NET-1996: Add Support for TOTP Authentication. (#3517)

* feat(git): ignore run configurations; * feat(go): add support for TOTP authentication; * fix(go): api docs; * fix(go): static checks failing; * fix(go): ignore mfa enforcement for user auth; * feat(go): allow resetting mfa; * feat(go): allow resetting mfa; * feat(go): use library function; * fix(go): signature; * feat(go): allow only master user to unset user's mfa; * feat(go): set caller when master to prevent panic; * feat(go): make messages more user friendly; * fix(go): run go mod tidy; * fix(go): optimize imports; * fix(go): return unauthorized on token expiry; * fix(go): move mfa endpoints under username; * fix(go): set is mfa enabled when converting; * feat(go): allow authenticated users to use preauth apis; * feat(go): set correct header value; * feat(go): allow super-admins and admins to unset mfa; * feat(go): allow user to unset mfa if not enforced;
2025-10-05 16:57:51 +08:00 · 2025-06-26 08:29:13 +05:30
parent aca911712b
commit 3551e8e24e
12 changed files with 419 additions and 45 deletions
--- a/logic/auth.go
+++ b/logic/auth.go
@@ -235,22 +235,32 @@ func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
 		return "", errors.New("incorrect credentials")
 	}

-	// Create a new JWT for the node
-	tokenString, err := CreateUserJWT(authRequest.UserName, result.PlatformRoleID)
-	if err != nil {
-		slog.Error("error creating jwt", "error", err)
-		return "", err
-	}
+	if result.IsMFAEnabled {
+		tokenString, err := CreatePreAuthToken(authRequest.UserName)
+		if err != nil {
+			slog.Error("error creating jwt", "error", err)
+			return "", err
+		}

-	// update last login time
-	result.LastLoginTime = time.Now().UTC()
-	err = UpsertUser(result)
-	if err != nil {
-		slog.Error("error upserting user", "error", err)
-		return "", err
-	}
+		return tokenString, nil
+	} else {
+		// Create a new JWT for the node
+		tokenString, err := CreateUserJWT(authRequest.UserName, result.PlatformRoleID)
+		if err != nil {
+			slog.Error("error creating jwt", "error", err)
+			return "", err
+		}

-	return tokenString, nil
+		// update last login time
+		result.LastLoginTime = time.Now().UTC()
+		err = UpsertUser(result)
+		if err != nil {
+			slog.Error("error upserting user", "error", err)
+			return "", err
+		}
+
+		return tokenString, nil
+	}
 }

 // UpsertUser - updates user in the db
@@ -359,6 +369,11 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
 		}
 	}

+	user.IsMFAEnabled = userchange.IsMFAEnabled
+	if !user.IsMFAEnabled {
+		user.TOTPSecret = ""
+	}
+
 	user.UserGroups = userchange.UserGroups
 	user.NetworkRoles = userchange.NetworkRoles
 	AddGlobalNetRolesToAdmins(user)