Properly handle one-time password in JSON-RPC API #7459

julien-f · 2024-03-11T11:33:10Z

This is a security issue because OTP was only check when signing in via xo-web, not via session.signIn in the JSON-RPC API.

Commit
- Title follows commit conventions
- Reference the relevant issue (Fixes #007, See xoa-support#42, See https://...)
- If bug fix, add Introduced by
Changelog
- If visible by XOA users, add changelog entry
- Update "Packages to release" in CHANGELOG.unreleased.md
PR
- If UI changes, add screenshots
- If not finished or not tested, open as Draft

packages/xo-server/src/xo-mixins/authentication.mjs

Fixes zammad#22688

julien-f force-pushed the api-otp branch 2 times, most recently from f4d079f to 70cd602 Compare March 11, 2024 11:42

julien-f requested a review from MathieuRA March 11, 2024 11:42

MathieuRA reviewed Mar 11, 2024

View reviewed changes

packages/xo-server/src/xo-mixins/authentication.mjs Show resolved Hide resolved

MathieuRA requested a review from fbeauchamp March 11, 2024 14:42

MathieuRA approved these changes Mar 11, 2024

View reviewed changes

fbeauchamp approved these changes Mar 12, 2024

View reviewed changes

julien-f added 2 commits March 14, 2024 16:57

fix(xo-server/authenticateUser): check OTP

cc42878

Fixes zammad#22688

feat(xo-cli): support OTP

587f034

julien-f force-pushed the api-otp branch from 70cd602 to 587f034 Compare March 14, 2024 15:59

julien-f merged commit c6451cf into master Mar 14, 2024
1 check passed

julien-f deleted the api-otp branch March 14, 2024 15:59

Provide feedback