Magento rest API can still be accessed without 2FA even after enabling 2FA. #35

Closed
SimonPrins opened this issue Aug 8, 2019 · 1 comment
Labels
Component: 2FA Issues and Pull Requests related to Two Factor Authentication should be marked with this label

@SimonPrins

Preconditions

  1. Magento version 2.3.2

Steps to reproduce

  1. Enable 2FA.
  2. Obtain an admin access token.
  3. Use any of the admin rest API calls with the access token.

Expected result

  1. I would expect you to have to fill in a 2FA access token somewhere before being allowed to use any admin API calls, since a large portion of critical admin-only functionality can be accessed through the API. For instance, an optional two-factor code field could be added to the admin token API. Then when 2FA is enabled the code would have to be validated and refuse to grant an access token unless a valid authentication code is provided.

Actual result

  1. The rest API calls can be used without requiring 2FA.
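
Added example, not part of the original issue and not Magento's code: a minimal model of the behaviour requested under "Expected result", where the admin token call takes an optional two-factor code and refuses to issue a token when 2FA is enabled and the code is missing, wrong or already used. `AdminTokenService`, its fields and the stored credentials are hypothetical and constructed for illustration; the code check is standard RFC 6238 TOTP.

```python
import hashlib, hmac, secrets, struct, time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AdminTokenService:
    """Hypothetical model of an admin token API; not Magento's code."""

    def __init__(self, tfa_enabled: bool):
        self.tfa_enabled = tfa_enabled
        # username -> (password, TOTP secret). Constructed data; plaintext
        # passwords only keep the model short, real systems store a hash.
        self.users = {}
        self.used = set()  # (username, time step) pairs already redeemed

    def create_token(self, username, password, otp=None, now=None):
        now = time.time() if now is None else now
        password_ref, secret = self.users.get(username, ("", b""))
        if username not in self.users or not hmac.compare_digest(
                password_ref.encode(), password.encode()):
            raise PermissionError("invalid credentials")
        if self.tfa_enabled and not self._otp_ok(username, secret, otp, now):
            raise PermissionError("valid two-factor code required")
        return secrets.token_hex(16)  # bearer token for later admin calls

    def _otp_ok(self, username, secret, otp, now):
        if not otp:
            return False  # optional in the request, mandatory once 2FA is on
        for drift in (0, -1):  # current step, plus one step of clock skew
            step = int(now) // STEP + drift
            match = hmac.compare_digest(
                totp(secret, step * STEP).encode(), otp.encode())
            if match and (username, step) not in self.used:
                self.used.add((username, step))  # each code works once
                return True
        return False
```
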
@sdzhepa sdzhepa transferred this issue from another repository Jan 27, 2020
@sdzhepa sdzhepa added the Component: 2FA Issues and Pull Requests related to Two Factor Authentication should be marked with this label label Jan 27, 2020
@okorshenko okorshenko added this to Ready for Grooming in Backlog Jan 28, 2020
@phoenix128 phoenix128 self-assigned this Jan 29, 2020
@m2-community-project m2-community-project bot moved this from Ready for Grooming to Dev In Progress in Backlog Jan 29, 2020
@phoenix128 phoenix128 removed their assignment Jan 29, 2020
@m2-community-project m2-community-project bot moved this from Dev In Progress to Ready for Grooming in Backlog Jan 29, 2020
@nathanjosiah
Contributor

Thank you for opening this issue! I am closing this along with others due to 2fa currently undergoing a very large internal rewrite/refactor; this change is being addressed in the new version.

@m2-community-project m2-community-project bot moved this from Ready for Grooming to Done in Backlog Mar 20, 2020
magento-cicd2 pushed a commit that referenced this issue Jun 17, 2021
MC-42010: Update README.md of all of modules