diff --git a/build b/build
index abc4eff..801f180 100644
--- a/build
+++ b/build
@@ -1 +1 @@
-46
\ No newline at end of file
+47
\ No newline at end of file
diff --git a/openpapi/owsec.yaml b/openpapi/owsec.yaml
index 6467261..04e7621 100644
--- a/openpapi/owsec.yaml
+++ b/openpapi/owsec.yaml
@@ -1117,6 +1117,12 @@ paths:
 type: boolean
 default: false
 required: false
+ - in: query
+ name: resetMFA
+ schema:
+ type: boolean
+ default: false
+ required: false
 requestBody:
 description: User details (some fields are ignored during update)
 content:
@@ -1227,6 +1233,12 @@ paths:
 type: boolean
 default: false
 required: false
+ - in: query
+ name: resetMFA
+ schema:
+ type: boolean
+ default: false
+ required: false
 requestBody:
 description: User details (some fields are ignored during update)
 content:
diff --git a/src/RESTAPI/RESTAPI_subuser_handler.cpp b/src/RESTAPI/RESTAPI_subuser_handler.cpp
index fa72f78..d9fb001 100644
--- a/src/RESTAPI/RESTAPI_subuser_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subuser_handler.cpp
@@ -148,8 +148,31 @@ namespace OpenWifi {
 return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
 }
 
- auto forgotPassword= GetBoolParameter("forgotPassword");
- if(forgotPassword) {
+ if(GetBoolParameter("resetMFA")) {
+ if( (UserInfo_.userinfo.userRole == SecurityObjects::ROOT) ||
+ (UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole!=SecurityObjects::ROOT) ||
+ (UserInfo_.userinfo.id == Id)) {
+ Existing.userTypeProprietaryInfo.mfa.enabled = false;
+ Existing.userTypeProprietaryInfo.mfa.method.clear();
+ Existing.userTypeProprietaryInfo.mobiles.clear();
+ Existing.modified = OpenWifi::Now();
+ Existing.notes.push_back( SecurityObjects::NoteInfo{
+ .created=OpenWifi::Now(),
+ .createdBy=UserInfo_.userinfo.email,
+ .note="MFA Reset by " + UserInfo_.userinfo.email});
+ StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing);
+ SecurityObjects::UserInfo NewUserInfo;
+ StorageService()->SubDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+ Poco::JSON::Object ModifiedObject;
+ Sanitize(UserInfo_, NewUserInfo);
+ NewUserInfo.to_json(ModifiedObject);
+ return ReturnObject(ModifiedObject);
+ } else {
+ return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
+ }
+ }
+
+ if(GetBoolParameter("forgotPassword")) {
 Existing.changePassword = true;
 Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}",
 Request->clientAddress().toString(), Existing.email));
diff --git a/src/RESTAPI/RESTAPI_user_handler.cpp b/src/RESTAPI/RESTAPI_user_handler.cpp
index a1a8742..a0391b0 100644
--- a/src/RESTAPI/RESTAPI_user_handler.cpp
+++ b/src/RESTAPI/RESTAPI_user_handler.cpp
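Review bot: The record returned after the reset is the caller's, not the modified user's: right after `UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing)` the new code calls `StorageService()->SubDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo)`, so unless the caller is resetting their own MFA the `Sanitize`d response describes the wrong account; the re-read should target the modified record, e.g. `StorageService()->SubDB().GetUserByEmail(Existing.email,NewUserInfo);`. The result of `UpdateUserInfo` is also discarded, so a failed write would still be answered with a freshly read object (whether it reports a status is not visible here). Unlike the `forgotPassword` branch below it, which logs the client address, the MFA reset leaves no server-side audit line beyond the note pushed onto the user record; consider `Logger_.information(fmt::format("MFA-RESET({}): {} reset MFA for {}", Request->clientAddress().toString(), UserInfo_.userinfo.email, Existing.email));` before the early return. The same three points apply to the `@@ -151,11 +151,34 @@` hunk of src/RESTAPI/RESTAPI_user_handler.cpp, which differs only in using `UserDB()`. The enclosing handler begins before this hunk and continues after it.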
@@ -121,7 +121,7 @@ namespace OpenWifi {
 return BadRequest(RESTAPI::Errors::RecordNotCreated);
 }
 
- if(GetParameter("email_verification","false")=="true") {
+ if(GetBoolParameter("email_verification")) {
 if(AuthService::VerifyEmail(NewUser))
 Logger_.information(fmt::format("Verification e-mail requested for {}",NewUser.email));
 StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,NewUser.id,NewUser);
@@ -151,11 +151,34 @@ namespace OpenWifi {
 }
 if(!ACLProcessor::Can(UserInfo_.userinfo,Existing,ACLProcessor::MODIFY)) {
- return UnAuthorized("Insufficient access rights.", ACCESS_DENIED);
+ return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
 }
 
- auto forgotPassword= GetBoolParameter("forgotPassword");
- if(forgotPassword) {
+ if(GetBoolParameter("resetMFA")) {
+ if( (UserInfo_.userinfo.userRole == SecurityObjects::ROOT) ||
+ (UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole!=SecurityObjects::ROOT) ||
+ (UserInfo_.userinfo.id == Id)) {
+ Existing.userTypeProprietaryInfo.mfa.enabled = false;
+ Existing.userTypeProprietaryInfo.mfa.method.clear();
+ Existing.userTypeProprietaryInfo.mobiles.clear();
+ Existing.modified = OpenWifi::Now();
+ Existing.notes.push_back( SecurityObjects::NoteInfo{
+ .created=OpenWifi::Now(),
+ .createdBy=UserInfo_.userinfo.email,
+ .note="MFA Reset by " + UserInfo_.userinfo.email});
+ StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing);
+ SecurityObjects::UserInfo NewUserInfo;
+ StorageService()->UserDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+ Poco::JSON::Object ModifiedObject;
+ Sanitize(UserInfo_, NewUserInfo);
+ NewUserInfo.to_json(ModifiedObject);
+ return ReturnObject(ModifiedObject);
+ } else {
+ return UnAuthorized(RESTAPI::Errors::InsufficientAccessRights, ACCESS_DENIED);
+ }
+ }
+
+ if(GetBoolParameter("forgotPassword")) {
 Existing.changePassword = true;
 Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}",
 Request->clientAddress().toString(), Existing.email));
 SecurityObjects::ActionLink NewLink;
@@ -226,7 +249,7 @@ namespace OpenWifi {
 }
 }
 
- if(GetParameter("email_verification","false")=="true") {
+ if(GetBoolParameter("email_verification")) {
 if(AuthService::VerifyEmail(Existing))
 Logger_.information(fmt::format("Verification e-mail requested for {}",Existing.email));
 }
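Review bot: The third branch of the new authorization test, `(UserInfo_.userinfo.id == Id)`, lets an account disable its own MFA with nothing more than the session that reached this handler, which is exactly the credential the second factor exists to back up; a hijacked session can strip `mfa.enabled`, `mfa.method` and `mobiles` and keep the account. For self-service resets consider requiring step-up proof (the current password or a valid MFA code supplied in the request) before clearing those fields, or leave self-reset to a separate recovery flow and keep this query flag for ROOT/ADMIN use. The branch also returns before the `forgotPassword` parameter and, as far as this hunk shows, the request body are processed, so a client sending `resetMFA=true` together with other changes has them silently ignored; either state that in openpapi/owsec.yaml or fall through after the reset. Both points apply equally to the resetMFA block of src/RESTAPI/RESTAPI_subuser_handler.cpp. The handler's definition and the binding of `Id` lie outside this hunk.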