fix: disallow users with 2FA enabled to access WebDAV

WebDAV server doesn't validate 2FA. This makes 2FA useless to some extent. I think users with 2FA enabled shouldn't access webdav using only password. Although this can be manually solved by changing user permissions, Alist doesn't support to change permissions of admin. BREAKING CHANGE: Users with 2FA enabled will not be able to access WebDAV.
2024-08-28 18:15:54 +08:00 · 2024-08-28 18:15:54 +08:00 · 51365d066c
parent b910b8917f
commit 51365d066c
2 changed files with 5 additions and 1 deletions
--- a/internal/model/user.go
+++ b/internal/model/user.go
@ -56,6 +56,10 @@ func (u *User) IsAdmin() bool {
 	return u.Role == ADMIN
 }

+func (u *User) IsOtpEnabled() bool {
+	return u.OtpSecret != ""
+}
+
 func (u *User) ValidateRawPassword(password string) error {
 	return u.ValidatePwdStaticHash(StaticHash(password))
 }
--- a/server/webdav.go
+++ b/server/webdav.go
@ -79,7 +79,7 @@ func WebDAVAuth(c *gin.Context) {
 		return
 	}
 	user, err := op.GetUserByName(username)
-	if err != nil || user.ValidateRawPassword(password) != nil {
+	if err != nil || user.IsOtpEnabled() || user.ValidateRawPassword(password) != nil {
 		if c.Request.Method == "OPTIONS" {
 			c.Set("user", guest)
 			c.Next()