From 51365d066c9eb2955e2e974bb2028242b1089b97 Mon Sep 17 00:00:00 2001
From: NekoGirlSAIKOU
Date: Wed, 28 Aug 2024 18:15:54 +0800
Subject: [PATCH] fix: disallow users with 2FA enabled to access WebDAV

WebDAV server doesn't validate 2FA. This makes 2FA useless to some extent. I think users with 2FA enabled shouldn't access webdav using only password. Although this can be manually solved by changing user permissions, Alist doesn't support to change permissions of admin.

BREAKING CHANGE: Users with 2FA enabled will not be able to access WebDAV.
---
 internal/model/user.go | 4 ++++
 server/webdav.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/model/user.go b/internal/model/user.go
index 2d61a971..172c952f 100644
--- a/internal/model/user.go
+++ b/internal/model/user.go
@@ -56,6 +56,10 @@ func (u *User) IsAdmin() bool {
 	return u.Role == ADMIN
 }
 
+func (u *User) IsOtpEnabled() bool {
+	return u.OtpSecret != ""
+}
+
 func (u *User) ValidateRawPassword(password string) error {
 	return u.ValidatePwdStaticHash(StaticHash(password))
 }
diff --git a/server/webdav.go b/server/webdav.go
index 2b5c9618..b9048077 100644
--- a/server/webdav.go
+++ b/server/webdav.go
@@ -79,7 +79,7 @@ func WebDAVAuth(c *gin.Context) {
 		return
 	}
 	user, err := op.GetUserByName(username)
-	if err != nil || user.ValidateRawPassword(password) != nil {
+	if err != nil || user.IsOtpEnabled() || user.ValidateRawPassword(password) != nil {
 		if c.Request.Method == "OPTIONS" {
 			c.Set("user", guest)
 			c.Next()
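Review bot: The new exported method `IsOtpEnabled` has no doc comment, and since it is now an authorization input for WebDAV the meaning of its test should be stated rather than inferred from the field name. A one-line comment above it, `// IsOtpEnabled reports whether two-factor authentication is configured for the user, i.e. OtpSecret is non-empty.`, would tell callers that an empty secret is the only thing that disables the check. The surrounding User methods in this hunk follow the same undocumented pattern, so this is consistent with the file but still worth adding for a security-relevant predicate.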
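Review bot: With `user.IsOtpEnabled()` folded into the existing condition, a 2FA-enabled account is rejected through the same branch as an unknown user or a wrong password, so nothing on the server side records that the refusal is the new policy rather than a bad credential, which will make the breaking change hard to diagnose for operators. A separate check before the combined condition, e.g. `if err == nil && user.IsOtpEnabled() { /* log that WebDAV is disabled for 2FA accounts, then fall into the existing rejection path */ }`, keeps the client-visible response unchanged while leaving a clear server-side trace. Note also that the new term short-circuits before `ValidateRawPassword`, so the password hash is never compared for such accounts and the response timing differs from the wrong-password case; if that distinction matters, evaluate the password check unconditionally and apply the 2FA policy afterwards. WebDAVAuth begins and ends outside this hunk, so the actual response written in the failure branch is not visible here.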