
two factor authentication login

Open xu4wang opened this issue 5 years ago • 6 comments

My rocket chat server is always asking for an OTP from my email during the log in process.

How should I use the authentication API

https://github.com/abrom/rocketchat-ruby/blob/master/docs/authentication.md#login

for log in?

BR, Austin

xu4wang avatar Apr 26 '20 13:04 xu4wang

Hi @xu4wang,

Good question, but not something I have knowledge of. Rocket.Chat documentation talks about this but I use a different method so it isn't something I've needed to worry about:

https://rocket.chat/docs/developer-guides/two-factor/rest-api/

and

https://rocket.chat/docs/developer-guides/two-factor/

In short it looks like it is expecting two extra headers: `x-2fa-code` and `x-2fa-method`.

I see two options:

  1. Per the documentation, you can use a Personal Access Token. This of course does put a lot of trust in the token and where it's stored/who has access to it. It would be used in place of the user's password.

  2. You're more than welcome to submit a pull request to add support for the aforementioned headers in the server login method. I suspect it'd look something like:

    # Proposed change to RocketChat::Server#login: forward optional 2FA values
    # from `options` as the x-2fa-code / x-2fa-method request headers.
    def login(username, password, options = {})
      response = request_json(
        '/api/v1/login',
        method: :post,
        body: {
          username: username,
          password: password
        },
        headers: otp_headers(options)
      )
      Session.new self, Token.new(response['data'])
    end

    private

    # Build only the headers the caller actually supplied, so a login without
    # 2FA sends exactly the same request as before.
    def otp_headers(options)
      headers = {}
      headers['x-2fa-code'] = options[:two_factor_code] if options[:two_factor_code]
      headers['x-2fa-method'] = options[:two_factor_method] if options[:two_factor_method]
      headers
    end

Or something like that. But it'd also need some new tests to validate it, and it'd be good to have it validated against a real Rocket.Chat instance.

abrom avatar Apr 26 '20 13:04 abrom
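A stand-alone version of the flow sketched above, as an added example that is not the gem's code: it sends the two headers on `/api/v1/login`, recognises the server's request for a second factor, obtains the code from the caller, and retries with both headers set. The `totp-required` error body, the `FakeServer`, the credentials and the URL are constructed assumptions so the example runs offline.

```ruby
require 'json'
require 'net/http'

# Added example, not the gem's code: a minimal /api/v1/login client that sends the
# x-2fa-code / x-2fa-method headers from the thread, plus a constructed fake server
# so it runs offline. The `totp-required` error body shape is an assumption.
module RocketChat2FA
  LOGIN_PATH = '/api/v1/login'
  # Build the login POST; the 2FA headers are added only when a code is given.
  def self.build_login_request(base_url, username, password, two_factor_code: nil, two_factor_method: nil)
    req = Net::HTTP::Post.new(URI.join(base_url, LOGIN_PATH))
    req['Content-Type'] = 'application/json'
    req['x-2fa-code'] = two_factor_code if two_factor_code
    req['x-2fa-method'] = two_factor_method if two_factor_method
    req.body = JSON.generate({ username: username, password: password })
    req
  end

  # transport.call(req) returns anything with #body (a Net::HTTP response qualifies).
  # Returns a token hash, or { totp_required: true, method: ... } if a code is needed.
  def self.login(base_url, username, password, transport:, two_factor_code: nil, two_factor_method: nil)
    req = build_login_request(base_url, username, password,
                              two_factor_code: two_factor_code, two_factor_method: two_factor_method)
    json = JSON.parse(transport.call(req).body)
    return { totp_required: true, method: json.dig('details', 'method') } if json['errorType'] == 'totp-required'
    raise "login failed: #{json['error'] || json['message']}" unless json['status'] == 'success'
    { auth_token: json.dig('data', 'authToken'), user_id: json.dig('data', 'userId') }
  end

  # Full flow: try without a code; if the server demands one, fetch it through the
  # block (prompt the user, read the e-mail, ...) and retry with both headers set.
  def self.two_step_login(base_url, username, password, transport:)
    first = login(base_url, username, password, transport: transport)
    return first unless first[:totp_required]
    login(base_url, username, password, transport: transport,
          two_factor_code: yield(first[:method]), two_factor_method: first[:method])
  end

  # Constructed stand-in for a Rocket.Chat server: demands an e-mailed code on the
  # first attempt and accepts only code '123456' sent with method 'email'.
  FakeResponse = Struct.new(:code, :body)
  class FakeServer
    def call(req)
      return FakeResponse.new('400', JSON.generate({ errorType: 'totp-required', details: { method: 'email' } })) unless req['x-2fa-code']
      return FakeResponse.new('401', JSON.generate({ status: 'error', error: 'Unauthorized' })) unless req['x-2fa-code'] == '123456' && req['x-2fa-method'] == 'email'
      FakeResponse.new('200', JSON.generate({ status: 'success', data: { authToken: 'tok', userId: 'uid' } }))
    end
  end
end
```

Against a real server, pass an object whose `call(req)` performs the request with `Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |http| http.request(req) }` in place of `FakeServer`.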

Thanks @abrom for the quick update and the candidate solutions. I will evaluate the two options later.

xu4wang avatar Apr 27 '20 05:04 xu4wang

Do you have any update on this? This makes this gem pretty useless, as TOTP is not disableable for new users. It is for admins though, with the ENV `Accounts_TwoFactorAuthentication_Enforce_Password_Fallback` set to false. So we can only log in as admin right now.

julienchabanon avatar Jun 09 '21 22:06 julienchabanon

Not since my last reply. I listed two different ways that you can authenticate against a system with 2 factor.

From your comment it would seem likely you'd want the second option. I've listed the code that should allow for 2 factor. If you are able to test that it works, and can put together a PR to include it in the gem, I'd be more than happy to take a look.

abrom avatar Jun 10 '21 04:06 abrom

Any update on testing the proposed change @julienchabanon or @xu4wang ?

abrom avatar Aug 30 '21 13:08 abrom

> Per the documentation, you can use a Personal Access Token. This of course does put a lot of trust in the token and where it's stored/who has access to it. It would be used in place of the user's password.

If someone needs a solution: you could create a personal token in Rocket.Chat and use it to get a session.

    require 'rocketchat'

    # url: the base URL of your Rocket.Chat server
    options = {}
    server = RocketChat::Server.new(url, options)
    # A Personal Access Token stands in for a session token: authToken is the
    # PAT itself and userId is the id of the user who created it.
    token = RocketChat::Token.new(authToken: 'personal_access_token', userId: 'user_id')
    session = RocketChat::Session.new(server, token)

MrRTi avatar Mar 29 '23 15:03 MrRTi