From 3f0d9484b78a2d4906090382ffd3edd3dde1b5b6 Mon Sep 17 00:00:00 2001
From: jirijanata
Date: Wed, 5 Jul 2023 19:15:18 +0200
Subject: [PATCH] If is user using 2FA the basic URL user and pass method fails.

https://github.com/Ylianst/MeshCentral/issues/4870
If user has 2FA enabled and tries to login with URL parameters then the login should fail.
---
 webserver.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/webserver.js b/webserver.js
index f5025ad0..8172d211 100644
--- a/webserver.js
+++ b/webserver.js
@@ -2813,7 +2813,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 } else if (req.query.user && req.query.pass) {
 // User credentials are being passed in the URL. WARNING: Putting credentials in a URL is bad security... but people are requesting this option.
 obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
- if ((userid != null) && (err == null)) {
+ // 2FA is not supported in URL authentication method. If user has 2FA enabled, this login method fails.
+ var user = obj.users[userid];
+ if (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true) {
+ handleRootRequestEx(req, res, domain, direct);
+ } else if ((userid != null) && (err == null)) {
 // Login success
 parent.debug('web', 'handleRootRequest: user/pass in URL auth ok.');
 req.session.userid = userid;
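Review bot: The new 2FA check runs before the existing `(userid != null) && (err == null)` success test, so on a failed URL login `user` is `obj.users[null]` (undefined) and `checkUserOneTimePasswordRequired` is invoked with an undefined user and whatever `loginOptions` the failed callback carried; whether that is safe depends on the helper, which is outside this hunk. Gating the lookup on a successful authentication keeps the failure path exactly as it was and makes the fail-closed intent explicit: `if ((userid != null) && (err == null) && (checkUserOneTimePasswordRequired(domain, obj.users[userid], req, loginOptions) == true)) {` / `handleRootRequestEx(req, res, domain, direct);` / `} else if ((userid != null) && (err == null)) {`. The added comment says this login method "fails", but the branch only falls through to `handleRootRequestEx` with no trace; a `parent.debug('web', 'handleRootRequest: user/pass in URL auth rejected, 2FA required.');` next to the existing success debug line would make the rejection visible in the same log. The `obj.authenticate` callback body continues past the end of the hunk.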