
            QV('authPushAuthDevCheck', (userinfo.otpdev > 0) && ((features2 & 0x40) != 0));
            QV('authCodesSetupCheck', userinfo.otpkeys > 0);
--- a/webserver.js
+++ b/webserver.js
@ -2848,6 +2848,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
        if (domain.mailserver != null) { features2 += 0x00004000; } // Indicates email server is active
        if (domain.devicesearchbarserverandclientname) { features2 += 0x00008000; } // Search bar will find both server name and client name
        if (domain.ipkvm) { features2 += 0x00010000; } // Indicates support for IP KVM device groups
+        if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) { features2 += 0x00020000; } // Indicates support for OTP 2FA is disabled
        return { features: features, features2: features2 };
    }