Urdr bypasses 2FA upon basic auth

[jonandernovella]

Describe the bug

When 2FA is enabled on your Redmine account, urdr allows you to bypass this using simple username and password login.

Steps to reproduce

1. Enable 2FA on a Redmine account
2. Log in to urdr. No 2FA required. An api token is given to the urdr user which can be used to report time

[viklund]

So if it's possible to login with only password using the API when 2FA is enabled in redmine then it's a redmine bug.

I don't quite remember how urdr authenticates against redmine, but it could be interesting to know if it's the same behaviour if it's a new user to urdr that have 2 factor enabled.

In any case, this has a low priority.

[jonandernovella]

Related to https://www.redmine.org/issues/35001

[jonandernovella]

@viklund As of Redmine version 5 (https://github.com/redmine/redmine/releases/tag/5.0.2) users with 2FA enabled on Redmine will not be able to authenticate using basic authentication with username and password.

Urdr users with active sessions will still be able to use the system but afterwards urdr will presumably not be usable by users with 2FA enabled.

[viklund]

I'm currently working on getting Redmine v5 working. Though there are some problems with a few plugins. I guess you'll have to disable 2fa before using urdr?

[jonandernovella]

I'm currently working on getting Redmine v5 working. Though there are some problems with a few plugins. I guess you'll have to disable 2fa before using urdr?

I think I will create an issue to implement 2FA on urdr. Feel free to downprioritise it :)

[jonandernovella]

#560 should address this issue