return 403 if user enables FIDO

2020-05-07 21:54:36 +02:00 · 2020-05-07 21:54:36 +02:00 · f929f23acc
parent 149a06dd68
commit f929f23acc
2 changed files with 4 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -766,6 +766,8 @@ Output:
 The `api_key` is used in all subsequent requests. It's empty if MFA is enabled.
 If user hasn't enabled MFA, `mfa_key` is empty.

+Return 403 if user has enabled FIDO. The client can display a message to suggest user to use the `API Key` instead.
+
 #### POST /api/auth/mfa

 Input:
--- a/app/api/views/auth.py
+++ b/app/api/views/auth.py
@ -55,6 +55,8 @@ def auth_login():
        return jsonify(error="Email or password incorrect"), 400
    elif not user.activated:
        return jsonify(error="Account not activated"), 400
+    elif user.fido_enabled():
+        return jsonify(error="Currently we don't support FIDO on mobile yet"), 403

    return jsonify(**auth_payload(user, device)), 200