Block API access when 2FA is required on account; closes #2791

2026-04-24 09:13:45 +02:00 · 2020-12-06 13:56:14 -08:00
parent 5d23d894ae
commit d22456d9ca
8 changed files with 101 additions and 40 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -84,6 +84,12 @@ class Kernel extends HttpKernel
            SubstituteClientApiBindings::class,
            'api..key:' . ApiKey::TYPE_ACCOUNT,
            AuthenticateIPAccess::class,
+            // This is perhaps a little backwards with the Client API, but logically you'd be unable
+            // to create/get an API key without first enabling 2FA on the account, so I suppose in the
+            // end it makes sense.
+            //
+            // You just wouldn't be authenticating with the API by providing a 2FA token.
+            RequireTwoFactorAuthentication::class,
        ],
        'daemon' => [
            SubstituteBindings::class,