disable basic auth for uploads if 2fa enabled

Author: ewdurbin

warehouse/accounts/__init__.py

@@ -32,7 +32,7 @@
     database_login_factory,
 )
 from warehouse.email import send_password_compromised_email_hibp
-from warehouse.errors import BasicAuthBreachedPassword
+from warehouse.errors import BasicAuthBreachedPassword, BasicAuthTwoFactorEnabled
 from warehouse.macaroons.auth_policy import (
     MacaroonAuthenticationPolicy,
     MacaroonAuthorizationPolicy,
@@ -73,6 +73,14 @@ def _basic_auth_login(username, password, request):
             raise _format_exc_status(
                 BasicAuthBreachedPassword(), breach_service.failure_message_plain
             )
+        elif login_service.has_two_factor(user.id):
+            raise _format_exc_status(
+                BasicAuthTwoFactorEnabled(),
+                (
+                    f"User {user.username} has two factor auth enabled, "
+                    "an API Token must be used to upload in place of password."
+                )
+            )
         elif login_service.check_password(
             user.id, password, tags=["method:auth", "auth_method:basic"]
         ):

warehouse/errors.py

@@ -18,6 +18,10 @@ class BasicAuthBreachedPassword(HTTPUnauthorized):
     pass
 
 
+class BasicAuthTwoFactorEnabled(HTTPUnauthorized):
+    pass
+
+
 class WarehouseDenied(Denied):
     def __new__(cls, s, *args, reason=None, **kwargs):
         inner = super().__new__(cls, s, *args, **kwargs)