Improvement #2475
Updated by liaham 6 months ago
When a user has 2FA enabled, the WebDAV digest won't be created on sign-in, and authentication fails due to the missing digest, as stated below:

``` shell
I, [2024-09-28T12:25:28.170633 #1] INFO -- : Authentication: digest
D, [2024-09-28T12:25:28.181372 #1] DEBUG -- : User Load (1.1ms) SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`login` = 'test_user' LIMIT 1
D, [2024-09-28T12:25:28.182332 #1] DEBUG -- : ↳ plugins/redmine_dmsf/lib/redmine_dmsf/webdav/dmsf_controller.rb:70:in `authenticate'
D, [2024-09-28T12:25:28.184491 #1] DEBUG -- : Token Load (0.7ms) SELECT `tokens`.* FROM `tokens` WHERE `tokens`.`user_id` = 1 AND `tokens`.`action` = 'dmsf_webdav_digest' LIMIT 1
D, [2024-09-28T12:25:28.185237 #1] DEBUG -- : ↳ plugins/redmine_dmsf/lib/redmine_dmsf/webdav/dmsf_controller.rb:79:in `authenticate'
E, [2024-09-28T12:25:28.185446 #1] ERROR -- : Digest authentication: no digest found for test_user
```

The reason is in `RedmineDmsf::Hooks::Controllers::AccountControllerHooks#controller_account_success_authentication_after`, where the digest will be created only if the controller parameter `password` is present. This works for a user authentication with login name and password. A user with 2FA enabled runs differently through the authentication process and does not cross the hook before the 2FA token has been checked. Hence, there won't be a password parameter anymore.

Instead of manipulating controller params to provide the password, I suggest only a slight change in the user's preferences box on my account page: When the user has 2FA enabled and no token is found, the link should not show `reset` but `add`. This would make it more explicit that the token is not expected to exist and can be created if missing.
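The behaviour reported above, modelled as an added example that is not part of the original issue or the plugin's code. It shows why an HTTP Digest credential can only be stored while the plaintext password is available, and how the suggested `add`/`reset` label follows from the token lookup. `DigestStore`, the three functions, the `REALM` value and the `twofa_code` parameter are hypothetical names chosen for the sketch.

```ruby
require 'digest'

REALM = 'example-realm' # placeholder; the plugin's realm string is not on the page

# In-memory stand-in for tokens with action 'dmsf_webdav_digest'.
class DigestStore
  def initialize
    @tokens = {}
  end

  def find(login)
    @tokens[login]
  end

  # HTTP Digest HA1 (RFC 2617) = MD5(login:realm:password); needs the plaintext.
  def create(login, password)
    @tokens[login] = Digest::MD5.hexdigest("#{login}:#{REALM}:#{password}")
  end
end

# Behaviour described in the issue: the hook stores a digest only when the
# request that completes the sign-in still carries a password parameter.
def after_successful_authentication(store, login, params)
  password = params[:password].to_s
  password.empty? ? nil : store.create(login, password)
end

# Suggested label: "add" when 2FA is on and no digest exists, otherwise "reset".
def digest_link_label(store, login, twofa_enabled:)
  twofa_enabled && store.find(login).nil? ? 'add' : 'reset'
end

# Server-side check (RFC 2617 without qop): MD5(HA1:nonce:MD5(method:uri)).
def webdav_authenticate(store, login, method:, uri:, nonce:, response:)
  ha1 = store.find(login)
  return :no_digest if ha1.nil? # the "no digest found" case in the log
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  expected = Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
  # Compare without an early exit on the first differing byte.
  same = expected.bytesize == response.bytesize &&
         expected.bytes.zip(response.bytes).sum { |x, y| x ^ y }.zero?
  same ? :ok : :bad_response
end

if __FILE__ == $PROGRAM_NAME
  store = DigestStore.new
  after_successful_authentication(store, 'test_user', { twofa_code: '123456' }) # constructed input
  puts digest_link_label(store, 'test_user', twofa_enabled: true)
end
```
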