fix(auth): hide two factor authentication when using non-local user

Resolves https://github.com/go-vikunja/vikunja/issues/431

frontend/src/views/user/Settings.vue

@@ -68,7 +68,7 @@ const navigationItems = computed(() => {
 		{
 			title: t('user.settings.totp.title'),
 			routeName: 'user.settings.totp',
-			condition: totpEnabled.value,
+			condition: totpEnabled.value && isLocalUser.value,
 		},
 		{
 			title: t('user.export.title'),

frontend/src/views/user/settings/TOTP.vue

@@ -1,6 +1,6 @@
 <template>
 	<Card
-		v-if="totpEnabled"
+		v-if="totpEnabled && isLocalUser"
 		:title="$t('user.settings.totp.title')"
 	>
 		<x-button
@@ -108,6 +108,7 @@ import {success} from '@/message'
 
 import {useTitle} from '@/composables/useTitle'
 import {useConfigStore} from '@/stores/config'
+import {useAuthStore} from '@/stores/auth'
 import type {ITotp} from '@/modelTypes/ITotp'
 
 const {t} = useI18n({useScope: 'global'})
@@ -123,20 +124,23 @@ const totpDisableForm = ref(false)
 const totpDisablePassword = ref('')
 
 const configStore = useConfigStore()
+const authStore = useAuthStore()
 const totpEnabled = computed(() => configStore.totpEnabled)
+const isLocalUser = computed(() => authStore.info?.isLocalUser)
 
 totpStatus()
 
 async function totpStatus() {
-	if (!totpEnabled.value) {
+	if (!totpEnabled.value || !isLocalUser.value) {
 		return
 	}
 	try {
-		totp.value = await totpService.get()
+		totp.value = await totpService.get({})
 		totpSetQrCode()
-	} catch(e) {
+	} catch(e: unknown) {
 		// Error code 1016 means totp is not enabled, we don't need an error in that case.
-		if (e.response?.data?.code === 1016) {
+		const err = e as {response?: {data?: {code?: number}}}
+		if (err.response?.data?.code === 1016) {
 			totpEnrolled.value = false
 			return
 		}

pkg/routes/api/v1/user_totp.go

@@ -24,11 +24,11 @@ import (
 	"net/http"
 
 	"code.vikunja.io/api/pkg/db"
-
 	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/api/pkg/web/handler"
+
 	"github.com/labstack/echo/v4"
 )
 
@@ -50,6 +50,11 @@ func UserTOTPEnroll(c echo.Context) error {
 		return handler.HandleHTTPError(err)
 	}
 
+	// Check if the user is a local user
+	if !u.IsLocalUser() {
+		return handler.HandleHTTPError(&user.ErrAccountIsNotLocal{UserID: u.ID})
+	}
+
 	s := db.NewSession()
 	defer s.Close()
 
@@ -87,6 +92,11 @@ func UserTOTPEnable(c echo.Context) error {
 		return handler.HandleHTTPError(err)
 	}
 
+	// Check if the user is a local user
+	if !u.IsLocalUser() {
+		return handler.HandleHTTPError(&user.ErrAccountIsNotLocal{UserID: u.ID})
+	}
+
 	passcode := &user.TOTPPasscode{
 		User: u,
 	}
@@ -145,6 +155,11 @@ func UserTOTPDisable(c echo.Context) error {
 		return handler.HandleHTTPError(err)
 	}
 
+	// Check if the user is a local user
+	if !u.IsLocalUser() {
+		return handler.HandleHTTPError(&user.ErrAccountIsNotLocal{UserID: u.ID})
+	}
+
 	s := db.NewSession()
 	defer s.Close()
 
@@ -190,6 +205,11 @@ func UserTOTPQrCode(c echo.Context) error {
 		return handler.HandleHTTPError(err)
 	}
 
+	// Check if the user is a local user
+	if !u.IsLocalUser() {
+		return handler.HandleHTTPError(&user.ErrAccountIsNotLocal{UserID: u.ID})
+	}
+
 	s := db.NewSession()
 	defer s.Close()
 
@@ -230,6 +250,11 @@ func UserTOTP(c echo.Context) error {
 		return handler.HandleHTTPError(err)
 	}
 
+	// Check if the user is a local user
+	if !u.IsLocalUser() {
+		return handler.HandleHTTPError(&user.ErrAccountIsNotLocal{UserID: u.ID})
+	}
+
 	s := db.NewSession()
 	defer s.Close()