obiba / mica2

Mica is a web portal for epidemiological study consortia.
http://www.obiba.org/pages/products/mica/
GNU General Public License v3.0

2FA is not enforced when requesting API - Python client #4456

Open thiagomdiniz opened 2 months ago

thiagomdiniz commented 2 months ago


Version information

5.4.2

Expected behavior

When an Agate user with access to Mica makes a request to the Mica API (using the Python client) while the 2FA configuration is enabled (Authenticator app or code sent by email), and the --otp parameter is used, it is expected that the user receives the 2FA code by email and then types it into the command line so that the API validates access.

Actual behavior

When executing the API call, the user only receives the email with the 2FA code if the --otp parameter is not passed. If the user passes the --otp parameter, the prompt requests the 2FA code without sending the email.
And when the email is sent, it is sent 3 times:


Agate logs:

2024-08-14T20:58:38.114Z  INFO 20 --- [p1899272141-183] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'user' from application 'mica'
2024-08-14T20:58:38.187Z  INFO 20 --- [p1899272141-183] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'user' from application 'mica'
2024-08-14T20:58:38.232Z  INFO 20 --- [p1899272141-183] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'user' from application 'mica'

Mica logs:

2024-08-14 20:59:16.827  WARN 19 --- [        task-45] o.o.m.s.realm.MicaAuthorizingRealm       : Invalidating authorization cache
2024-08-14 20:59:16.841  INFO 19 --- [tp902186677-129] o.o.mica.core.service.AgateRestService   : Connecting to Agate: http://agate:8081
2024-08-14 20:59:16.901  WARN 19 --- [        task-46] o.o.m.s.realm.MicaAuthorizingRealm       : Invalidating authorization cache
2024-08-14 20:59:16.950  WARN 19 --- [        task-39] o.o.m.s.realm.MicaAuthorizingRealm       : Invalidating authorization cache

And when using the --otp parameter, any code entered is accepted and the request is processed.
For example, I randomly typed 23 and the request was processed:

$ mica rest --mica http://mica:8082 -u user -p password -a application/json --json --otp /data-access-requests
Enter 6-digits code: 23
[
  {
    "actions": [
      "VIEW",
      "EDIT",
      "DELETE",
      "EDIT_STATUS"
    ],
    "applicant": "user",
    "archived": false,
...

Thanks in advance!

Reproduction steps

As described in the Actual behavior...

$ mica rest --mica http://mica:8082 -u user -p password -a application/json --json /data-access-requests

$ mica rest --mica http://mica:8082 -u user -p password -a application/json --json --otp /data-access-requests

Operating System (OS)

Linux

Browser

Google Chrome

Contact info
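The Agate log excerpt above shows three "Successful login" entries for the same user and application within about 120 ms, one per OTP-email attempt. Whether or not the client bug is fixed, a defender can spot that pattern server-side. The script below is an added example written for this issue, not code from the Mica or Agate projects: it parses lines in the Agate log format quoted in the report, extracts the user and application from the login message, and reports any (user, application) pair that logged in at least N times inside a sliding time window. The sample lines are constructed, the first three copied from the report; the window and threshold values are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line layout modelled on the Agate log lines quoted in the report:
# "<ISO timestamp>  LEVEL <pid> --- [thread] logger : message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+"
    r"(?P<level>[A-Z]+)\s+\d+\s+---\s+\[(?P<thread>[^\]]*)\]\s+"
    r"(?P<logger>\S+)\s+:\s+(?P<msg>.*)$"
)
# Message text as emitted by TicketsResource in the quoted lines.
LOGIN_RE = re.compile(
    r"Successful login for user '(?P<user>[^']+)' from application '(?P<app>[^']+)'"
)

# Constructed sample log; the first three lines are the ones from the report,
# the rest are invented to show a normal single login and an unrelated line.
SAMPLE_LINES = [
    "2024-08-14T20:58:38.114Z  INFO 20 --- [p1899272141-183] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'user' from application 'mica'",
    "2024-08-14T20:58:38.187Z  INFO 20 --- [p1899272141-183] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'user' from application 'mica'",
    "2024-08-14T20:58:38.232Z  INFO 20 --- [p1899272141-183] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'user' from application 'mica'",
    "2024-08-14T20:58:40.001Z  INFO 20 --- [p1899272141-184] o.o.a.web.rest.ticket.TicketsResource    : Successful login for user 'alice' from application 'mica'",
    "2024-08-14T20:58:41.500Z  WARN 20 --- [p1899272141-185] o.o.a.web.rest.ticket.TicketsResource    : Ticket expired for user 'alice'",
]


def parse_login(line):
    """Return (timestamp, user, application) for a successful-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    login = LOGIN_RE.search(m.group("msg"))
    if not login:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, login.group("user"), login.group("app")


def find_login_bursts(lines, window_ms=500, min_count=3):
    """Report (user, app) pairs with >= min_count logins inside any window_ms span.

    One entry per pair, describing the densest window found.
    """
    stamps_by_key = defaultdict(list)
    for line in lines:
        parsed = parse_login(line)
        if parsed:
            ts, user, app = parsed
            stamps_by_key[(user, app)].append(ts)

    window = timedelta(milliseconds=window_ms)
    bursts = []
    for (user, app), stamps in stamps_by_key.items():
        stamps.sort()
        best = None  # (count, first_ts, last_ts) of the densest window
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within window_ms.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, stamps[start], ts)
        if best and best[0] >= min_count:
            bursts.append({
                "user": user,
                "app": app,
                "count": best[0],
                "first": best[1].isoformat(timespec="milliseconds"),
                "last": best[2].isoformat(timespec="milliseconds"),
            })
    return bursts


if __name__ == "__main__":
    for burst in find_login_bursts(SAMPLE_LINES):
        print(f"{burst['count']} logins for '{burst['user']}' via '{burst['app']}' "
              f"between {burst['first']} and {burst['last']}")
```

On the sample data the script reports the single burst of three logins for 'user' via 'mica' and stays silent about 'alice', who logged in once. Feeding it a real Agate log gives a quick check of whether each client request is triggering one ticket login or several, which is the symptom the reporter observed alongside the repeated 2FA emails.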