docker login seems to succeed with basic auth even when 2FA is enabled
#27819
Comments
|
How do you use |
|
Then all other APIs are also similarly impacted. Enabling 2FA should mean that only PAT is available for auth. And there should be documentation on how to issue the PAT so that it's not overly broad in its permissions, at least for the common use cases such as the Docker registry pull/push. |
|
IOW a login/password is like a PAT that has every possible permission for that user and cannot be restricted. That is problematic IMO |
lunny
pushed a commit
that referenced
this issue
Nov 6, 2023
Fixes #27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this issue
Nov 6, 2023
Fixes go-gitea#27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
KN4CK3R
added a commit
to KN4CK3R/gitea
that referenced
this issue
Nov 6, 2023
Fixes go-gitea#27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
KN4CK3R
added a commit
that referenced
this issue
Nov 6, 2023
Backport #27915 by @KN4CK3R Fixes #27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself. Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
fuxiaohei
pushed a commit
to fuxiaohei/gitea
that referenced
this issue
Jan 17, 2024
Fixes go-gitea#27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
silverwind
pushed a commit
to silverwind/gitea
that referenced
this issue
Feb 20, 2024
Fixes go-gitea#27819 We have support for two factor logins with the normal web login and with basic auth. For basic auth the two factor check was implemented at three different places and you need to know that this check is necessary. This PR moves the check into the basic auth itself.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
docker loginseems to be succeeding with "basic" auth even though 2FA is enabled on the account. I was a bit surprised by that. Notably, this also reproduces on the Gitea demo site.I then started looking into the documentation on how to create a PAT here: https://docs.gitea.com/development/api-usage#authentication. This does not seem to work either. The OTP-less first suggestion results in
{"message":"Only signed in user is allowed to call APIs."}, the one with OTP results in[](empty JSON list).Finally, going into the UI as the instructions suggest is not helpful either, since it is not at all clear what permissions such a PAT would need for read-only and read-write access.
So there seem to be several issues here:
docker loginshould not succeed if account has 2FA enabled on itGitea Version
1.20.3
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Docker compose using your downloads. But this reproduces on try.gitea.io as well.
Database
None
The text was updated successfully, but these errors were encountered: