API / Auth: Require OTP if Enforce TFA is enabled

[joselcvarela]

While doing some tests I have enabled "Require 2FA" under the role page.
Then I have tried to login with a user via API under this role and it worked.

I was expecting that to not work, as I have enabled the Require 2FA.
Although the login worked expected.

In this PR we fix this behaviour so if Required 2FA is enabled on role, then an otp will be required on login.

Scope

What's changed:

• Require OTP on login endpoint if role enforces 2FA

Potential Risks / Drawbacks

• People thinking that MFA only applies to App and not API might have issues as otp field is now required per role conditions.

Review Notes / Questions

• N/A

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9d67fbf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[paescuj]

@joselcvarela Hmm, it seems like the previous check was designed that way in order to still allow users to login and thus being able to set-up 2FA after role setting has been changed to "Require 2FA". Such users are currently redirected by the App:

directus/app/src/router.ts

Lines 140 to 142 in dfe6cca

	if (userStore.currentUser.role.enforce_tfa && userStore.currentUser.tfa_secret === null) {
	if (userStore.currentUser.last_page === to.fullPath) {
	return '/tfa-setup';

So maybe instead of adjusting the login method, we can block all routes except for /users/me/tfa/* via a middleware, as long as a user hasn't set-up 2FA yet?

[br41nslug]

As Pascal mentioned the user still working after toggling the "require 2fa" options is very much intentional until the first time the user logs into the App to actually configure 2fa since we cannot ask for otp codes before they have been set up.

[br41nslug]

Looking back on this, the current solution blocks all logins when the "require TFA" is enabled for a role preventing users from logging into the app and setting up TFA which isnt ideal. The desired flow here is:

• when logging in using the App you get redirected to the TFA setup
• when logging in using the Api you get an error instructing you to set up TFA by logging into the App (as blindly redirecting may break server api interaction in unforeseen ways)
• We should probably document the API only flow for configuring TFA for "No App Access" + "Require TFA" roles