fix(sec): consider webauthn for external login

- Currently during external login (such as OAuth2), if the user is enrolled into Webauthn and not enrolled into TOTP then no 2FA is being done during external login and when account linking is set to `auto` then also during automatic linking. This results in bypassing the 2FA of the user. - Create a new unified function that checks if the user is enrolled into 2FA and use this when necessary. Rename the old `HasTwoFactorByUID` function to `HasTOTPByUID` which is a more appropiate naming. (cherry picked from commit df5d656827) Conflicts: the original commit was trimmed down to be fit for backport
2025-08-04 09:25:22 +02:00 · 2025-04-29 13:06:47 +02:00 · 2025-04-29 13:06:47 +02:00 · 23e6ca0415
commit 23e6ca0415
parent 87de43ba60
9 changed files with 72 additions and 17 deletions
--- a/models/auth/two_factor_test.go
+++ b/models/auth/two_factor_test.go
@ -0,0 +1,35 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+package auth
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHasTwoFactorByUID(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("No twofactor", func(t *testing.T) {
+		ok, err := HasTwoFactorByUID(db.DefaultContext, 2)
+		require.NoError(t, err)
+		assert.False(t, ok)
+	})
+
+	t.Run("WebAuthn credential", func(t *testing.T) {
+		ok, err := HasTwoFactorByUID(db.DefaultContext, 32)
+		require.NoError(t, err)
+		assert.True(t, ok)
+	})
+
+	t.Run("TOTP", func(t *testing.T) {
+		ok, err := HasTwoFactorByUID(db.DefaultContext, 24)
+		require.NoError(t, err)
+		assert.True(t, ok)
+	})
+}