Merge pull request from GHSA-2crp-q9pc-457j (#7320)

* Merge pull request from GHSA-2crp-q9pc-457j * ensure API login only works if mfa is not required * add migration to log out users * add migration to clear users * Use `UV_SYSTEM_PYTHON` to allow the system Python interpreter instead of `VIRTUAL_ENV` (#7317) * Fix docs links - pin to same branch * Handle exception on migration * Make migration non-atomic --------- Co-authored-by: Matthias Mair <code@mjmair.com> Co-authored-by: Zanie Blue <contact@zanie.dev>
2025-08-07 12:22:11 +00:00 · 2024-05-24 23:36:00 +10:00
parent 9eccf69456
commit ea7aa93a28
19 changed files with 71 additions and 22 deletions
--- a/src/backend/InvenTree/users/api.py
+++ b/src/backend/InvenTree/users/api.py
@@ -3,11 +3,12 @@
 import datetime
 import logging

-from django.contrib.auth import get_user, login
+from django.contrib.auth import get_user, login, logout
 from django.contrib.auth.models import Group, User
 from django.urls import include, path, re_path
 from django.views.generic.base import RedirectView

+from allauth.account.adapter import get_adapter
 from dj_rest_auth.views import LoginView, LogoutView
 from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_view
 from rest_framework import exceptions, permissions
@@ -17,6 +18,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView

 import InvenTree.helpers
+from common.models import InvenTreeSetting
 from InvenTree.filters import SEARCH_ORDER_FILTER
 from InvenTree.mixins import (
    ListAPI,
@@ -216,7 +218,22 @@ class GroupList(ListCreateAPI):
 class Login(LoginView):
    """API view for logging in via API."""

-    ...
+    def process_login(self):
+        """Process the login request, ensure that MFA is enforced if required."""
+        # Normal login process
+        ret = super().process_login()
+
+        # Now check if MFA is enforced
+        user = self.request.user
+        adapter = get_adapter(self.request)
+
+        # User requires 2FA or MFA is enforced globally - no logins via API
+        if adapter.has_2fa_enabled(user) or InvenTreeSetting.get_setting(
+            'LOGIN_ENFORCE_MFA'
+        ):
+            logout(self.request)
+            raise exceptions.PermissionDenied('MFA required for this user')
+        return ret


@extend_schema_view(
--- a/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
+++ b/src/backend/InvenTree/users/migrations/0011_auto_20240523_1640.py
@@ -0,0 +1,31 @@
+# Generated by Django 4.2.12 on 2024-05-23 16:40
+
+from importlib import import_module
+
+from django.conf import settings
+from django.db import migrations
+
+
+def clear_sessions(apps, schema_editor):
+    """Clear all user sessions."""
+
+    try:
+        engine = import_module(settings.SESSION_ENGINE)
+        engine.SessionStore.clear_expired()
+        print('Cleared all user sessions to deal with GHSA-2crp-q9pc-457j')
+    except Exception:
+        # Database may not be ready yet, so this does not matter anyhow
+        pass
+class Migration(migrations.Migration):
+
+    atomic = False
+
+    dependencies = [
+        ("users", "0010_alter_apitoken_key"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            clear_sessions, reverse_code=migrations.RunPython.noop,
+        )
+    ]