2 Factor Authentication isn't required when using REST API, despite being enabled.
I'm building a little iOS app for GitLab (http://www.somerobots.com). Anyway, I've noticed that when authenticating with the REST API, despite having Two Factor Authentication enabled on my account, the REST API does not require my authentication token generated by the Google Authenticator app.
Would love to see this fixed so I can put 2 factor auth in the App.
- Implement "Personal Access Tokens" — The user creates a token (must be logged in, so 2FA rules apply), gives it to the client app, and the client uses that for all API calls. (!3749 (merged))
- Document the planned changes to the API for the next task.
- Update the documentation !4815 (merged)
- Write a blog post
- Disable the "Resource Owner Password Credentials" flow for 2FA users.
- Disable the sessions API for 2FA users.
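
A minimal model of the plan in the task list above, added here as an illustration and not taken from GitLab's code or the original issue: personal access tokens are accepted for API calls, while the two password-only paths (the Resource Owner Password Credentials flow and the sessions API) are refused for users with 2FA enabled. All names (`User`, `issue_personal_access_token`, `authenticate_api`, `sample_users`) and the sample accounts are hypothetical.

```ruby
require "digest"
require "securerandom"

# Hypothetical in-memory model (constructed for illustration, not GitLab's code).
User = Struct.new(:name, :password_digest, :two_factor_enabled, :token_digests)

# Model only: a real server stores passwords with a slow hash such as bcrypt.
def digest(secret)
  Digest::SHA256.hexdigest(secret)
end

# Called only from a logged-in web session, so the 2FA prompt was already passed.
# The raw token is shown to the user once; the server keeps only its digest.
def issue_personal_access_token(user)
  token = SecureRandom.hex(20)
  user.token_digests << digest(token)
  token
end

# Returns [:ok, user_name] or [:denied, reason]. The reason is for server logs;
# the client should receive the same 401 response in every denied case.
def authenticate_api(users, kind, secret:, login: nil)
  case kind
  when :personal_access_token
    user = users.find { |u| u.token_digests.include?(digest(secret)) }
    user ? [:ok, user.name] : [:denied, :unknown_token]
  when :password_grant, :session # ROPC flow and sessions API: password only
    user = users.find { |u| u.name == login }
    return [:denied, :bad_credentials] unless user && user.password_digest == digest(secret)
    return [:denied, :two_factor_requires_token] if user.two_factor_enabled
    [:ok, user.name]
  else
    [:denied, :unsupported_credential]
  end
end

# Constructed sample accounts: alice has 2FA enabled, bob does not.
def sample_users
  [User.new("alice", digest("pw-alice"), true, []),
   User.new("bob", digest("pw-bob"), false, [])]
end
```
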