forked from platypush/platypush
🐛 [Auth] Fixed API token generation when 2FA is enabled.
It should suffice for the user to provide username+password when creating a new API token, even if 2FA is enabled. That's because user authentication has already occurred by the time that check is made, and the user is already logged in through a valid session or API token, so adding a 2FA code check isn't required. This also ensures that the UI doesn't break with a 401 on `/#settings?page=tokens&type=api` when creating a new token.
parent
697a260026
commit
3e02304ac2
1 changed files with 1 additions and 2 deletions
|
@ -107,7 +107,6 @@ def _create_token():
|
||||||
user = None
|
user = None
|
||||||
username = payload.get('username')
|
username = payload.get('username')
|
||||||
password = payload.get('password')
|
password = payload.get('password')
|
||||||
code = payload.get('code')
|
|
||||||
name = payload.get('name')
|
name = payload.get('name')
|
||||||
expiry_days = payload.get('expiry_days')
|
expiry_days = payload.get('expiry_days')
|
||||||
user_manager = UserManager()
|
user_manager = UserManager()
|
||||||
|
@ -115,7 +114,7 @@ def _create_token():
|
||||||
|
|
||||||
# Try and authenticate with the credentials passed in the JSON payload
|
# Try and authenticate with the credentials passed in the JSON payload
|
||||||
if username and password:
|
if username and password:
|
||||||
user = user_manager.authenticate_user(username, password, code=code)
|
user = user_manager.authenticate_user(username, password, skip_2fa=True)
|
||||||
if not isinstance(user, User):
|
if not isinstance(user, User):
|
||||||
return UserAuthStatus.INVALID_CREDENTIALS.to_response()
|
return UserAuthStatus.INVALID_CREDENTIALS.to_response()
|
||||||
|
|
||||||
|
|
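Review bot: The `skip_2fa=True` on the payload-credentials branch of `_create_token` is unconditional, so the second factor now depends entirely on the request already carrying a valid session or token, and nothing in this hunk shows that being checked (the function starts and ends outside it). If that branch can ever be reached without one, a password alone is enough to mint an API token for a 2FA-enabled account, and if the already-authenticated user may differ from `username`, the named account's second factor is skipped as well. I would skip 2FA only when the request is already authenticated as the same user and keep `code=code` otherwise, and at minimum record the assumption above the call: `# 2FA skipped: request is already authenticated via session/token (enforced by <where>)`. A regression test that posts username+password without a session for a 2FA-enabled user would pin the intended behaviour.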