data-govt-nz / ckanext-security

A CKAN extension to hold various security improvements for CKAN
GNU Affero General Public License v3.0
25 stars 33 forks

Abort if user/pass auth success but no MFA #72

Closed markstuart closed 7 months ago

markstuart commented 7 months ago

The MFA implementation leverages an ajax form submit to add the two-step (user/pass, then MFA code) form structure into CKAN.

Once that ajax response from the /api/login succeeds the login form does a normal form POST submit to the overridden IAuthenticator implementation, which rechecks the user/pass and MFA, and returns the result of the default CKAN authenticator if everything succeeds.

We were returning "None" in the case that MFA fails, however the IAuthenticator implementation in CKAN core falls back to user/pass auth if the plugin returns None, so this meant that the form was able to be submitted with no MFA and as long as the user/pass was correct the user could still log in.

This required malicious intent, either through man-in-the-middle to alter the response of the /api/login call, or crafting a form submit request with valid user/pass and no MFA to /user/login.
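The fail-open behaviour described above, modelled as an added example rather than code from ckanext-security or CKAN core: `core_login`, the two plugin classes, `MfaRejected` and the `USERS` table are all assumed stand-ins for the real `IAuthenticator` chain, and the point is only that returning `None` on MFA failure is indistinguishable from "plugin has no opinion", whereas aborting is not.

```python
import hmac
from typing import Optional

# Constructed user store; plaintext only to keep the model short.
USERS = {"alice": {"password": "correct horse", "mfa_code": "123456"}}

class MfaRejected(Exception):
    """MFA failed: the login must abort, never fall through."""

def check_password(identity: dict) -> Optional[str]:
    """Return the user name for a valid user/pass pair, else None."""
    user = USERS.get(identity.get("login", ""))
    if user and hmac.compare_digest(user["password"], identity.get("password", "")):
        return identity["login"]
    return None

def mfa_ok(user: str, identity: dict) -> bool:
    """Constant-time check of the submitted MFA code (missing code counts as wrong)."""
    return hmac.compare_digest(USERS[user]["mfa_code"], identity.get("mfa", ""))

class MfaPluginVulnerable:
    """Before the fix: an MFA failure is reported as None."""
    def authenticate(self, identity: dict) -> Optional[str]:
        user = check_password(identity)
        if user is None or not mfa_ok(user, identity):
            return None  # BUG: core cannot tell this from "plugin declined"
        return user

class MfaPluginFixed:
    """After the fix: an MFA failure aborts the request outright."""
    def authenticate(self, identity: dict) -> Optional[str]:
        user = check_password(identity)
        if user is None:
            return None
        if not mfa_ok(user, identity):
            raise MfaRejected("MFA code missing or wrong")
        return user

def core_login(plugin, identity: dict) -> Optional[str]:
    """Model of the core's fail-open contract: None from the plugin means
    'no opinion', so the core retries with plain user/pass."""
    try:
        result = plugin.authenticate(identity)
    except MfaRejected:
        return None  # aborted: the fallback is never reached
    if result is not None:
        return result
    return check_password(identity)  # the fallback the bug relied on
```

With the vulnerable plugin a POST carrying only a valid user/pass logs the user in; with the fixed plugin the same request is rejected, and only a correct code succeeds.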

markstuart commented 7 months ago

Hmm, this actually breaks password changing from the user profile page, will need to look further at that.

Fixed in b0b7cb5

markstuart commented 7 months ago

@maede224 please feel free to take a look and/or test this update. It includes fixes for #69 and related issues found during investigation.