fix: disable totp by default

authorizerdev · Nov 23, 2023 · bd343f0 · bd343f0
1 parent ad8bd64
commit bd343f0
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 78 deletions.
diff --git a/dashboard/src/components/EnvComponents/Features.tsx b/dashboard/src/components/EnvComponents/Features.tsx
@@ -25,7 +25,6 @@ const Features = ({ variables, setVariables }: any) => {
 					</Flex>
 				</Flex>
 
-
 				<Flex>
 					<Flex w="100%" justifyContent="start" alignItems="center">
 						<Text fontSize="sm">Email Verification:</Text>
@@ -109,15 +108,12 @@ const Features = ({ variables, setVariables }: any) => {
 						/>
 					</Flex>
 				</Flex>
-
-				{
-					!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION &&
+				{/** TODO enable after final release */}
+				{/* {!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION && (
 					<Flex alignItems="center">
 						<Flex w="100%" alignItems="baseline" flexDir="column">
 							<Text fontSize="sm">TOTP:</Text>
-							<Text fontSize="x-small">
-								Note: to enable totp mfa
-							</Text>
+							<Text fontSize="x-small">Note: to enable totp mfa</Text>
 						</Flex>
 
 						<Flex justifyContent="start" mb={3}>
@@ -129,25 +125,24 @@ const Features = ({ variables, setVariables }: any) => {
 							/>
 						</Flex>
 					</Flex>
-				}
-				{!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION &&
+				)} */}
+				{!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION && (
 					<Flex alignItems="center">
-					<Flex w="100%" alignItems="baseline" flexDir="column">
-					<Text fontSize="sm">EMAIL OTP:</Text>
-					<Text fontSize="x-small">
-					Note: to enable email otp mfa
-					</Text>
-					</Flex>
+						<Flex w="100%" alignItems="baseline" flexDir="column">
+							<Text fontSize="sm">EMAIL OTP:</Text>
+							<Text fontSize="x-small">Note: to enable email otp mfa</Text>
+						</Flex>
 
-					<Flex justifyContent="start" mb={3}>
-				<InputField
-					variables={variables}
-					setVariables={setVariables}
-					inputType={SwitchInputType.DISABLE_MAIL_OTP_LOGIN}
-					hasReversedValue
-				/>
-			</Flex>
-		</Flex>}
+						<Flex justifyContent="start" mb={3}>
+							<InputField
+								variables={variables}
+								setVariables={setVariables}
+								inputType={SwitchInputType.DISABLE_MAIL_OTP_LOGIN}
+								hasReversedValue
+							/>
+						</Flex>
+					</Flex>
+				)}
 
 				<Flex alignItems="center">
 					<Flex w="100%" alignItems="baseline" flexDir="column">

diff --git a/server/env/env.go b/server/env/env.go
@@ -834,9 +834,10 @@ func InitAllEnv() error {
 			envData[constants.EnvKeyDisablePlayGround] = boolValue
 		}
 	}
-
+	// TODO: remove after beta launch
+	envData[constants.EnvKeyDisableTOTPLogin] = true
 	if _, ok := envData[constants.EnvKeyDisableTOTPLogin]; !ok {
-		envData[constants.EnvKeyDisableTOTPLogin] = osDisableTOTPLogin == "false"
+		envData[constants.EnvKeyDisableTOTPLogin] = osDisableTOTPLogin == "true"
 	}
 	if osDisableTOTPLogin != "" {
 		boolValue, err := strconv.ParseBool(osDisableTOTPLogin)
@@ -847,6 +848,7 @@ func InitAllEnv() error {
 			envData[constants.EnvKeyDisableTOTPLogin] = boolValue
 		}
 	}
+	fmt.Println("=> final value", envData[constants.EnvKeyDisableTOTPLogin])
 
 	if _, ok := envData[constants.EnvKeyDisableMailOTPLogin]; !ok {
 		envData[constants.EnvKeyDisableMailOTPLogin] = osDisableMailOTPLogin == "true"

diff --git a/server/resolvers/login.go b/server/resolvers/login.go
@@ -182,45 +182,6 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		}
 		return otpData, nil
 	}
-	// If mfa enabled and also totp enabled
-	// first priority is given to totp
-	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isTOTPLoginDisabled {
-		expiresAt := time.Now().Add(3 * time.Minute).Unix()
-		if err := setOTPMFaSession(expiresAt); err != nil {
-			log.Debug("Failed to set mfa session: ", err)
-			return nil, err
-		}
-		authenticator, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, user.ID, constants.EnvKeyTOTPAuthenticator)
-		// Check if it's the first time user or if their TOTP is not verified
-		if err != nil || ((authenticator == nil) || (authenticator != nil && authenticator.VerifiedAt == nil)) {
-			// Generate a base64 URL and initiate the registration for TOTP
-			authConfig, err := authenticators.Provider.Generate(ctx, user.ID)
-			if err != nil {
-				log.Debug("error while generating base64 url: ", err)
-				return nil, err
-			}
-			recoveryCodes := []*string{}
-			for _, code := range authConfig.RecoveryCodes {
-				recoveryCodes = append(recoveryCodes, refs.NewStringRef(code))
-			}
-			// when user is first time registering for totp
-			res = &model.AuthResponse{
-				Message:                    `Proceed to totp verification screen`,
-				ShouldShowTotpScreen:       refs.NewBoolRef(true),
-				AuthenticatorScannerImage:  refs.NewStringRef(authConfig.ScannerImage),
-				AuthenticatorSecret:        refs.NewStringRef(authConfig.Secret),
-				AuthenticatorRecoveryCodes: recoveryCodes,
-			}
-			return res, nil
-		} else {
-			//when user is already register for totp
-			res = &model.AuthResponse{
-				Message:              `Proceed to totp screen`,
-				ShouldShowTotpScreen: refs.NewBoolRef(true),
-			}
-			return res, nil
-		}
-	}
 	// If multi factor authentication is enabled and is email based login and email otp is enabled
 	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isMailOTPDisabled && isEmailServiceEnabled && isEmailLogin {
 		expiresAt := time.Now().Add(1 * time.Minute).Unix()
@@ -275,6 +236,44 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 			ShouldShowMobileOtpScreen: refs.NewBoolRef(isMobileLogin),
 		}, nil
 	}
+	// If mfa enabled and also totp enabled
+	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isTOTPLoginDisabled {
+		expiresAt := time.Now().Add(3 * time.Minute).Unix()
+		if err := setOTPMFaSession(expiresAt); err != nil {
+			log.Debug("Failed to set mfa session: ", err)
+			return nil, err
+		}
+		authenticator, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, user.ID, constants.EnvKeyTOTPAuthenticator)
+		// Check if it's the first time user or if their TOTP is not verified
+		if err != nil || ((authenticator == nil) || (authenticator != nil && authenticator.VerifiedAt == nil)) {
+			// Generate a base64 URL and initiate the registration for TOTP
+			authConfig, err := authenticators.Provider.Generate(ctx, user.ID)
+			if err != nil {
+				log.Debug("error while generating base64 url: ", err)
+				return nil, err
+			}
+			recoveryCodes := []*string{}
+			for _, code := range authConfig.RecoveryCodes {
+				recoveryCodes = append(recoveryCodes, refs.NewStringRef(code))
+			}
+			// when user is first time registering for totp
+			res = &model.AuthResponse{
+				Message:                    `Proceed to totp verification screen`,
+				ShouldShowTotpScreen:       refs.NewBoolRef(true),
+				AuthenticatorScannerImage:  refs.NewStringRef(authConfig.ScannerImage),
+				AuthenticatorSecret:        refs.NewStringRef(authConfig.Secret),
+				AuthenticatorRecoveryCodes: recoveryCodes,
+			}
+			return res, nil
+		} else {
+			//when user is already register for totp
+			res = &model.AuthResponse{
+				Message:              `Proceed to totp screen`,
+				ShouldShowTotpScreen: refs.NewBoolRef(true),
+			}
+			return res, nil
+		}
+	}
 
 	code := ""
 	codeChallenge := ""

diff --git a/server/resolvers/update_env.go b/server/resolvers/update_env.go
@@ -261,7 +261,6 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		}
 		if !updatedData[constants.EnvKeyDisableMagicLinkLogin].(bool) {
 			updatedData[constants.EnvKeyDisableMailOTPLogin] = true
-			updatedData[constants.EnvKeyDisableTOTPLogin] = false
 		}
 	}
 
@@ -276,19 +275,8 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		}
 	}
 
-	if updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {
-		updatedData[constants.EnvKeyDisableTOTPLogin] = true
+	if updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyIsEmailServiceEnabled].(bool) {
 		updatedData[constants.EnvKeyDisableMailOTPLogin] = true
-	} else {
-		if !updatedData[constants.EnvKeyDisableMailOTPLogin].(bool) && !updatedData[constants.EnvKeyDisableTOTPLogin].(bool) {
-			errors.New("can't enable both mfa methods at same time")
-			updatedData[constants.EnvKeyDisableMailOTPLogin] = true
-			updatedData[constants.EnvKeyDisableTOTPLogin] = false
-		} else if updatedData[constants.EnvKeyDisableMailOTPLogin].(bool) && updatedData[constants.EnvKeyDisableTOTPLogin].(bool) {
-			errors.New("can't disable both mfa methods at same time")
-			updatedData[constants.EnvKeyDisableMailOTPLogin] = true
-			updatedData[constants.EnvKeyDisableTOTPLogin] = false
-		}
 	}
 
 	if !currentData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && !updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {