Mirrors/ProxMenux
1
0
Fork 0
mirror of https://github.com/MacRimi/ProxMenux.git synced 2026-02-18 16:36:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 2FA

Browse Source
This commit is contained in:
MacRimi
2026-02-13 10:51:27 +01:00
parent 00230d1b8f
commit c89baf34a8
2 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
AppImage/scripts/auth_manager.py
View File

@@ -786,12 +786,15 @@ def authenticate(username, password, totp_token=None):
if config.get("totp_enabled"): if config.get("totp_enabled"):
if not totp_token: if not totp_token:
# First step: password OK, now request TOTP code (not a failure)
return False, None, True, "2FA code required" return False, None, True, "2FA code required"
# Verify TOTP token or backup code # Verify TOTP token or backup code
success, message = verify_totp(username, totp_token, use_backup=len(totp_token) == 9) # Backup codes are formatted XXXX-XXXX success, message = verify_totp(username, totp_token, use_backup=len(totp_token) == 9) # Backup codes are formatted XXXX-XXXX
if not success: if not success:
return False, None, True, message # TOTP code is wrong: return requires_totp=False so the caller
# logs it as a real authentication failure for Fail2Ban
return False, None, False, "Invalid 2FA code"
token = generate_token(username) token = generate_token(username)
if token: if token:

12
AppImage/scripts/flask_auth_routes.py
View File

@@ -157,15 +157,23 @@ def auth_login():
if success: if success:
return jsonify({"success": True, "token": token, "message": message}) return jsonify({"success": True, "token": token, "message": message})
elif requires_totp: elif requires_totp:
# First step: password OK, requesting TOTP code (not a failure)
return jsonify({"success": False, "requires_totp": True, "message": message}), 200 return jsonify({"success": False, "requires_totp": True, "message": message}), 200
else: else:
# Log failed auth for Fail2Ban detection # Authentication failure (wrong password or wrong TOTP code)
client_ip = _get_client_ip() client_ip = _get_client_ip()
auth_logger.warning( auth_logger.warning(
"authentication failure; rhost=%s user=%s", "authentication failure; rhost=%s user=%s",
client_ip, username or "unknown" client_ip, username or "unknown"
) )
return jsonify({"success": False, "message": message}), 401 # If user submitted a TOTP token that was wrong, tell frontend
# to keep showing the TOTP field (not go back to password step)
is_totp_failure = totp_token and "2FA" in message
return jsonify({
"success": False,
"message": message,
"requires_totp": is_totp_failure
}), 401
except Exception as e: except Exception as e:
return jsonify({"success": False, "message": str(e)}), 500 return jsonify({"success": False, "message": str(e)}), 500