From 85e839e21d36ac7b7b497a2d2ee8ebf1053f1788 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Mon, 18 Aug 2025 00:03:51 +0200
Subject: [PATCH] fix: require password login for creation of new token

- The creation of new API tokens for users via the API is guarded behind a extra check. This extra makes sure the user is authorized via the reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via password.
- Change error to better indicate what went wrong.
---
 routers/api/v1/api.go | 7 +++++--
 services/auth/basic.go | 1 +
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index ca65148a35..307ed38882 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -414,8 +414,11 @@ func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
 return
 }
- if !ctx.IsBasicAuth {
- ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")
+
+ // Require basic authorization method to be used and that basic
+ // authorization used password login to verify the user.
+ if passwordLogin, ok := ctx.Data["IsPasswordLogin"].(bool); !ok || !passwordLogin {
+ ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth method not allowed")
 return
 }
 }
diff --git a/services/auth/basic.go b/services/auth/basic.go
index f259ad5f69..4ffe712744 100644
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
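Review bot: The new `if passwordLogin, ok := ctx.Data["IsPasswordLogin"].(bool); ...` line drops the former `ctx.IsBasicAuth` check entirely, so the guard now rests on a single string-keyed entry in ctx.Data, while the comment directly above it still promises that basic authorization is required; any future code path that sets that key would satisfy this endpoint without basic auth. Keeping the old clause costs nothing and makes the comment true again: `if passwordLogin, ok := ctx.Data["IsPasswordLogin"].(bool); !ctx.IsBasicAuth || !ok || !passwordLogin {`. The key is also a bare literal repeated in services/auth/basic.go; an exported constant in the auth package (already imported here as `auth`) would keep the producer and consumer from drifting apart. The `ctx.Data["AuthedMethod"].(string)` assertion on the first context line is unchecked and would panic on a missing key, which is pre-existing but worth a `, ok` while this closure is being touched. The enclosing reqBasicOrRevProxyAuth and its returned closure begin before the hunk, and the outer function's closing brace is outside it.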
@@ -151,6 +151,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 log.Trace("Basic Authorization: Logged in user %-v", u)
+ store.GetData()["IsPasswordLogin"] = true
 return u, nil
 }
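Review bot: The added `store.GetData()["IsPasswordLogin"] = true` has no comment saying why its position matters, even though the commit relies on it being reached only after a real password check; a later refactor that moves it above the token branches (which, going by the description, return earlier in Verify — the body starts outside the hunk) would silently reopen the escalation without any test noticing. I would place above it: `// Only set on the password path: reqBasicOrRevProxyAuth (routers/api/v1/api.go) treats this flag as proof the caller authenticated with a password rather than an API/OAuth2 token.` The patch also does not show that `store.GetData()` here and `ctx.Data` read in api.go are the same map; if they are not, the guard can never pass. A pair of integration tests — token creation succeeds with basic-auth credentials and is refused with an API token — would pin both the producer and the consumer of this flag.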