#168: disable TOTP as admin for a specific user

This commit is contained in:
Benjamin Gamard 2018-11-07 13:42:43 +01:00
parent a75b40bbfb
commit 42828efa19
2 changed files with 59 additions and 4 deletions

View File

@ -489,6 +489,7 @@ public class UserResource extends BaseResource {
* @apiDescription All associated entities will be deleted as well.
* @apiName DeleteUserUsername
* @apiGroup User
* @apiParam {String} username Username
* @apiSuccess {String} status Status OK
* @apiError (client) ForbiddenError Access denied or the user cannot be deleted
* @apiError (client) UserNotFound The user does not exist
@ -556,6 +557,47 @@ public class UserResource extends BaseResource {
return Response.ok().entity(response.build()).build();
}
/**
* Disable time-based one-time password for a specific user.
*
* @api {post} /user/:username/disable_totp Disable TOTP authentication for a specific user
* @apiName PostUserUsernameDisableTotp
* @apiGroup User
* @apiParam {String} username Username
* @apiSuccess {String} status Status OK
* @apiError (client) ForbiddenError Access denied or connected as guest
* @apiError (client) ValidationError Validation error
* @apiPermission user
* @apiVersion 1.5.0
*
* @param username Username
* @return Response
*/
@POST
@Path("{username: [a-zA-Z0-9_]+}/disable_totp")
public Response disableTotpUsername(@PathParam("username") String username) {
if (!authenticate() || principal.isGuest()) {
throw new ForbiddenClientException();
}
checkBaseFunction(BaseFunction.ADMIN);
// Get the user
UserDao userDao = new UserDao();
User user = userDao.getActiveByUsername(username);
if (user == null) {
throw new ForbiddenClientException();
}
// Remove the TOTP key
user.setTotpKey(null);
userDao.update(user, principal.getId());
// Always return OK
JsonObjectBuilder response = Json.createObjectBuilder()
.add("status", "ok");
return Response.ok().entity(response.build()).build();
}
/**
* Returns the information about the connected user.
*
@ -876,9 +918,9 @@ public class UserResource extends BaseResource {
}
/**
* Disable time-based one-time password.
* Disable time-based one-time password for the current user.
*
* @api {post} /user/disable_totp Disable TOTP authentication
* @api {post} /user/disable_totp Disable TOTP authentication for the current user
* @apiName PostUserDisableTotp
* @apiGroup User
* @apiParam {String{1..100}} password Password

View File

@ -323,6 +323,9 @@ public class TestUserResource extends BaseJerseyTest {
@Test
public void testTotp() {
// Login admin
String adminToken = clientUtil.login("admin", "admin", false);
// Create totp1 user
clientUtil.createUser("totp1");
String totp1Token = clientUtil.login("totp1");
@ -374,6 +377,16 @@ public class TestUserResource extends BaseJerseyTest {
.post(Entity.form(new Form()
.param("password", "12345678")), JsonObject.class);
// Enable TOTP for totp1
target().path("/user/enable_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.post(Entity.form(new Form()), JsonObject.class);
// Disable TOTP for totp1 with admin
target().path("/user/totp1/disable_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
.post(Entity.form(new Form()), JsonObject.class);
// Login with totp1 without a validation code
target().path("/user/login").request()
.post(Entity.form(new Form()