Merge pull request from GHSA-2crp-q9pc-457j

* ensure API login only works if mfa is not required * add migration to log out users * add migration to clear users
2024-08-30 18:33:04 +00:00 · 2024-05-24 13:24:24 +02:00 · 2024-05-24 13:24:24 +02:00 · 0e1b78d88b
commit 0e1b78d88b
parent ed1717942d
2 changed files with 45 additions and 2 deletions
--- a/src/backend/InvenTree/users/api.py
+++ b/src/backend/InvenTree/users/api.py
@ -3,11 +3,12 @@
 import datetime
 import logging

-from django.contrib.auth import get_user, login
+from django.contrib.auth import get_user, login, logout
 from django.contrib.auth.models import Group, User
 from django.urls import include, path, re_path
 from django.views.generic.base import RedirectView

+from allauth.account.adapter import get_adapter
 from dj_rest_auth.views import LoginView, LogoutView
 from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_view
 from rest_framework import exceptions, permissions
@ -17,6 +18,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView

 import InvenTree.helpers
+from common.models import InvenTreeSetting
 from InvenTree.filters import SEARCH_ORDER_FILTER
 from InvenTree.mixins import (
    ListAPI,
@ -216,7 +218,22 @@ class GroupList(ListCreateAPI):
 class Login(LoginView):
    """API view for logging in via API."""

-    ...
+    def process_login(self):
+        """Process the login request, ensure that MFA is enforced if required."""
+        # Normal login process
+        ret = super().process_login()
+
+        # Now check if MFA is enforced
+        user = self.request.user
+        adapter = get_adapter(self.request)
+
+        # User requires 2FA or MFA is enforced globally - no logins via API
+        if adapter.has_2fa_enabled(user) or InvenTreeSetting.get_setting(
+            'LOGIN_ENFORCE_MFA'
+        ):
+            logout(self.request)
+            raise exceptions.PermissionDenied('MFA required for this user')
+        return ret


@extend_schema_view(
--- a/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
+++ b/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
@ -0,0 +1,26 @@
+# Generated by Django 4.2.12 on 2024-05-23 16:40
+
+from importlib import import_module
+
+from django.conf import settings
+from django.db import migrations
+
+
+def clear_sessions(apps, schema_editor):
+    """Clear all user sessions."""
+
+    engine = import_module(settings.SESSION_ENGINE)
+    engine.SessionStore.clear_expired()
+    print('Cleared all user sessions to deal with GHSA-2crp-q9pc-457j')
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("users", "0010_alter_apitoken_key"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            clear_sessions, reverse_code=migrations.RunPython.noop,
+        )
+    ]