# HG changeset patch
# User RhodeCode Admin
# Date 2024-04-24 09:13:35
# Node ID 6dc425cb765bc82b591edaf59a3b461614afd3e2
# Parent cab08940abd077e20f8a7c52925acfdb6d0464aa
fix(2fa): fixed redirect loop in workflow when password reset was done.
diff --git a/rhodecode/apps/_base/__init__.py b/rhodecode/apps/_base/__init__.py
--- a/rhodecode/apps/_base/__init__.py
+++ b/rhodecode/apps/_base/__init__.py
@@ -144,6 +144,7 @@ class BaseAppView(object):
 skip_user_views = [
 "logout",
 "login",
+ "check_2fa",
 "my_account_password",
 "my_account_password_update",
 ]
diff --git a/rhodecode/lib/middleware/vcs.py b/rhodecode/lib/middleware/vcs.py
--- a/rhodecode/lib/middleware/vcs.py
+++ b/rhodecode/lib/middleware/vcs.py
@@ -26,6 +26,7 @@ import urllib.parse
 from webob.exc import HTTPNotFound
 import rhodecode
+from rhodecode.apps._base import ADMIN_PREFIX
 from rhodecode.lib.middleware.utils import get_path_info
 from rhodecode.lib.middleware.appenlight import wrap_in_appenlight_if_enabled
 from rhodecode.lib.middleware.simplegit import SimpleGit, GIT_PROTO_PAT
@@ -164,14 +165,18 @@ def detect_vcs_request(environ, backends
 # login
 "_admin/login",
+ # 2fa
+ f"{ADMIN_PREFIX}/check_2fa",
+ f"{ADMIN_PREFIX}/setup_2fa",
+
 # _admin/api is safe too
- '_admin/api',
+ f'{ADMIN_PREFIX}/api',
 # _admin/gist is safe too
- '_admin/gists++',
+ f'{ADMIN_PREFIX}/gists++',
 # _admin/my_account is safe too
- '_admin/my_account++',
+ f'{ADMIN_PREFIX}/my_account++',
 # static files no detection
 '_static++',
@@ -180,11 +185,11 @@ def detect_vcs_request(environ, backends
 '_debug_toolbar++',
 # skip ops ping, status
- '_admin/ops/ping',
- '_admin/ops/status',
+ f'{ADMIN_PREFIX}/ops/ping',
+ f'{ADMIN_PREFIX}/ops/status',
 # full channelstream connect should be VCS skipped
- '_admin/channelstream/connect',
+ f'{ADMIN_PREFIX}/channelstream/connect',
 '++/repo_creating_check'
 ]
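Review bot: In the `skip_user_views` hunk of rhodecode/apps/_base/__init__.py only `check_2fa` is exempted, although the vcs.py list in this same commit treats `check_2fa` and `setup_2fa` as a pair. The code that consumes `skip_user_views` lies outside the hunk; if it is the forced-password-change redirect the commit message refers to, a user who must both change a password and enrol in 2FA may presumably still loop on `setup_2fa`, so either add `"setup_2fa",` next to the new entry or record why it is left out. Every name in this list is a view that bypasses a gate, so the entry deserves a comment such as `# 2FA check must stay reachable during a forced password change, otherwise the two redirects loop`. A regression test for the password-reset plus 2FA flow would keep the list from growing by trial and error.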
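Review bot: The new `f"{ADMIN_PREFIX}/…"` entries in the `detect_vcs_request` hunk at -164 of rhodecode/lib/middleware/vcs.py equal the literals they replace only if `ADMIN_PREFIX` is exactly `_admin` with no leading slash, and its definition is not visible in this diff. The unchanged neighbour `"_admin/login",` carries no slash, so if the constant is a route prefix beginning with `/`, the rewritten entries (api, gists, my_account here; ops/ping, ops/status and channelstream/connect in the hunk at -180) would presumably stop matching and those requests would fall through to VCS detection. Please confirm the value, normalise it once if needed (for example `admin_prefix = ADMIN_PREFIX.lstrip('/')` above the list), and convert `"_admin/login",` to the same form so the list stays consistent. The comments such as `# _admin/api is safe too` still hard-code the old prefix. The list and the function body start and end outside both hunks.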