Throw error if 2FA is not enabled

directus · Nov 8, 2019 · 5b4b21a · 5b4b21a
1 parent 23cfac4
commit 5b4b21a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 11 deletions.
diff --git a/src/core/Directus/Authentication/Exception/TFAEnforcedException.php b/src/core/Directus/Authentication/Exception/TFAEnforcedException.php
@@ -7,9 +7,10 @@
 class TFAEnforcedException extends UnauthorizedException
 {
     const ERROR_CODE = 113;
+    const ERROR_MESSAGE = "2FA enforced but not activated for user";
 
     public function __construct()
     {
-        parent::__construct('2FA enforced but not activated for user');
+        parent::__construct(ERROR_MESSAGE);
     }
 }
diff --git a/src/core/Directus/Authentication/Provider.php b/src/core/Directus/Authentication/Provider.php
@@ -430,17 +430,14 @@ public function getUserProvider()
      *
      * @return string
      */
-    public function generateAuthToken(UserInterface $user, $needs2FA = false)
+    public function generateAuthToken(UserInterface $user)
     {
         $payload = [
             'id' => (int) $user->getId(),
             // 'group' => $user->getGroupId(),
             'exp' => $this->getNewExpirationTime()
         ];
 
-        if ($needs2FA == true) {
-            $payload['needs2FA'] = true;
-        }
 
         return $this->generateToken(JWTUtils::TYPE_AUTH, $payload);
     }

diff --git a/src/core/Directus/Services/AuthService.php b/src/core/Directus/Services/AuthService.php
@@ -10,6 +10,7 @@
 use Directus\Authentication\Exception\InvalidResetPasswordTokenException;
 use Directus\Authentication\Exception\UserNotFoundException;
 use Directus\Authentication\Exception\UserWithEmailNotFoundException;
+use Directus\Authentication\Exception\TFAEnforcedException;
 use Directus\Authentication\Sso\OneSocialProvider;
 use Directus\Authentication\Provider;
 use Directus\Authentication\Sso\Social;
@@ -73,16 +74,26 @@ public function loginWithCredentials($email, $password, $otp=null, $mode = null)
                 break;
             case DirectusUserSessionsTableGateway::TOKEN_JWT : 
             default : 
-                $needs2FA = $tfa_enforced && $user->get2FASecret() == null;
-                $token = $this->generateAuthToken($user,$needs2FA);
+                $token = $this->generateAuthToken($user);
+                $user = $user->toArray();
                 $responseData = [
                     'token' => $token,
-                    'user' => $user->toArray()
+                    'user' => $user
                 ];
+
         }
-        return [
-            'data' => $responseData
-        ];
+        $responseObject['data'] = $responseData;
+
+        if(!is_null($user)){
+            $needs2FA = $tfa_enforced && $user['2fa_secret'] == null;
+            if($needs2FA){
+                $responseObject['error'] = [
+                    'code' => TFAEnforcedException::ERROR_CODE,
+                    'message' => TFAEnforcedException::ERROR_MESSAGE
+                ];
+            }
+        }
+        return $responseObject;
     }
 
     /**