MyFavMirrors
/
MeshCentral
mirror of https://github.com/Ylianst/MeshCentral.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added option to remove OTP 2FA.

This commit is contained in:
Ylian Saint-Hilaire 2021-12-11 16:08:26 -08:00
parent cfeab35332
commit db3659d665
5 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
meshcentral-config-schema.json
View File

@ -414,6 +414,7 @@
"email2factor": { "type": "boolean", "default": true, "description": "Set to false to disable email 2FA." },
"sms2factor": { "type": "boolean", "default": true, "description": "Set to false to disable SMS 2FA." },
"push2factor": { "type": "boolean", "default": true, "description": "Set to false to disable push notification 2FA." },
"otp2factor": { "type": "boolean", "default": true, "description": "Set to false to disable one-time-password 2FA." },
"force2factor": { "type": "boolean", "default": false, "description": "Requires that all accounts setup 2FA." },
"skip2factor": { "type": "string", "description": "IP addresses where 2FA login is skipped, for example: 127.0.0.1,192.168.2.0/24" },
"oldPasswordBan": { "type": "integer", "description": "Number of old passwords the server should remember and not allow the user to switch back to." },

6
meshuser.js
View File

@ -3493,6 +3493,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Do not allow this command when logged in using a login token
if (req.session.loginToken != null) break;
// Check of OTP 2FA is allowed
if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break;
if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.
// Check if 2-step login is supported
@ -3515,6 +3518,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Do not allow this command when logged in using a login token
if (req.session.loginToken != null) break;
// Check of OTP 2FA is allowed
if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) break;
if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.
// Check if 2-step login is supported

4
views/default-mobile.handlebars
View File

@ -1371,8 +1371,8 @@
QV('p2AccountSecurity', ((features & 4) == 0) && (serverinfo.domainauth == false) && ((features & 4096) != 0) && (accountSettingsLocked == false)); // Hide Account Security if in single user mode or domain authentication, 2 factor auth not supported.
QV('p2AccountImage', !accountSettingsLocked);
QV('verifyEmailId', (userinfo.emailVerified !== true) && (userinfo.email != null) && (serverinfo.emailcheck == true));
QV('manageAuthApp', features & 4096);
QV('manageOtp', ((features & 4096) != 0) && ((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0)));
QV('manageAuthApp', (features & 4096) && ((userinfo.otpsecret == 1) || ((features2 & 0x00020000) == 0)));
QV('manageOtp', (features & 4096) && ((userinfo.otpsecret == 1) || (userinfo.otphkeys > 0)));
QV('authPhoneNumberCheck', (userinfo.phone != null));
QV('authEmailSetupCheck', (userinfo.otpekey == 1) && (userinfo.email != null) && (userinfo.emailVerified == true));
QV('authAppSetupCheck', userinfo.otpsecret == 1);

1
views/default.handlebars
View File

@ -2120,6 +2120,7 @@
QV('authPhoneNumberCheck', (userinfo.phone != null));
QV('authEmailSetupCheck', (userinfo.otpekey == 1) && (userinfo.email != null) && (userinfo.emailVerified == true));
QV('authAppSetupCheck', userinfo.otpsecret == 1);
QV('manageAuthApp', (userinfo.otpsecret == 1) || ((features2 & 0x00020000) == 0));
QV('authKeySetupCheck', userinfo.otphkeys > 0);
QV('authPushAuthDevCheck', (userinfo.otpdev > 0) && ((features2 & 0x40) != 0));
QV('authCodesSetupCheck', userinfo.otpkeys > 0);

1
webserver.js
View File

@ -2848,6 +2848,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (domain.mailserver != null) { features2 += 0x00004000; } // Indicates email server is active
if (domain.devicesearchbarserverandclientname) { features2 += 0x00008000; } // Search bar will find both server name and client name
if (domain.ipkvm) { features2 += 0x00010000; } // Indicates support for IP KVM device groups
if ((domain.passwordrequirements) && (domain.passwordrequirements.otp2factor == false)) { features2 += 0x00020000; } // Indicates support for OTP 2FA is disabled
return { features: features, features2: features2 };
}