Enable app-specific password authentication for API login
authorHypolite Petovan <hypolite@mrpetovan.com>
Mon, 22 Jul 2019 11:56:36 +0000 (07:56 -0400)
committerHypolite Petovan <hypolite@mrpetovan.com>
Mon, 22 Jul 2019 11:56:36 +0000 (07:56 -0400)
include/api.php
src/Model/User.php

index 51ca1e4e17b794c7ba687e03b1c04891dc60c68a..b1bb49c517116b6c31841169bd65f1811c0ffd1e 100644 (file)
@@ -236,7 +236,7 @@ function api_login(App $a)
        if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) {
                $record = $addon_auth['user_record'];
        } else {
-               $user_id = User::authenticate(trim($user), trim($password));
+               $user_id = User::authenticate(trim($user), trim($password), true);
                if ($user_id !== false) {
                        $record = DBA::selectFirst('user', [], ['uid' => $user_id]);
                }
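Review bot: The new `true` on the `User::authenticate` call is an unexplained positional boolean; a reader of api_login cannot tell from this line that it switches password verification to app-specific passwords for accounts with verified two-factor authentication. A one-line comment above the call would carry that intent, e.g. `// Third-party client: accounts with verified 2FA are authenticated via an app-specific password only`. The surrounding `else` branch also keeps calling a method that its own docblock marks `@deprecated` in favour of `getIdFromPasswordAuthentication()`, which would let this code surface the thrown failure reason instead of a bare `false`. The enclosing function api_login starts before this hunk.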
index de6931052f50bb3c46a302fd654a921ff50be399..141ecf059802d88d7956801262b593e6ec8c925d 100644 (file)
@@ -17,6 +17,7 @@ use Friendica\Core\System;
 use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\Model\Photo;
+use Friendica\Model\TwoFactor\AppSpecificPassword;
 use Friendica\Object\Image;
 use Friendica\Util\Crypto;
 use Friendica\Util\DateTimeFormat;
@@ -267,17 +268,18 @@ class User
        /**
         * Authenticate a user with a clear text password
         *
-        * @brief Authenticate a user with a clear text password
-        * @param mixed $user_info
+        * @brief      Authenticate a user with a clear text password
+        * @param mixed  $user_info
         * @param string $password
+        * @param bool   $third_party
         * @return int|boolean
         * @deprecated since version 3.6
-        * @see User::getIdFromPasswordAuthentication()
+        * @see        User::getIdFromPasswordAuthentication()
         */
-       public static function authenticate($user_info, $password)
+       public static function authenticate($user_info, $password, $third_party = false)
        {
                try {
-                       return self::getIdFromPasswordAuthentication($user_info, $password);
+                       return self::getIdFromPasswordAuthentication($user_info, $password, $third_party);
                } catch (Exception $ex) {
                        return false;
                }
@@ -287,16 +289,22 @@ class User
         * Returns the user id associated with a successful password authentication
         *
         * @brief Authenticate a user with a clear text password
-        * @param mixed $user_info
+        * @param mixed  $user_info
         * @param string $password
+        * @param bool   $third_party
         * @return int User Id if authentication is successful
         * @throws Exception
         */
-       public static function getIdFromPasswordAuthentication($user_info, $password)
+       public static function getIdFromPasswordAuthentication($user_info, $password, $third_party = false)
        {
                $user = self::getAuthenticationInfo($user_info);
 
-               if (strpos($user['password'], '$') === false) {
+               if ($third_party && PConfig::get($user['uid'], '2fa', 'verified')) {
+                       // Third-party apps can't verify two-factor authentication, we use app-specific passwords instead
+                       if (AppSpecificPassword::authenticateUser($user['uid'], $password)) {
+                               return $user['uid'];
+                       }
+               } elseif (strpos($user['password'], '$') === false) {
                        //Legacy hash that has not been replaced by a new hash yet
                        if (self::hashPasswordLegacy($password) === $user['password']) {
                                self::updatePasswordHashed($user['uid'], self::hashPassword($password));
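Review bot: In the new `$third_party` branch a failed `AppSpecificPassword::authenticateUser()` check has no explicit outcome: the branch falls through past the `elseif` chain to whatever follows it, which lies outside this hunk and has to be the "login failed" throw for the primary password to stay rejected for 2FA-enabled accounts on third-party logins. Making that explicit, for example `throw new Exception('Login failed');` after the inner `if` (or a comment stating that fall-through is intended to reach the final throw), keeps the security property from depending on the tail of the function. The new `@param bool $third_party` tag, here and in the `authenticate()` docblock of the previous hunk, has no description; suggested text: `@param bool $third_party Caller cannot complete two-factor authentication; when true and 2FA is verified for the account, only an app-specific password is accepted`. getIdFromPasswordAuthentication continues beyond this hunk.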