Fix basic auth with webauthn (#32531)

2025-05-28 04:47:31 +08:00 · 2024-11-16 09:52:16 -08:00
parent 5eebe1dc5f
commit c3dedcffa7
2 changed files with 63 additions and 0 deletions
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@ -5,6 +5,7 @@
 package auth

 import (
+	"errors"
 	"net/http"
 	"strings"

@ -141,6 +142,15 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	}

 	if skipper, ok := source.Cfg.(LocalTwoFASkipper); !ok || !skipper.IsSkipLocalTwoFA() {
+		// Check if the user has webAuthn registration
+		hasWebAuthn, err := auth_model.HasWebAuthnRegistrationsByUID(req.Context(), u.ID)
+		if err != nil {
+			return nil, err
+		}
+		if hasWebAuthn {
+			return nil, errors.New("Basic authorization is not allowed while webAuthn enrolled")
+		}
+
 		if err := validateTOTP(req, u); err != nil {
 			return nil, err
 		}