• Robert Speicher's avatar
    Merge branch '2fa-api-check' into 'master' · 220755f5
    Robert Speicher authored
    2FA checks for API workflows
    
    ## What does this MR do?
    
    It adds a check to the API `/session` endpoint that will deny authentication requests to users that have 2FA enabled. In the error message it will instruct them to use a Personal Access Token instead.
    
    It adds a check to the `/oauth/token` endpoint, when `grant_type: 'password'` is used, so that no OAuth2 access token can be generated if the user has 2FA enabled. This endpoint should not be used by OAuth applications, anyway. OAuth apps should follow the flow of redirecting the user to GitLab, where 2FA access restrictions apply and logging them in there. Once successfully authenticated, the OAuth token is passed to the client.
    
    ## Why was this MR needed?
    
    No 2FA check on API endpoints.
    
    ## What are the relevant issue numbers?
    
    Fixes #2979
    
    See merge request !5820
    220755f5
session_spec.rb 3.11 KB