Seems like when pressing the Sign in button of the webadmin login page, it will POST /api/oauth and /api/token with content type text/plain;charset=UTF-8
This behavior is not allowed by ModSecurity rule 920420, which restricts the content types allowed to be sent to the server as POST and ultimately results in a 403 Forbidden being returned, which appears to be how Webadmin detects the missing TOTP code and ultimately results in the TOTP code page being displayed. https://github.com/stalwartlabs/mail-server/issues/722#issuecomment-2312719397
Given that ModSecurity is used in many WAF programs, perhaps this behavior should be considered a bug and fixed? I'm also not sure how many POST requests are actually sent as text/plain. What do you think?
Related to https://github.com/stalwartlabs/mail-server/issues/722