Don't check mfa for /munin/* admin routes

2025-04-19 02:42:15 +00:00 · 2020-11-16 12:27:29 +01:00 · 2020-11-16 12:27:29 +01:00 · 53e46fb1a2
commit 53e46fb1a2
parent 7fd35bbd11
1 changed files with 8 additions and 0 deletions
--- a/management/mfa.py
+++ b/management/mfa.py
@ -110,6 +110,14 @@ def validate_auth_mfa(email, request, env):
 	if len(mfa_state) == 0:
 		return (True, [])

+	# munin routes are proxied by our control panel. We do not have
+	# full control over their routes so credentials are supplied via
+	# a basic HTTP authentication prompt.
+	# There is neither a way to input a mfa credential there nor can we pass
+	# the user_api_key from localStorage so mfa should be disabled for these routes.
+	if request.full_path.startswith("/munin"):
+		return (True, [])
+
 	# Try the enabled MFA modes.
 	hints = set()
 	for mfa_mode in mfa_state: