go-gitea · lafriks · Apr 19, 2019 · Apr 18, 2019 · Apr 18, 2019 · Apr 18, 2019
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
@@ -214,9 +214,10 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 					}
 					return nil, false
 				}
+			} else {
+				ctx.Data["IsApiToken"] = true
 			}
 
-			ctx.Data["IsApiToken"] = true
 			return u, true
 		}
 	}

diff --git a/modules/context/api.go b/modules/context/api.go
@@ -114,6 +114,31 @@ func (ctx *APIContext) RequireCSRF() {
 	}
 }
 
+// CheckForOTP validateds OTP
+func (ctx *APIContext) CheckForOTP() {
+	if ctx.Data["IsApiToken"] == true {
+		return
+	}
+	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
+	twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
+	if err != nil {
+		if models.IsErrTwoFactorNotEnrolled(err) {
+			return // No 2FA enrollment for this user
+		}
+		ctx.Context.Error(500)
+		return
+	}
+	ok, err := twofa.ValidateTOTP(otpHeader)
+	if err != nil {
+		ctx.Context.Error(500)
+		return
+	}
+	if !ok {
+		ctx.Context.Error(401)
+		return
+	}
+}
+
 // APIContexter returns apicontext as macaron middleware
 func APIContexter() macaron.Handler {
 	return func(c *Context) {

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -169,23 +169,26 @@ func repoAssignment() macaron.Handler {
 // Contexter middleware already checks token for user sign in process.
 func reqToken() macaron.Handler {
 	return func(ctx *context.APIContext) {
-		if true == ctx.Data["IsApiToken"] {
+		if true == ctx.Data["IsApiToken"] || ctx.Context.IsBasicAuth {
+			ctx.CheckForOTP()
 			return
 		}
 		if ctx.IsSigned {
 			ctx.RequireCSRF()
+			ctx.CheckForOTP()
 			return
 		}
 		ctx.Context.Error(401)
 	}
 }
 
 func reqBasicAuth() macaron.Handler {
-	return func(ctx *context.Context) {
-		if !ctx.IsBasicAuth {
-			ctx.Error(401)
+	return func(ctx *context.APIContext) {
+		if !ctx.Context.IsBasicAuth {
+			ctx.Context.Error(401)
 			return
 		}
+		ctx.CheckForOTP()
 	}
 }