Feature #35001 » 35001.patch
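--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -129,7 +129,14 @@
     elsif /\ABasic /i.match?(request.authorization.to_s)
       # HTTP Basic, either username/password or API key/random
       authenticate_with_http_basic do |username, password|
-        user = User.try_to_login(username, password) || User.find_by_api_key(username)
+        user = User.try_to_login(username, password)
+        # Don't allow using username/password when two-factor auth is active
+        if user&.twofa_active?
+          render_error :message => 'HTTP Basic authentication is not allowed. Use API key instead', :status => 401
+          return
+        end
+
+        user ||= User.find_by_api_key(username)
       end
       if user && user.must_change_password?
         render_error :message => 'You must change your password', :status => 403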
| test/integration/api_test/authentication_test.rb | ||
|---|---|---|
| 48 | 48 | 
    assert_response 401  | 
| 49 | 49 | 
    end  | 
| 50 | 50 | |
| 51 | 
    def test_api_should_deny_http_basic_auth_if_twofa_is_active  | 
|
| 52 | 
    user = User.generate! do |user|  | 
|
| 53 | 
    user.password = 'my_password'  | 
|
| 54 | 
    user.update(twofa_scheme: 'totp')  | 
|
| 55 | 
    end  | 
|
| 56 | 
    get '/users/current.xml', :headers => credentials(user.login, 'my_password')  | 
|
| 57 | 
    assert_response 401  | 
|
| 58 | 
    end  | 
|
| 59 | ||
| 51 | 60 | 
    def test_api_should_accept_http_basic_auth_using_api_key  | 
| 52 | 61 | 
    user = User.generate!  | 
| 53 | 62 | 
    token = Token.create!(:user => user, :action => 'api')  |