diff --git a/src/routes/developer.js b/src/routes/developer.js
index f752f6a0e..0269d579f 100644
--- a/src/routes/developer.js
+++ b/src/routes/developer.js
@@ -17,7 +17,7 @@ function login(req, res, next) {
 var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress || null;
- if (user.twoFactorAuthenticationEnabled) {
+ if (!user.ghost && user.twoFactorAuthenticationEnabled) {
 if (!req.body.totpToken) return next(new HttpError(401, 'A totpToken must be provided'));
 let verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken });
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 0e09617c4..545e98f9f 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -286,7 +286,7 @@ function login(req, res) {
 passport.authenticate('local', { failureRedirect: '/api/v1/session/login?' + failureQuery })(req, res, function () {
- if (req.user.twoFactorAuthenticationEnabled) {
+ if (!req.user.ghost && req.user.twoFactorAuthenticationEnabled) {
 if (!req.body.totpToken) {
 let failureQuery = querystring.stringify({ error: 'A 2FA token is required', returnTo: returnTo });
 return res.redirect('/api/v1/session/login?' + failureQuery);
diff --git a/src/users.js b/src/users.js
index f03d5d7be..13730385e 100644
--- a/src/users.js
+++ b/src/users.js
@@ -220,7 +220,10 @@ function verify(userId, password, callback) {
 if (error) return callback(error);
 // for just invited users the username may be still null
- if (user.username && verifyGhost(user.username, password)) return callback(null, user);
+ if (user.username && verifyGhost(user.username, password)) {
+ user.ghost = true;
+ return callback(null, user);
+ }
 var saltBinary = new Buffer(user.salt, 'hex');
 crypto.pbkdf2(password, saltBinary, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, CRYPTO_DIGEST, function (error, derivedKey) {
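Review bot: The new condition `!user.ghost && user.twoFactorAuthenticationEnabled` skips TOTP verification for any `user` object carrying a truthy `ghost` property, and nothing here states where that property comes from or that it is a transient marker rather than a stored field; the same condition appears in the src/routes/oauth2.js hunk. A comment would make the intent reviewable, e.g. `// user.ghost is set transiently by users.verify() when the ghost (recovery) password matched; such logins skip 2FA by design` — the recovery purpose is inferred from the name, so confirm the wording. Tightening the test to `user.ghost === true` would keep a non-boolean truthy value (a stored column or a merged request field, should the record ever pick one up) from disabling the second factor. If the `ip` computed on the previous line feeds a login audit event further down in login(), that event should also record that the ghost path was used so recovery logins can be told apart when reviewing logs. login()'s body continues outside the hunk.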
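Review bot: `req.user.ghost` here relies on `req.user` being the very object that users.verify() tagged on the ghost path, handed through the 'local' strategy and the login step unchanged; the flag is not persisted, so a user loaded from the session on a later request will not carry it, which is the desired behaviour but is worth stating next to the check. Suggested comment above the condition: `// ghost is only set on the in-memory user verified in this request (users.verify); it is never read back from the session or database`. If the strategy or a serializer copies the record into a fresh object the flag is lost and the `!req.user.ghost` test re-enables the TOTP requirement, which is the safe direction. The enclosing passport callback continues outside the hunk.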
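Review bot: `user.ghost = true` is written onto the database record object that verify() then hands to its callback, so the marker travels with that object into whatever the caller does with it — session serialisation, API responses or a later full-record update — and any of those could expose or persist a field that is meant to be request-scoped. If an update path ever writes the whole object back, a stored truthy `ghost` would, given the checks in the route hunks, silently disable 2FA for that account on subsequent logins; whether the storage layer filters unknown fields is not visible here, so confirm it. A less leaky shape is to keep the flag out of the record, e.g. pass it to the callback as a separate value, but that changes the callback contract for every caller; at minimum mark the property where it is set: `user.ghost = true; // transient: recovery-password login, never persisted`. verify() continues outside the hunk on both sides.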