[IMP] auth*: adapt auth_* modules for totp

Prevent non-interactive RPC access when TOTP is enabled, also via external auth services.

[IMP] auth: adapt auth_ modules for totp
7cf64c21 · Olivier Dony · a9a65097 · 7cf64c21 · 7cf64c21
Commit 7cf64c21 authored 4 years ago by Olivier Dony
--- a/addons/auth_ldap/models/res_users.py
+++ b/addons/auth_ldap/models/res_users.py
@@ -32,7 +32,8 @@ class Users(models.Model):
        try:
            return super(Users, self)._check_credentials(password, env)
        except AccessDenied:
-            if self.env.user.active:
+            passwd_allowed = env['interactive'] or not self.env.user._rpc_api_keys_only()
+            if passwd_allowed and self.env.user.active:
                Ldap = self.env['res.company.ldap']
                for conf in Ldap._get_ldap_dicts():
                    if Ldap._authenticate(conf, self.env.user.login, password):

--- a/addons/auth_oauth/models/res_users.py
+++ b/addons/auth_oauth/models/res_users.py
@@ -113,9 +113,12 @@ class ResUsers(models.Model):
        try:
            return super(ResUsers, self)._check_credentials(password, env)
        except AccessDenied:
-            res = self.sudo().search([('id', '=', self.env.uid), ('oauth_access_token', '=', password)])
-            if not res:
-                raise
+            passwd_allowed = env['interactive'] or not self.env.user._rpc_api_keys_only()
+            if passwd_allowed and self.env.user.active:
+                res = self.sudo().search([('id', '=', self.env.uid), ('oauth_access_token', '=', password)])
+                if res:
+                    return
+            raise

    def _get_session_token_fields(self):
        return super(ResUsers, self)._get_session_token_fields() | {'oauth_access_token'}