FEATURE: Disallow login via omniauth when user has 2FA enabled.

2025-09-05 08:59:27 +08:00 · 2018-03-01 15:47:07 +08:00 · 2018-03-01 15:47:07 +08:00 · fb75f188ba
commit fb75f188ba
parent 0fabf80dca
7 changed files with 77 additions and 25 deletions
--- a/app/assets/javascripts/discourse/controllers/login.js.es6
+++ b/app/assets/javascripts/discourse/controllers/login.js.es6
@ -27,16 +27,20 @@ export default Ember.Controller.extend(ModalFunctionality, {
  loggingIn: false,
  loggedIn: false,
  processingEmailLink: false,
+  showLoginButtons: true,

  canLoginLocal: setting('enable_local_logins'),
  canLoginLocalWithEmail: setting('enable_local_logins_via_email'),
  loginRequired: Em.computed.alias('application.loginRequired'),

  resetForm: function() {
-    this.set('authenticate', null);
-    this.set('loggingIn', false);
-    this.set('loggedIn', false);
-    this.set('secondFactorRequired', false);
+    this.setProperties({
+      'authenticate': null,
+      'loggingIn': false,
+      'loggedIn': false,
+      'secondFactorRequired': false,
+      'showLoginButtons': true,
+    });
    $("#credentials").show();
    $("#second-factor").hide();
  },
@ -250,16 +254,28 @@ export default Ember.Controller.extend(ModalFunctionality, {
  }).property('authenticate'),

  authenticationComplete(options) {
-
    const self = this;
-    function loginError(errorMsg, className) {
+    function loginError(errorMsg, className, callback) {
      showModal('login');
-      Ember.run.next(function() {
+
+      Ember.run.next(() => {
+        callback();
        self.flash(errorMsg, className || 'success');
        self.set('authenticate', null);
      });
    }

+    if (options.omniauth_disallow_totp) {
+      return loginError(I18n.t('login.omniauth_disallow_totp'), 'error', () => {
+        this.setProperties({
+          'loginName': options.email,
+          'showLoginButtons': false,
+        });
+
+        $('#login-account-password').focus();
+      });
+    }
+
    for (let i=0; i<AuthErrors.length; i++) {
      const cond = AuthErrors[i];
      if (options[cond]) {
--- a/app/assets/javascripts/discourse/templates/mobile/modal/login.hbs
+++ b/app/assets/javascripts/discourse/templates/mobile/modal/login.hbs
@ -1,10 +1,12 @@
 {{#login-modal screenX=lastX screenY=lastY loginName=loginName loginPassword=loginPassword loginSecondFactor=loginSecondFactor action="login"}}
  {{#d-modal-body title="login.title" class="login-modal"}}
-    {{login-buttons
-      canLoginLocalWithEmail=canLoginLocalWithEmail
-      processingEmailLink=processingEmailLink
-      emailLogin='emailLogin'
-      externalLogin='externalLogin'}}
+    {{#if showLoginButtons}}
+      {{login-buttons
+        canLoginLocalWithEmail=canLoginLocalWithEmail
+        processingEmailLink=processingEmailLink
+        emailLogin='emailLogin'
+        externalLogin='externalLogin'}}
+    {{/if}}

    {{#if canLoginLocal}}
      <form id='login-form' method='post'>
--- a/app/assets/javascripts/discourse/templates/modal/login.hbs
+++ b/app/assets/javascripts/discourse/templates/modal/login.hbs
@ -1,10 +1,12 @@
 {{#login-modal screenX=lastX screenY=lastY loginName=loginName loginPassword=loginPassword loginSecondFactor=loginSecondFactor action="login"}}
  {{#d-modal-body title="login.title" class="login-modal"}}
-    {{login-buttons
-      canLoginLocalWithEmail=canLoginLocalWithEmail
-      processingEmailLink=processingEmailLink
-      emailLogin='emailLogin'
-      externalLogin='externalLogin'}}
+    {{#if showLoginButtons}}
+      {{login-buttons
+        canLoginLocalWithEmail=canLoginLocalWithEmail
+        processingEmailLink=processingEmailLink
+        emailLogin='emailLogin'
+        externalLogin='externalLogin'}}
+    {{/if}}

    {{#if canLoginLocal}}
      <form id='login-form' method='post'>