|
|
@ -1,10 +1,12 @@ |
|
|
|
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
|
|
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
|
|
|
|
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a MIT-style
|
|
|
|
// Use of this source code is governed by a MIT-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
|
|
package context |
|
|
|
package context |
|
|
|
|
|
|
|
|
|
|
|
import ( |
|
|
|
import ( |
|
|
|
|
|
|
|
"code.gitea.io/gitea/models" |
|
|
|
"code.gitea.io/gitea/modules/auth" |
|
|
|
"code.gitea.io/gitea/modules/auth" |
|
|
|
"code.gitea.io/gitea/modules/log" |
|
|
|
"code.gitea.io/gitea/modules/log" |
|
|
|
"code.gitea.io/gitea/modules/setting" |
|
|
|
"code.gitea.io/gitea/modules/setting" |
|
|
@ -88,6 +90,28 @@ func Toggle(options *ToggleOptions) macaron.Handler { |
|
|
|
ctx.HTML(200, "user/auth/activate") |
|
|
|
ctx.HTML(200, "user/auth/activate") |
|
|
|
return |
|
|
|
return |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
if ctx.IsSigned && auth.IsAPIPath(ctx.Req.URL.Path) && ctx.IsBasicAuth { |
|
|
|
|
|
|
|
twofa, err := models.GetTwoFactorByUID(ctx.User.ID) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
if models.IsErrTwoFactorNotEnrolled(err) { |
|
|
|
|
|
|
|
return // No 2FA enrollment for this user
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
ctx.Error(500) |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP") |
|
|
|
|
|
|
|
ok, err := twofa.ValidateTOTP(otpHeader) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
ctx.Error(500) |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if !ok { |
|
|
|
|
|
|
|
ctx.JSON(403, map[string]string{ |
|
|
|
|
|
|
|
"message": "Only signed in user is allowed to call APIs.", |
|
|
|
|
|
|
|
}) |
|
|
|
|
|
|
|
return |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// Redirect to log in page if auto-signin info is provided and has not signed in.
|
|
|
|
// Redirect to log in page if auto-signin info is provided and has not signed in.
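Review bot: The 403 body in the `if !ok` branch says "Only signed in user is allowed to call APIs." although the basic-auth credentials were accepted and only the TOTP check failed, which misdirects a client that simply did not send the header; a message naming the real cause, e.g. `"message": "Invalid or missing one-time password; supply it in the X-Gitea-OTP header.",` would be clearer. Both `ctx.Error(500)` paths discard `err` without any log line, and a rejected OTP is not logged either, so repeated failures against an account's second factor leave no trace for operators; a `log.Error` on the error branches and a `log.Warn` on the rejection, using the already-imported log package, would make them observable. It also looks like an empty `X-Gitea-OTP` header is passed to `ValidateTOTP` unchanged, so whether a missing header is distinguished from a wrong code depends on that helper, which is worth confirming. The enclosing `Toggle` function begins before this hunk and continues past it.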
|
|
|
|