Web: allow to require password change and two-factor for admins

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 23:00:55 +03:00 · 2024-02-21 20:45:10 +01:00
parent 51ae2d7301
commit de089e51fd
18 changed files with 650 additions and 333 deletions
--- a/internal/httpd/api_mfa.go
+++ b/internal/httpd/api_mfa.go
@@ -122,23 +122,25 @@ func saveTOTPConfig(w http.ResponseWriter, r *http.Request) {
 		code := getNewRecoveryCode()
 		recoveryCodes = append(recoveryCodes, dataprovider.RecoveryCode{Secret: kms.NewPlainSecret(code)})
 	}
+	baseURL := webBaseClientPath
 	if claims.hasUserAudience() {
 		if err := saveUserTOTPConfig(claims.Username, r, recoveryCodes); err != nil {
 			sendAPIResponse(w, r, err, "", getRespStatus(err))
 			return
 		}
-		if claims.MustSetTwoFactorAuth {
-			// force logout
-			defer func() {
-				c := jwtTokenClaims{}
-				c.removeCookie(w, r, webBaseClientPath)
-			}()
-		}
 	} else {
 		if err := saveAdminTOTPConfig(claims.Username, r, recoveryCodes); err != nil {
 			sendAPIResponse(w, r, err, "", getRespStatus(err))
 			return
 		}
+		baseURL = webBasePath
+	}
+	if claims.MustSetTwoFactorAuth {
+		// force logout
+		defer func() {
+			c := jwtTokenClaims{}
+			c.removeCookie(w, r, baseURL)
+		}()
 	}

 	sendAPIResponse(w, r, nil, "TOTP configuration saved", http.StatusOK)
@@ -303,6 +305,9 @@ func saveAdminTOTPConfig(username string, r *http.Request, recoveryCodes []datap
 	if err != nil {
 		return util.NewValidationError(fmt.Sprintf("unable to decode JSON body: %v", err))
 	}
+	if !admin.Filters.TOTPConfig.Enabled && admin.Filters.RequireTwoFactor {
+		return util.NewValidationError("two-factor authentication must be enabled")
+	}
 	if admin.Filters.TOTPConfig.Enabled {
 		if admin.CountUnusedRecoveryCodes() < 5 && admin.Filters.TOTPConfig.Enabled {
 			admin.Filters.RecoveryCodes = recoveryCodes