znuny / Znuny

Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Bug - API user cannot login if 2FA is mandatory #437

Closed CERT-BA closed 2 weeks ago

CERT-BA commented 1 year ago

Environment

Expected behaviour

API users should be able to log in even if 2FA is mandatory, either by providing the 2FA token in the API login, by introducing API keys which allow an API user to log in, or by disabling 2FA for API users.

Actual behaviour

If 2FA is mandatory, API users cannot log in anymore - even if the token is provided within the login request.

How to reproduce

Steps to reproduce the behavior:

  1. Go to Admin - AuthTwoFactorModule::AllowEmptySecret and deactivate the option
  2. Log in via SOAP or REST API with a user with an empty 2FA secret

Additional information

We temporarily fixed the problem by patching the file Kernel/GenericInterface/Operation/Common.pm with the attached patch file - after that the API user can provide the TwoFactorToken within the login request.

Screenshots

Common.pm.patch
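As an added illustration (not code from this issue, the attached patch or the Znuny project), this is what an API client would have to do once the login operation accepts a `TwoFactorToken`: derive the current one-time code from the user's shared secret and send it with the credentials. It assumes the 2FA module uses standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step, base32 secret) and that the login body uses the `UserLogin` and `Password` fields; the function names and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded shared secret."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_login_request(user_login, password, secret_b32, at=None):
    """Build the login body for an API user when 2FA is mandatory.

    Field names other than TwoFactorToken are assumptions (see lead-in).
    """
    if not secret_b32:
        # The case from the reproduction steps: an empty 2FA secret with
        # AllowEmptySecret deactivated. No valid token can be derived, so
        # fail in the client instead of sending a login that is rejected.
        raise ValueError("API user has no 2FA secret; enroll one first")
    return {
        "UserLogin": user_login,
        "Password": password,
        "TwoFactorToken": totp(secret_b32, at),
    }


if __name__ == "__main__":
    # Constructed sample values; the secret is the RFC 6238 test key.
    sample_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    body = build_login_request("api-user", "example-password", sample_secret)
    print(sorted(body))
```

The token is only valid for the current time step, so the client has to compute it immediately before each login and keep its clock synchronized with the server.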

rkaldung commented 1 year ago

Internal Issue 633

CallMeFlanby commented 9 months ago

Hi, I opened a PR (Pull 496) related to this. We already use this solution in our company and have to update this file every time. Please have a look at it. :)

rkaldung commented 9 months ago

@rkaldung Already done and I left you a comment ;-)

CallMeFlanby commented 9 months ago

@rkaldung Already done and I left you a comment ;-)

Thanks. New PR #502.

CallMeFlanby commented 6 months ago

@rkaldung Already done and I left you a comment ;-)

Thanks. New PR #502.

@rkaldung Could you please check the new PR?

rkaldung commented 2 weeks ago

The pull request is part of Znuny 7.0.18 and Znuny LTS 6.5.9. Thank you @CallMeFlanby