Add login.token_auth_enforced parameter to disallow password based logins

Open dschmidt opened this issue 2 years ago • 9 comments

… completely.

Description

This prevents the login form from rendering and sessions from being created even for handcrafted requests (even if CSRF protection is disabled).

Related Issue

  • Fixes https://github.com/owncloud/core/issues/39484

Motivation and Context

As described in the original ticket, I'm paranoid and want to disable password based logins after enabling two factor authentication on my personal ownCloud instance.

What do you think? Especially of the parameter name? token_auth_enforced is used for everything but the browser login, login.alternatives is used for adding the buttons - so that namespace and the analogous parameter name seemed to kinda make sense to me, but I have no strong opinion about this.

How Has This Been Tested?

In my regular development setup :)

Screenshots (if appropriate):

Screenshot_20211116_220342

With the customer portal it obviously doesn't make sense, because you still need to log in after registering - but the button is analogous to the OIDC (e.g.) login button.

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Database schema changes (next release will require increase of minor version instead of patch)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] Technical debt
  • [ ] Tests only (no source changes)

Checklist:

  • [x] Code changes
  • [ ] Unit tests added
  • [ ] Acceptance tests added
  • [ ] Documentation ticket raised:
  • [ ] Changelog item, see TEMPLATE

dschmidt avatar Nov 16 '21 21:11 dschmidt
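A compact model of the guard this PR describes, added here as an example and not ownCloud's own code: one flag hides the password form on GET and rejects credential POSTs before any session is created (independent of the CSRF check), and the template values are normalised to strict booleans so an unset key reads as false rather than null, the value reported in the LoginControllerTest failure later in this thread. The `strict_login_enforced` key name, the in-memory user store and the response shapes are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user store for the demo (username -> password, plain text
# only because this is a model, not a real credential store).
USERS = {"alice": "correct horse"}

def token_auth_enforced(config: dict) -> bool:
    # Only an explicit True enforces; a missing or None value (what a
    # mocked config hands back in a unit test) is plain False, never None.
    return config.get("login.token_auth_enforced") is True

def template_params(config: dict) -> dict:
    # Template parameters stay strict booleans so a test comparing against
    # False does not see None for an unset key (assumed key names).
    return {
        "strictLoginEnforced": config.get("strict_login_enforced") is True,
        "login.token_auth_enforced": token_auth_enforced(config),
    }

@dataclass
class Response:
    status: int
    body: str
    session_user: Optional[str] = None  # set only when a session is created

def login_get(config: dict) -> Response:
    # Enforced: render the guest page without the password form; alternative
    # login buttons (OIDC etc.) would still come from the template.
    if token_auth_enforced(config):
        return Response(200, "guest page: password form hidden")
    return Response(200, "guest page: password form")

def login_post(config: dict, form: dict, csrf_ok: bool = True) -> Response:
    # Refuse before touching credentials or CSRF state: a handcrafted POST
    # that never saw the form must not create a session either way.
    if token_auth_enforced(config):
        return Response(403, "password login disabled")
    if not csrf_ok:
        return Response(412, "csrf check failed")
    user, password = form.get("user"), form.get("password")
    if user in USERS and USERS[user] == password:
        return Response(303, "redirect after login", session_user=user)
    return Response(401, "invalid credentials")
```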

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

update-docs[bot] avatar Nov 16 '21 21:11 update-docs[bot]

https://github.com/owncloud/core/tree/work/login.token_auth_enforced This branch is 1 commit ahead, 1074 commits behind master. Please start from a current core master branch.

phil-davis avatar Nov 17 '21 09:11 phil-davis

Rebased

dschmidt avatar Nov 17 '21 10:11 dschmidt

This is docs relevant, please file a docs issue when close to merge.

mmattel avatar Dec 05 '21 10:12 mmattel

Ping?

dschmidt avatar Feb 11 '22 10:02 dschmidt

Rebased.

dschmidt avatar Mar 04 '22 14:03 dschmidt

https://drone.owncloud.com/owncloud/core/34822/10/7

There were 13 failures:

1) Tests\Core\Controller\LoginControllerTest::testResponseForNotLoggedinUser
Failed asserting that two objects are equal.
--- Expected
+++ Actual
@@ @@
         'alt_login' => Array ()
         'rememberLoginAllowed' => false
         'rememberLoginState' => 0
-        'strictLoginEnforced' => false
+        'strictLoginEnforced' => null
+        'login.token_auth_enforced' => null
     )
     'renderAs' => 'guest'
     'appName' => 'core'
...

phil-davis avatar Mar 08 '22 12:03 phil-davis

Does anyone have an opinion or comment about this?

Maybe @micbar @JanAckermann @JammingBen ?

phil-davis avatar Mar 08 '22 13:03 phil-davis

@DeepDiver1975 maybe you can have a look at this

mmattel avatar Jun 17 '22 13:06 mmattel