Disable webdav for users that have 2fa enabled

Is there a way to disallow webdav access for users that have 2fa enabled on their account?

I couldn’t find any configuration to allow this kind of behaviour so I’d better code it myself.

I know I need to check for the existence of 2FA devices in SeafileDomainController.authDomainUser for the specified user; I don’t know however how to approach it, since CcnetThreadedRpcClient has no methods that would allow the server to check that.

Maybe the Web API can help?


Hi,

I would like to ask when webdav access via normal password is disabled if 2FA is used.

@daniel.pan Back in October 2019 you announced this would come with 7.1.
See https://github.com/haiwen/seafile/issues/2017#issuecomment-540302623

My server runs with Seafile Pro 7.1.7. Even if I set ENABLE_WEBDAV_SECRET = True
I am able to login with normal user credentials.

This feature seems to be not implemented yet?


This feature is not implemented yet as very few people need this.

I don’t understand your argument here.
Obviously there was some demand over the last two years.
Furthermore, the basic structures for a separate password are already implemented for SSO users.
Alternatively you can just disable webdav for users who enabled 2fa, as you announced.

For me it leaves a bitter taste if a feature is announced with concrete release information but then doesn’t get implemented.


Thanks for your feedback. We will add this feature definitely in version 8.0.


@daniel.pan can you please add this to the 8.0.x changelog? While I really like this feature, it’s an important change and breaking for some users, e.g. two-factor auth is enabled, so no access to webdav.
It should at least be mentioned in the changelog.

Please make this behaviour configurable. At the moment I’m stuck on 7.1.8 because this change breaks my main use case. And yes, I do understand the related security issue.

Many thanks!

Would love to see a way to continue using webdav while using 2FA… perhaps with app specific passwords? It is odd to be forced to choose between webdav and higher security via 2FA. There are plenty of use cases where both 2FA and webdav are desired. Thanks.
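The first post asks how a WebDAV domain controller could refuse password logins for users who have 2FA devices, and the post above asks for app-specific passwords so that 2FA and WebDAV can coexist. The following is an added illustration of that decision logic, not Seafile’s own SeafileDomainController or seafdav code. It assumes a hypothetical `lookup` callback that returns a user record (Seafile would consult its own database or RPC layer), stores plain sample passwords only for the sake of a self-contained run, and makes the “block 2FA users” behaviour a switch so the policy can be turned off, as several posters request.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    """Constructed sample user record (a real server stores password hashes)."""
    username: str
    password: str
    webdav_secret: Optional[str] = None   # optional app-specific WebDAV password
    two_factor_enabled: bool = False


class WebDavAuthPolicy:
    """Decide whether a WebDAV login is accepted.

    auth_domain_user() mirrors the shape of a WsgiDAV-style authDomainUser()
    hook (realm, username, password, environ), but this class is an
    illustration written for this thread, not Seafile's implementation.
    """

    def __init__(self, lookup: Callable[[str], Optional[Account]],
                 block_2fa_users: bool = True):
        self.lookup = lookup              # hypothetical user lookup hook
        self.block_2fa_users = block_2fa_users

    def auth_domain_user(self, realm: str, username: str, password: str,
                         environ: Optional[dict] = None) -> bool:
        acct = self.lookup(username)
        if acct is None:
            return False

        # 1. If the user has set a dedicated WebDAV secret, only that secret
        #    is accepted. The account password is never valid on WebDAV then,
        #    so a leaked WebDAV client config cannot be used for a full login,
        #    and a 2FA user keeps WebDAV without weakening their main account.
        if acct.webdav_secret is not None:
            return hmac.compare_digest(acct.webdav_secret, password)

        # 2. No secret configured: a plain password login on WebDAV would
        #    bypass the second factor, so refuse it for 2FA users when the
        #    policy says so.
        if acct.two_factor_enabled and self.block_2fa_users:
            return False

        # 3. Ordinary user: constant-time password comparison.
        return hmac.compare_digest(acct.password, password)


def make_demo_policy(block_2fa_users: bool = True) -> WebDavAuthPolicy:
    """Build a policy over constructed sample accounts for a stand-alone run."""
    accounts = {
        "alice": Account("alice", "alice-pw", two_factor_enabled=True),
        "bob":   Account("bob", "bob-pw", webdav_secret="bob-dav-secret",
                         two_factor_enabled=True),
        "carol": Account("carol", "carol-pw"),
    }
    return WebDavAuthPolicy(accounts.get, block_2fa_users=block_2fa_users)


if __name__ == "__main__":
    policy = make_demo_policy()
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("bob", "bob-dav-secret"), ("carol", "carol-pw")]:
        print(user, pw, "->", policy.auth_domain_user("seafdav", user, pw))
```

With the default policy, alice (2FA, no secret) is refused, bob (2FA plus a WebDAV secret) is accepted only with the secret and never with his account password, and carol (no 2FA) logs in as before; constructing the policy with `block_2fa_users=False` restores the old behaviour for alice.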

I agree that this should be configurable.

The setup that I had was to configure the front-end proxy (Apache in my case but the same could be achieved via nginx) so that webdav access was limited to a library called webdav. So if 2FA was enabled this would apply to all files stored in all other libraries but where an application required webdav it could still be used by using the “special” (lower security) webdav library.

8.x breaks this approach.

Matthew

Just to explain my setup. Instead of using the following in the Apache setup:

<Location /seafdav>
    ProxyPass "http://127.0.0.1:8080/seafdav"
</Location>

I’ve used the following:

<Location /seafdav/webdav>
    ProxyPass "http://127.0.0.1:8080/seafdav/webdav"
</Location>

This means that only the library called “webdav” in a users account is accessible via webdav so for a user with 2FA available all other libraries require 2FA to access, whereas only files in the webdav library can be accessed in a way which bypasses the 2FA (viz via webdav).

The same should be achievable in nginx by changing:

location /seafdav {
    proxy_pass         http://127.0.0.1:8080/seafdav;
}

to

location /seafdav/webdav {
    proxy_pass         http://127.0.0.1:8080/seafdav/webdav;
}

(but I’ve not tested this).

A better approach would be to allow webdav to be enabled on a library-by-library basis. However, this would require some additional development work rather than a quick fix in the proxy config, perhaps with the ability for an admin to control/limit this via some policy config.

In any case, the heavy-handed approach of just disabling webdav for 2FA accounts is undesirable, so I would classify this as a bug in 8.x!

Matthew


This will be added in the next release.


Glad to hear. The way it should be! :wink: