Can force 2FA authent

src/controllers/login_api.rs

@@ -16,6 +16,7 @@ pub struct AuthWebauthnRequest {
     credential: PublicKeyCredential,
 }
 
+#[allow(clippy::too_many_arguments)]
 pub async fn auth_webauthn(
     id: Identity,
     req: web::Json<AuthWebauthnRequest>,
@@ -25,10 +26,6 @@ pub async fn auth_webauthn(
     users: web::Data<Addr<UsersActor>>,
     logger: ActionLogger,
 ) -> impl Responder {
-    if !SessionIdentity(Some(&id)).need_2fa_auth() {
-        return HttpResponse::Unauthorized().json("No 2FA required!");
-    }
-
     let user_id = SessionIdentity(Some(&id)).user_id();
 
     match manager.finish_authentication(&user_id, &req.opaque_state, &req.credential) {

src/controllers/login_controller.rs

@@ -13,6 +13,7 @@ use crate::controllers::base_controller::{
     build_fatal_error_page, redirect_user, redirect_user_for_login,
 };
 use crate::data::action_logger::{Action, ActionLogger};
+use crate::data::force_2fa_auth::Force2FAAuth;
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{Provider, ProvidersManager};
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
@@ -311,8 +312,9 @@ pub async fn choose_2fa_method(
     id: Option<Identity>,
     query: web::Query<ChooseSecondFactorQuery>,
     users: web::Data<Addr<UsersActor>>,
+    force2faauth: Force2FAAuth,
 ) -> impl Responder {
-    if !SessionIdentity(id.as_ref()).need_2fa_auth() {
+    if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
         log::trace!("User does not require 2fa auth, redirecting");
         return redirect_user_for_login(query.redirect.get());
     }
@@ -329,7 +331,7 @@ pub async fn choose_2fa_method(
     // Automatically choose factor if there is only one factor
     if user.get_distinct_factors_types().len() == 1 && !query.force_display {
         log::trace!("User has only one factor, using it by default");
-        return redirect_user(&user.two_factor[0].login_url(&query.redirect));
+        return redirect_user(&user.two_factor[0].login_url(&query.redirect, true));
     }
 
     HttpResponse::Ok().content_type("text/html").body(
@@ -360,6 +362,7 @@ pub struct LoginWithOTPForm {
 }
 
 /// Login with OTP
+#[allow(clippy::too_many_arguments)]
 pub async fn login_with_otp(
     id: Option<Identity>,
     query: web::Query<LoginWithOTPQuery>,
@@ -368,10 +371,11 @@ pub async fn login_with_otp(
     http_req: HttpRequest,
     remote_ip: RemoteIP,
     logger: ActionLogger,
+    force2faauth: Force2FAAuth,
 ) -> impl Responder {
     let mut danger = None;
 
-    if !SessionIdentity(id.as_ref()).need_2fa_auth() {
+    if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
         return redirect_user_for_login(query.redirect.get());
     }
 
@@ -446,8 +450,9 @@ pub async fn login_with_webauthn(
     query: web::Query<LoginWithWebauthnQuery>,
     manager: WebAuthManagerReq,
     users: web::Data<Addr<UsersActor>>,
+    force2faauth: Force2FAAuth,
 ) -> impl Responder {
-    if !SessionIdentity(id.as_ref()).need_2fa_auth() {
+    if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force {
         return redirect_user_for_login(query.redirect.get());
     }