Commit 9d76c4c0 authored by o@immerda.ch

use the reissue mechanism only with webauthn

We have a mechanism where we allow logins only with the second factor if
the last login was very recent (maybe this is not a good idea anyway).
But for most people the TOTP is more annoying to get than the password.
So let's use the reissue mechanism only with webauthn.
parent d1763f0d
Pipeline #8193 passed with stage in 3 minutes
......@@ -93,13 +93,16 @@ class IApi < Sinatra::Base
allowed = IApiConf.acl.is_allowed_to_access?(email, saml[:plain_issuer])
end
if saml && allowed
token_age = api_token_age(email, parsed_body['token'])
valid = token_age < saml[:max_reissue_time]
if !valid && token_age < saml[:max_reissue_time_2fa]
if saml && allowed && valid_reissue_token(email)
valid = valid_reissue_token(email) < saml[:max_reissue_time]
valid_with_tfa =
valid_reissue_token(email) < saml[:max_reissue_time_2fa]
# if the user has webauthn and we are within the :max_reissue_time_2fa
# then we only ask for a challenge and not for the full password.
if !valid && valid_with_tfa
user = EmailUser.active_by_email(email)
if user.has_2fa?
if user.web_authn_credentials.present?
if AuthManager.auth_2fa(user,
totp: parsed_body['totp'],
webauthn: parsed_body['webauthn'])
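Review bot: `AuthManager.auth_2fa` is still handed `totp: parsed_body['totp']` alongside `webauthn: parsed_body['webauthn']`, so although the branch is now gated on `user.web_authn_credentials.present?`, the commit's stated goal of making the reduced-friction reissue WebAuthn-only is met only if `auth_2fa` ignores the TOTP argument whenever WebAuthn credentials exist; if it accepts either factor, a client can still complete this path with a TOTP code, which is exactly what the comment above the branch says should not be asked for. Consider passing only `webauthn: parsed_body['webauthn']` here (or calling a WebAuthn-specific verifier). Separately, `valid_reissue_token(email)` is now evaluated three times in a row (in the `if` guard, for `valid`, and for `valid_with_tfa`); assign it once, e.g. `token_age = valid_reissue_token(email)`, so the lookup is not repeated and all three comparisons see the same value. Note also that the removed `api_token_age(email, parsed_body['token'])` bound the age lookup to the token the client actually presented, whereas the new call takes only the email; the visible lines do not show where `parsed_body['token']` is now validated, so please confirm it still is.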