humhub / rest

HumHub Rest API Module

Users having "Force password change upon next login" cannot be impersonated #162

Closed marc-farre closed 4 months ago

marc-farre commented 7 months ago

Steps to reproduce:

  1. In the "REST Configuration", in the "Bearer Auth" tab, add an Access Token for a specific user
  2. Edit this user, and in the "Password" tab, enter a new password and check "Force password change upon next login"
  3. Try to read a post:
     curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer xxxxxxxxxxxxxxxxxx' https://my-humhub.com/api/v1/post/1

Returns null instead of the post.

Original discussion: https://community.humhub.com/content/perma?id=277066

ArchBlood commented 7 months ago

I'm not sure just adding this would help fix the issue, as I'm seeing that authByUserAndPassword() mentions only $username and $password and makes no checks for mustChangePassword().

https://github.com/humhub/rest/blob/0cda082cda7a360b40db452d0a83a2a9b188f5e5/controllers/auth/AuthController.php#L38-L70

// Check if password change is required
if ($user->mustChangePassword()) {
    return $this->returnError(401, 'Password change required');
}

https://github.com/humhub/rest/blob/0cda082cda7a360b40db452d0a83a2a9b188f5e5/controllers/auth/AuthController.php#L73-L82

luke- commented 6 months ago

@gevorgmansuryan Can you please take a look into this?

gevorgmansuryan commented 6 months ago

@luke- yeah, there is a bug related to the impersonated user in rest. But the steps described in @marc-farre's comment aren't related to impersonation; bearer tokens created from the "Bearer Auth" tab are just like a regular login, and should work like a regular login. I'll fix it for /auth/impersonate only. https://marketplace.humhub.com/module/rest/docs/html/auth.html#tag/User/paths/~1auth~1impersonate/get