Impact
When logging in via the API (which includes the new React user interface), any MFA (multi-factor authentication) requirements are bypassed, allowing the user to log in without providing additional credentials.
MFA Requirements
InvenTree provides support for multi-factor authentication with 2FA / TOTP integration. This can be enforced on a single user basis (if the user configures MFA) or enforced for all users (via a global configuration option). If either user or global MFA is configured, then the user should not be able to login without providing their MFA credentials.
API Login Endpoint
The /api/auth/login/ endpoint does not observe these requirements, and allows users to log in (and create a new authenticated session) without providing the required authentication tokens.
React (PUI) Interface
The new React interface - also known as the Platform User Interface (PUI) - uses the /api/auth/login/ endpoint to log the user in. Users can log in using only a valid username / password combination - even if MFA is configured.
Fix
The /api/auth/login/ endpoint will be immediately patched to prevent login for users who have MFA configured. This will temporarily mean that the PUI interface cannot be used if users have MFA configured, until a more comprehensive solution is developed.
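The following is an added illustration, not InvenTree's code, of the server-side check the two preceding sections describe: a password-only login handler that creates a session regardless of MFA state, beside a corrected handler that refuses to issue a session until every MFA requirement applying to the user (per-user enrolment or the global option) is satisfied. User records, secrets, passwords and the fixed timestamp are constructed for the demonstration; the TOTP routine follows RFC 6238 with HMAC-SHA1 and is included only so the example runs offline.

```python
"""Added example (not InvenTree code): enforcing MFA in a login handler.

All names, users, secrets and timestamps below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional

SALT = b"constructed-salt"  # constructed; a real hasher uses a per-user random salt


@dataclass
class User:
    username: str
    password_hash: str
    totp_secret: Optional[bytes] = None  # present only if the user has configured MFA


def hash_password(password: str) -> str:
    # Illustrative only; a real application delegates to its framework's password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(password))


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to allow clock drift."""
    return any(hmac.compare_digest(totp(secret, at + i * 30), code)
               for i in range(-window, window + 1))


def login_password_only(users: Dict[str, User], username: str, password: str) -> Optional[str]:
    """The defective pattern the advisory describes: a valid username/password
    pair is enough to create a session, even when MFA is configured."""
    user = users.get(username)
    if user is None or not check_password(user, password):
        return None
    return secrets.token_hex(16)  # session issued without consulting MFA state


def login_enforcing_mfa(users: Dict[str, User], global_mfa_required: bool,
                        username: str, password: str,
                        mfa_code: Optional[str], at: int) -> dict:
    """Corrected pattern: a session is created only once every MFA requirement
    that applies to this user (per-user enrolment or the global option) is met."""
    user = users.get(username)
    if user is None or not check_password(user, password):
        return {"status": "invalid_credentials"}
    mfa_required = global_mfa_required or user.totp_secret is not None
    if not mfa_required:
        return {"status": "ok", "session": secrets.token_hex(16)}
    if user.totp_secret is None:
        # MFA is globally enforced but this user has no enrolled device: no session.
        return {"status": "mfa_enrollment_required"}
    if mfa_code is None:
        return {"status": "mfa_required"}
    if not verify_totp(user.totp_secret, mfa_code, at):
        return {"status": "invalid_mfa_code"}
    return {"status": "ok", "session": secrets.token_hex(16)}


# Constructed sample data for the demonstration.
DEMO_SECRET = b"12345678901234567890"  # the RFC 6238 test-vector secret
USERS = {
    "alice": User("alice", hash_password("correct horse"), totp_secret=DEMO_SECRET),
    "bob": User("bob", hash_password("battery staple")),  # no MFA enrolled
}
DEMO_TIME = 59  # fixed Unix time so results are reproducible


if __name__ == "__main__":
    # The password-only handler lets the MFA-enrolled user straight in.
    print("password-only session issued:",
          login_password_only(USERS, "alice", "correct horse") is not None)
    # The enforcing handler refuses until a valid TOTP code is supplied.
    print(login_enforcing_mfa(USERS, False, "alice", "correct horse", None, DEMO_TIME))
    print(login_enforcing_mfa(USERS, False, "alice", "correct horse",
                              totp(DEMO_SECRET, DEMO_TIME), DEMO_TIME)["status"])
```

The design point is that the MFA decision is made on the server, in the same code path that creates the session, using the user's stored enrolment state and the global option rather than anything the client sends; a client-side prompt (for example in a separate UI) is not a control if the API will hand out a session without it.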
Patches
Security patches will be applied to the following releases:
- 0.16.0 - Upcoming release candidate
- 0.15.2 - Patch will be backported to the 0.15.x branch
- 0.14.6 - Patch will be backported to the 0.14.x branch
Workarounds
None