From 53e46fb1a24249dd85b49c214966d85e019cc96c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?= <1682504+fspoettel@users.noreply.github.com>
Date: Mon, 16 Nov 2020 12:27:29 +0100
Subject: [PATCH] Don't check mfa for /munin/* admin routes
---
 management/mfa.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/management/mfa.py b/management/mfa.py
index 32eb5183..9edd0f6c 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -110,6 +110,14 @@ def validate_auth_mfa(email, request, env):
 if len(mfa_state) == 0:
 return (True, [])
 
+ # munin routes are proxied by our control panel. We do not have
+ # full control over their routes so credentials are supplied via
+ # a basic HTTP authentication prompt.
+ # There is neither a way to input a mfa credential there nor can we pass
+ # the user_api_key from localStorage so mfa should be disabled for these routes.
+ if request.full_path.startswith("/munin"):
+ return (True, [])
+
 # Try the enabled MFA modes.
 hints = set()
 for mfa_mode in mfa_state:
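Review bot: The MFA exemption in the added `if request.full_path.startswith("/munin"):` is a bare string-prefix match, so it is wider than the "/munin/*" routes the subject describes: any path beginning with the six characters `/munin` (e.g. a future `/munin-status` or `/muninX` endpoint) would skip the second factor as well, and if `full_path` is Werkzeug's attribute it also carries the query string, which is irrelevant to the decision. Because this branch returns `(True, [])` before any MFA mode is tried, the exemption should be as narrow as the proxied route set, e.g. `if request.path == "/munin" or request.path.startswith("/munin/"):`. It would also help the next reader to state in the comment which check is expected to have already verified the basic-auth password before this function is reached, since that is the only factor left for these routes. The body of `validate_auth_mfa` starts and ends outside the hunk.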