
feat(users): Create terminate 2fa API #4731

Merged
merged 8 commits into from
May 23, 2024
Conversation

@Riddhiagrawal001 Riddhiagrawal001 commented May 22, 2024

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

Currently, completing 2fa and setting the 2fa status to "SET" is handled by the verify_totp API. We want to remove this from verify_totp, so this PR creates a new API to terminate the 2fa flow.

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

This will close issue #4730.

How did you test it?

This can only be tested locally as it requires some changes in redis.

  1. terminate 2fa without skip_two_factor_auth query param

    a. If the keys TOTP_{user_id} or RC_{user_id} are not present in redis

    Request

    curl --location 'http://localhost:8080/user/2fa/terminate' \
    --header 'Authorization: Bearer SPT with purpose as TOTP'

    Response

    {
        "error": {
            "type": "invalid_request",
            "message": "Two factor auth required",
            "code": "UR_39"
        }
    }

    b. Add the keys to redis with prefix TOTP_{user_id} or RC_{user_id}

    Request

    curl --location 'http://localhost:8080/user/2fa/terminate' \
    --header 'Authorization: Bearer SPT with purpose as TOTP'

    Response (this will also set the totp_status for the user as "set")

    {
        "token": "Bearer token",
        "token_type": "next flow token type"
    }

  2. terminate 2fa with skip_two_factor_auth query param

    a. skip_two_factor_auth=true

    Irrespective of whether the keys are present in redis, if skip_two_factor_auth is sent as true it will not change the status and will give the token and token_type for the next flow.

    Request

    curl --location 'http://localhost:8080/user/2fa/terminate?skip_two_factor_auth=true' \
    --header 'Authorization: Bearer SPT with purpose as TOTP'

    Response

    {
        "token": "Bearer token",
        "token_type": "next flow token type"
    }

    b. skip_two_factor_auth=false

    Request

    curl --location 'http://localhost:8080/user/2fa/terminate?skip_two_factor_auth=false' \
    --header 'Authorization: Bearer SPT with purpose as TOTP'

    Response (this will also set the totp_status for the user as "set")

    {
        "token": "Bearer token",
        "token_type": "next flow token type"
    }

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

@Riddhiagrawal001 Riddhiagrawal001 added the A-users Area: Users label May 22, 2024
@Riddhiagrawal001 Riddhiagrawal001 self-assigned this May 22, 2024
@Riddhiagrawal001 Riddhiagrawal001 requested review from a team as code owners May 22, 2024 12:38
if !(check_totp_in_redis(&state, &user_token.user_id).await?
|| check_access_code_in_redis(&state, &user_token.user_id).await?)
{
return Err(UserErrors::TotpRequired.into());
Contributor


Add a new error 2FARequired.

Contributor Author


New error added

.change_context(UserErrors::InternalServerError)?
.into();

if skip_2fa.is_none() {
Contributor


Should be !skip_2fa.unwrap_or(false).

Contributor Author


Changed

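To make the behaviour laid out in the PR description and the review point about `skip_2fa.is_none()` concrete, here is an added example that is not hyperswitch code: a self-contained Rust model of the terminate step against a constructed in-memory stand-in for the redis keys. `FakeRedis`, `TerminateOutcome` and the two `skip_*` resolver functions are assumptions made for this illustration; the decision logic follows the request/response cases in the description.

```rust
use std::collections::HashSet;

/// Outcome of the terminate-2fa step, mirroring the two responses in the PR description.
#[derive(Debug, PartialEq)]
pub enum TerminateOutcome {
    /// No TOTP_{user_id} or RC_{user_id} key and no skip: the UR_39 "Two factor auth required" error.
    TotpRequired,
    /// Next-flow token issued; `status_set` records whether totp_status was updated to "set".
    Token { status_set: bool },
}

/// Constructed stand-in for the redis keys the real service looks up (assumption, not project code).
pub struct FakeRedis { keys: HashSet<String> }

impl FakeRedis {
    pub fn with_keys(keys: &[&str]) -> Self {
        Self { keys: keys.iter().map(|k| k.to_string()).collect() }
    }
    fn has_totp(&self, user_id: &str) -> bool { self.keys.contains(&format!("TOTP_{user_id}")) }
    fn has_access_code(&self, user_id: &str) -> bool { self.keys.contains(&format!("RC_{user_id}")) }
}

/// Reviewer's resolution of the query param: None and Some(false) both mean "do not skip".
pub fn skip_unwrap_or_false(skip: Option<bool>) -> bool {
    skip.unwrap_or(false)
}

/// First-revision resolution (`is_none()` guarding the check): any explicit value skips,
/// so `?skip_two_factor_auth=false` would bypass the redis lookup.
pub fn skip_is_some(skip: Option<bool>) -> bool {
    skip.is_some()
}

/// Decide whether 2fa termination may proceed; `resolve` picks one of the two resolutions above.
pub fn terminate_two_factor_auth(
    redis: &FakeRedis,
    user_id: &str,
    skip_two_factor_auth: Option<bool>,
    resolve: fn(Option<bool>) -> bool,
) -> TerminateOutcome {
    if resolve(skip_two_factor_auth) {
        // Skip requested: hand out the next-flow token without touching totp_status.
        return TerminateOutcome::Token { status_set: false };
    }
    if !redis.has_totp(user_id) && !redis.has_access_code(user_id) {
        return TerminateOutcome::TotpRequired;
    }
    // A completed TOTP or recovery-code step exists: mark totp_status as "set".
    TerminateOutcome::Token { status_set: true }
}
```

Running the same `Some(false)` input through both resolvers shows why the reviewer asked for `unwrap_or(false)`: with the `is_none()` guard an explicit `false` still skips the redis check.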
Comment on lines 1785 to 1786
if !(check_totp_in_redis(&state, &user_token.user_id).await?
|| check_access_code_in_redis(&state, &user_token.user_id).await?)
Contributor


Suggested change
if !(check_totp_in_redis(&state, &user_token.user_id).await?
|| check_access_code_in_redis(&state, &user_token.user_id).await?)
if !check_totp_in_redis(&state, &user_token.user_id).await?
&& !check_access_code_in_redis(&state, &user_token.user_id).await?

This is more readable imo.

Contributor Author


Changed

@Riddhiagrawal001 Riddhiagrawal001 added the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label May 23, 2024
@ThisIsMani ThisIsMani linked an issue May 23, 2024 that may be closed by this pull request
@ThisIsMani ThisIsMani changed the title feat(users):Create terminate 2fa API feat(users): Create terminate 2fa API May 23, 2024
ThisIsMani
ThisIsMani previously approved these changes May 23, 2024
apoorvdixit88
apoorvdixit88 previously approved these changes May 23, 2024
pub async fn terminate_two_factor_auth(
state: AppState,
user_token: auth::UserFromSinglePurposeToken,
skip_two_factor_auth: Option<bool>,
Contributor


use the parent route function to resolve the option.

Contributor Author


Addressed

@Riddhiagrawal001 Riddhiagrawal001 dismissed stale reviews from apoorvdixit88 and ThisIsMani via 36a14b4 May 23, 2024 10:46
@preetamrevankar preetamrevankar added this pull request to the merge queue May 23, 2024
Merged via the queue into main with commit 42e5ef1 May 23, 2024
10 checks passed
@preetamrevankar preetamrevankar deleted the terminate-2fa-api branch May 23, 2024 12:15
@SanchithHegde SanchithHegde removed the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label May 26, 2024
Successfully merging this pull request may close these issues.

refactor: Separate out totp completion from verify