Merge pull request #1247 from ScilifelabDataCentre/twofactor

Temporary / additional fix for deactivation of TOTP
ScilifelabDataCentre · Aug 18, 2022 · c005f18 · c005f18
2 parents efa0cba + 81381fb
commit c005f18
Show file tree

Hide file tree

Showing 6 changed files with 459 additions and 269 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -125,3 +125,7 @@ Please add a _short_ line describing the PR you make, if the PR implements a spe
 - Do not send one time code to email if the email 2fa is getting activated ([#1236](https://github.com/ScilifelabDataCentre/dds_web/pull/1236))
 - Raise AccessDeniedError with message when token specified but user not existent ([#1235](https://github.com/ScilifelabDataCentre/dds_web/pull/1235))
 - Display multiple MOTDS ([#1212](https://github.com/ScilifelabDataCentre/dds_web/pull/1212))
+
+## Sprint (2022-08-18 - 2022-09-02)
+
+- Allow Super Admins to deactivate user 2FA via authenticator app ([#1247](https://github.com/ScilifelabDataCentre/dds_web/pull/1247))
diff --git a/dds_web/api/__init__.py b/dds_web/api/__init__.py
@@ -81,6 +81,9 @@ def output_json(data, code, headers=None):
 api.add_resource(superadmin_only.AllUnits, "/unit/info/all", endpoint="all_units")
 api.add_resource(superadmin_only.MOTD, "/motd", endpoint="motd")
 api.add_resource(superadmin_only.FindUser, "/user/find", endpoint="find_user")
+api.add_resource(
+    superadmin_only.ResetTwoFactor, "/user/totp/deactivate", endpoint="reset_user_hotp"
+)
 
 # Invoicing ############################################################################ Invoicing #
 api.add_resource(user.ShowUsage, "/usage", endpoint="usage")
diff --git a/dds_web/api/superadmin_only.py b/dds_web/api/superadmin_only.py
@@ -152,3 +152,33 @@ def get(self):
         return {
             "exists": models.User.query.filter_by(username=user_to_find).one_or_none() is not None
         }
+
+
+class ResetTwoFactor(flask_restful.Resource):
+    """Deactivate TOTP and activate HOTP for other user, e.g. if phone lost."""
+
+    @auth.login_required(role=["Super Admin"])
+    @logging_bind_request
+    @json_required
+    @handle_db_error
+    def put(self):
+        """Change totp to hotp."""
+        # Check that username is specified
+        username: str = flask.request.json.get("username")
+        if not username:
+            raise ddserr.DDSArgumentError(message="Username required to reset 2FA to HOTP")
+
+        # Verify valid user
+        user: models.User = models.User.query.filter_by(username=username).one_or_none()
+        if not user:
+            raise ddserr.DDSArgumentError(message=f"The user doesn't exist: {username}")
+
+        # TOTP needs to be active in order to deactivate
+        if not user.totp_enabled:
+            raise ddserr.DDSArgumentError(message="TOTP is already deactivated for this user.")
+
+        user.deactivate_totp()
+
+        return {
+            "message": f"TOTP has been deactivated for user: {user.username}. They can now use 2FA via email during authentication."
+        }
diff --git a/tests/__init__.py b/tests/__init__.py
@@ -219,5 +219,6 @@ class DDSEndpoint:
     LIST_UNITS_ALL = BASE_ENDPOINT + "/unit/info/all"
     MOTD = BASE_ENDPOINT + "/motd"
     USER_FIND = BASE_ENDPOINT + "/user/find"
+    TOTP_DEACTIVATE = BASE_ENDPOINT + "/user/totp/deactivate"
 
     TIMEOUT = 5