mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-08-30 22:23:53 +00:00
Code Issues Projects Releases Packages Wiki Activity

feat: Global 2FA enforcement (#8753)

Browse source 
resolves #8549

This PR add a config to enforce 2FA for the whole Forgejo instance. It can be configured to `none`, `admin` or `all`.
A user who is required to enable 2FA is like a disabled user. He can only see the `/user/settings/security`-Page to enable 2FA, this should be similar to a user which needs to change his password. Also api and git-commands are not allowed.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

I will do it, if the general idea of this PR is a good feature.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8753): <!--number 8753 --><!--line 0 --><!--description R2xvYmFsIDJGQSBlbmZvcmNlbWVudA==-->Global 2FA enforcement<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8753
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Ellen Εμιλία Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
This commit is contained in:
zokki 2025-08-15 10:56:45 +02:00 committed by Earl Warren
commit d6838462b8
29 changed files with 1179 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

18
services/context/context_response.go
View file

@ -17,6 +17,7 @@ import (
"syscall"
"time"
"forgejo.org/models/auth"
user_model "forgejo.org/models/user"
"forgejo.org/modules/base"
"forgejo.org/modules/httplib"
@ -129,6 +130,21 @@ func (ctx *Context) RenderWithErr(msg any, tpl base.TplName, form any) {
ctx.HTML(http.StatusOK, tpl)
}
// validateTwoFactorRequirement sets ctx-data to hide/show ui-elements depending on the GlobalTwoFactorRequirement
func (ctx *Context) validateTwoFactorRequirement() {
if ctx.Doer == nil || !ctx.Doer.MustHaveTwoFactor() {
return
}
hasTwoFactor, err := auth.HasTwoFactorByUID(ctx, ctx.Doer.ID)
if err != nil {
log.ErrorWithSkip(2, "Error getting 2fa: %s", err)
// fallthrough to set the variables
}
ctx.Data["MustEnableTwoFactor"] = !hasTwoFactor
ctx.Data["HideNavbarLinks"] = !hasTwoFactor
}
// NotFound displays a 404 (Not Found) page and prints the given error, if any.
func (ctx *Context) NotFound(logMsg string, logErr error) {
ctx.notFoundInternal(logMsg, logErr)
@ -156,6 +172,7 @@ func (ctx *Context) notFoundInternal(logMsg string, logErr error) {
return
}
ctx.validateTwoFactorRequirement()
ctx.Data["IsRepo"] = ctx.Repo.Repository != nil
ctx.Data["Title"] = ctx.Locale.TrString("error.not_found.title")
ctx.HTML(http.StatusNotFound, tplStatus404)
@ -181,6 +198,7 @@ func (ctx *Context) serverErrorInternal(logMsg string, logErr error) {
}
}
ctx.validateTwoFactorRequirement()
ctx.HTML(http.StatusInternalServerError, tplStatus500)
}