🐛 [Auth] Fixed API token generation when 2FA is enabled.

It should suffice for the user to provide username+password when creating a new API token, even if 2FA is enabled. That's because user authentication has already occurred by the time that that check is made, and the user is already logged through a valid session or API token, so adding an 2FA code check isn't required. This also ensures that the UI doesn't break with a 401 on `/#settings?page=tokens&type=api` when creating a new token.
2024-11-11 20:21:26 +01:00 · 2024-11-11 20:21:26 +01:00 · 3e02304ac2
commit 3e02304ac2
parent 697a260026
1 changed files with 1 additions and 2 deletions
--- a/platypush/backend/http/app/routes/auth.py
+++ b/platypush/backend/http/app/routes/auth.py
@ -107,7 +107,6 @@ def _create_token():
    user = None
    username = payload.get('username')
    password = payload.get('password')
-    code = payload.get('code')
    name = payload.get('name')
    expiry_days = payload.get('expiry_days')
    user_manager = UserManager()
@ -115,7 +114,7 @@ def _create_token():

    # Try and authenticate with the credentials passed in the JSON payload
    if username and password:
-        user = user_manager.authenticate_user(username, password, code=code)
+        user = user_manager.authenticate_user(username, password, skip_2fa=True)
        if not isinstance(user, User):
            return UserAuthStatus.INVALID_CREDENTIALS.to_response()