From c4819602ec695c0cf06a3dc6209faa7ae32f079f Mon Sep 17 00:00:00 2001
From: Yang Luo <hsluoyz@qq.com>
Date: Tue, 26 Dec 2023 20:06:27 +0800
Subject: [PATCH] fix: add mfa API to isAllowedInDemoMode()

---
 authz/authz.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authz/authz.go b/authz/authz.go
index 878ca20ab62b..b52c13bd9819 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -150,7 +150,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/callback" || urlPath == "/api/send-verification-code" || urlPath == "/api/send-email" || urlPath == "/api/verify-captcha" || urlPath == "/api/check-user-password" || strings.HasPrefix(urlPath, "/api/mfa/") {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information