From 7060ce3fe47c0bac1058abd3393c042045a4ba17 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT <pierre.git@communiquons.org>
Date: Wed, 27 Mar 2024 21:03:49 +0100
Subject: [PATCH] Enforce 2FA for user admin routes

---
 README.md                           | 4 ++--
 src/controllers/admin_api.rs        | 3 +++
 src/controllers/admin_controller.rs | 4 ++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 96d5dd6..96a08c4 100644
--- a/README.md
+++ b/README.md
@@ -20,10 +20,10 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
   redirect_uri: https://mygit.mywebsite.com/
   # If you want new accounts to be granted access to this client by default
   default: true
-  # If you want the client to be granted to every users, regardless their account configuration
+  # If you want the client to be granted to every user, regardless their account configuration
   granted_to_all_users: true
   # If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
-  enforce_mfa_auth: true
+  enforce_2fa_auth: true
 ```
 
 On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
diff --git a/src/controllers/admin_api.rs b/src/controllers/admin_api.rs
index eeb78b6..0f6d9ea 100644
--- a/src/controllers/admin_api.rs
+++ b/src/controllers/admin_api.rs
@@ -4,6 +4,7 @@ use actix_web::{web, HttpResponse, Responder};
 
 use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor};
 use crate::data::action_logger::{Action, ActionLogger};
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::user::UserID;
 use crate::utils::string_utils;
@@ -19,6 +20,7 @@ struct FindUserResult {
 }
 
 pub async fn find_username(
+    _critical: CriticalRoute,
     req: web::Form<FindUserNameReq>,
     users: web::Data<Addr<UsersActor>>,
 ) -> impl Responder {
@@ -41,6 +43,7 @@ pub struct DeleteUserReq {
 }
 
 pub async fn delete_user(
+    _critical: CriticalRoute,
     user: CurrentUser,
     req: web::Form<DeleteUserReq>,
     users: web::Data<Addr<UsersActor>>,
diff --git a/src/controllers/admin_controller.rs b/src/controllers/admin_controller.rs
index e1f5770..57904bf 100644
--- a/src/controllers/admin_controller.rs
+++ b/src/controllers/admin_controller.rs
@@ -12,6 +12,7 @@ use crate::controllers::settings_controller::BaseSettingsPage;
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::app_config::AppConfig;
 use crate::data::client::{Client, ClientID, ClientManager};
+use crate::data::critical_route::CriticalRoute;
 use crate::data::current_user::CurrentUser;
 use crate::data::provider::{Provider, ProviderID, ProvidersManager};
 use crate::data::user::{GeneralSettings, GrantedClients, User, UserID};
@@ -98,6 +99,7 @@ pub struct UpdateUserQuery {
 }
 
 pub async fn users_route(
+    _critical: CriticalRoute,
     admin: CurrentUser,
     users: web::Data<Addr<UsersActor>>,
     update_query: Option<web::Form<UpdateUserQuery>>,
@@ -299,6 +301,7 @@ pub async fn users_route(
 }
 
 pub async fn create_user(
+    _critical: CriticalRoute,
     admin: CurrentUser,
     clients: web::Data<Arc<ClientManager>>,
     providers: web::Data<Arc<ProvidersManager>>,
@@ -332,6 +335,7 @@ pub struct EditUserQuery {
 }
 
 pub async fn edit_user(
+    _critical: CriticalRoute,
     admin: CurrentUser,
     clients: web::Data<Arc<ClientManager>>,
     providers: web::Data<Arc<ProvidersManager>>,