From 1f45d1e1303c5843ceeb473eef343b82491bd706 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Wed, 2 Mar 2022 01:24:31 +0100
Subject: [PATCH] Accounts with WebAuthn only (no TOTP) now exist ... fix code
to handle that case (#18897)
---
models/user/list.go | 26 ++++++++++++++++++++------
routers/web/admin/users.go | 35 +++++++++++++++++++++++++----------
2 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/models/user/list.go b/models/user/list.go
index 13138b3e50..06ec511375 100644
--- a/models/user/list.go
+++ b/models/user/list.go
@@ -30,13 +30,19 @@ func (users UserList) GetTwoFaStatus() map[int64]bool {
for _, user := range users {
results[user.ID] = false // Set default to false
}
- tokenMaps, err := users.loadTwoFactorStatus(db.GetEngine(db.DefaultContext))
- if err == nil {
+
+ if tokenMaps, err := users.loadTwoFactorStatus(db.GetEngine(db.DefaultContext)); err == nil {
for _, token := range tokenMaps {
results[token.UID] = true
}
}
+ if ids, err := users.userIDsWithWebAuthn(db.GetEngine(db.DefaultContext)); err == nil {
+ for _, id := range ids {
+ results[id] = true
+ }
+ }
+
return results
}
@@ -47,15 +53,23 @@ func (users UserList) loadTwoFactorStatus(e db.Engine) (map[int64]*auth.TwoFacto
userIDs := users.GetUserIDs()
tokenMaps := make(map[int64]*auth.TwoFactor, len(userIDs))
- err := e.
- In("uid", userIDs).
- Find(&tokenMaps)
- if err != nil {
+ if err := e.In("uid", userIDs).Find(&tokenMaps); err != nil {
return nil, fmt.Errorf("find two factor: %v", err)
}
return tokenMaps, nil
}
+func (users UserList) userIDsWithWebAuthn(e db.Engine) ([]int64, error) {
+ if len(users) == 0 {
+ return nil, nil
+ }
+ ids := make([]int64, 0, len(users))
+ if err := e.Table(new(auth.WebAuthnCredential)).In("user_id", users.GetUserIDs()).Select("user_id").Distinct("user_id").Find(&ids); err != nil {
+ return nil, fmt.Errorf("find two factor: %v", err)
+ }
+ return ids, nil
+}
+
// GetUsersByIDs returns all resolved users from a list of Ids.
func GetUsersByIDs(ids []int64) (UserList, error) {
ous := make([]*User, 0, len(ids))
diff --git a/routers/web/admin/users.go b/routers/web/admin/users.go
index 5cb25d8672..4358db89ba 100644
--- a/routers/web/admin/users.go
+++ b/routers/web/admin/users.go
@@ -217,15 +217,17 @@ func prepareUserInfo(ctx *context.Context) *user_model.User {
}
ctx.Data["Sources"] = sources
- ctx.Data["TwoFactorEnabled"] = true
- _, err = auth.GetTwoFactorByUID(u.ID)
+ hasTOTP, err := auth.HasTwoFactorByUID(u.ID)
if err != nil {
- if !auth.IsErrTwoFactorNotEnrolled(err) {
- ctx.ServerError("IsErrTwoFactorNotEnrolled", err)
- return nil
- }
- ctx.Data["TwoFactorEnabled"] = false
+ ctx.ServerError("auth.HasTwoFactorByUID", err)
+ return nil
}
+ hasWebAuthn, err := auth.HasWebAuthnRegistrationsByUID(u.ID)
+ if err != nil {
+ ctx.ServerError("auth.HasWebAuthnRegistrationsByUID", err)
+ return nil
+ }
+ ctx.Data["TwoFactorEnabled"] = hasTOTP || hasWebAuthn
return u
}
@@ -327,14 +329,27 @@ func EditUserPost(ctx *context.Context) {
if form.Reset2FA {
tf, err := auth.GetTwoFactorByUID(u.ID)
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
- ctx.ServerError("GetTwoFactorByUID", err)
+ ctx.ServerError("auth.GetTwoFactorByUID", err)
return
+ } else if tf != nil {
+ if err := auth.DeleteTwoFactorByID(tf.ID, u.ID); err != nil {
+ ctx.ServerError("auth.DeleteTwoFactorByID", err)
+ return
+ }
}
- if err = auth.DeleteTwoFactorByID(tf.ID, u.ID); err != nil {
- ctx.ServerError("DeleteTwoFactorByID", err)
+ wn, err := auth.GetWebAuthnCredentialsByUID(u.ID)
+ if err != nil {
+ ctx.ServerError("auth.GetTwoFactorByUID", err)
return
}
+ for _, cred := range wn {
+ if _, err := auth.DeleteCredential(cred.ID, u.ID); err != nil {
+ ctx.ServerError("auth.DeleteCredential", err)
+ return
+ }
+ }
+
}
u.LoginName = form.LoginName