Adding resetMFA for users/subs.

2025-10-29 18:02:29 +00:00 · 2022-05-05 09:15:09 -07:00
parent d69e773263
commit c19ce8a92c
4 changed files with 66 additions and 8 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-46
+47
--- a/openpapi/owsec.yaml
+++ b/openpapi/owsec.yaml
@@ -1117,6 +1117,12 @@ paths:
            type: boolean
            default: false
          required: false
+        - in: query
+          name: resetMFA
+          schema:
+            type: boolean
+            default: false
+          required: false
      requestBody:
        description: User details (some fields are ignored during update)
        content:
@@ -1227,6 +1233,12 @@ paths:
            type: boolean
            default: false
          required: false
+        - in: query
+          name: resetMFA
+          schema:
+            type: boolean
+            default: false
+          required: false
      requestBody:
        description: User details (some fields are ignored during update)
        content:
--- a/src/RESTAPI/RESTAPI_subuser_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subuser_handler.cpp
@@ -148,8 +148,31 @@ namespace OpenWifi {
            return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
        }

-        auto forgotPassword= GetBoolParameter("forgotPassword");
-        if(forgotPassword) {
+        if(GetBoolParameter("resetMFA")) {
+            if( (UserInfo_.userinfo.userRole == SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole!=SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.id == Id)) {
+                Existing.userTypeProprietaryInfo.mfa.enabled = false;
+                Existing.userTypeProprietaryInfo.mfa.method.clear();
+                Existing.userTypeProprietaryInfo.mobiles.clear();
+                Existing.modified = OpenWifi::Now();
+                Existing.notes.push_back( SecurityObjects::NoteInfo{
+                        .created=OpenWifi::Now(),
+                        .createdBy=UserInfo_.userinfo.email,
+                        .note="MFA Reset by " + UserInfo_.userinfo.email});
+                StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing);
+                SecurityObjects::UserInfo   NewUserInfo;
+                StorageService()->SubDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+                Poco::JSON::Object  ModifiedObject;
+                Sanitize(UserInfo_, NewUserInfo);
+                NewUserInfo.to_json(ModifiedObject);
+                return ReturnObject(ModifiedObject);
+            } else {
+                return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
+            }
+        }
+
+        if(GetBoolParameter("forgotPassword")) {
            Existing.changePassword = true;
            Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), Existing.email));

--- a/src/RESTAPI/RESTAPI_user_handler.cpp
+++ b/src/RESTAPI/RESTAPI_user_handler.cpp
@@ -121,7 +121,7 @@ namespace OpenWifi {
            return BadRequest(RESTAPI::Errors::RecordNotCreated);
        }

-        if(GetParameter("email_verification","false")=="true") {
+        if(GetBoolParameter("email_verification")) {
            if(AuthService::VerifyEmail(NewUser))
                Logger_.information(fmt::format("Verification e-mail requested for {}",NewUser.email));
            StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,NewUser.id,NewUser);
@@ -151,11 +151,34 @@ namespace OpenWifi {
        }

        if(!ACLProcessor::Can(UserInfo_.userinfo,Existing,ACLProcessor::MODIFY)) {
-            return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
+            return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
        }

-        auto forgotPassword= GetBoolParameter("forgotPassword");
-        if(forgotPassword) {
+        if(GetBoolParameter("resetMFA")) {
+            if( (UserInfo_.userinfo.userRole == SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole!=SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.id == Id)) {
+                Existing.userTypeProprietaryInfo.mfa.enabled = false;
+                Existing.userTypeProprietaryInfo.mfa.method.clear();
+                Existing.userTypeProprietaryInfo.mobiles.clear();
+                Existing.modified = OpenWifi::Now();
+                Existing.notes.push_back( SecurityObjects::NoteInfo{
+                            .created=OpenWifi::Now(),
+                            .createdBy=UserInfo_.userinfo.email,
+                            .note="MFA Reset by " + UserInfo_.userinfo.email});
+                StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing);
+                SecurityObjects::UserInfo   NewUserInfo;
+                StorageService()->UserDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+                Poco::JSON::Object  ModifiedObject;
+                Sanitize(UserInfo_, NewUserInfo);
+                NewUserInfo.to_json(ModifiedObject);
+                return ReturnObject(ModifiedObject);
+            } else {
+                return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
+            }
+        }
+
+        if(GetBoolParameter("forgotPassword")) {
            Existing.changePassword = true;
            Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), Existing.email));
            SecurityObjects::ActionLink NewLink;
@@ -226,7 +249,7 @@ namespace OpenWifi {
            }
        }

-        if(GetParameter("email_verification","false")=="true") {
+        if(GetBoolParameter("email_verification")) {
            if(AuthService::VerifyEmail(Existing))
                Logger_.information(fmt::format("Verification e-mail requested for {}",Existing.email));
        }