Add the "has_otp" attribute to the user type

9b8e1392 · ale · d5aabe73 · 9b8e1392 · 9b8e1392 · 9b8e1392
Commit 9b8e1392 authored Aug 17, 2018 by ale
--- a/actions.go
+++ b/actions.go
@@ -177,6 +177,8 @@ type PasswordRecoveryResponse struct {
 // RecoverPassword lets users reset their password by providing
 // secondary credentials, which we authenticate ourselves.
 //
+// Two-factor authentication is disabled on successful recovery.
+//
 // TODO: call out to auth-server for secondary authentication?
 func (s *AccountService) RecoverPassword(ctx context.Context, tx TX, req *PasswordRecoveryRequest) (*PasswordRecoveryResponse, error) {
 	user, err := getUserOrDie(ctx, tx, req.Username)
@@ -208,6 +210,7 @@ func (s *AccountService) RecoverPassword(ctx context.Context, tx TX, req *Passwo
 		if err := s.changeUserPasswordAndUpdateEncryptionKeys(ctx, tx, user, req.RecoveryPassword, req.Password); err != nil {
 			return err
 		}
+
 		// Disable 2FA.
 		return s.disable2FA(ctx, tx, user)
 	})

--- a/backend/model.go
+++ b/backend/model.go
@@ -128,12 +128,11 @@ func newUser(entry *ldap.Entry) (*accountserver.User, error) {
 		UID:                  uidNumber,
 		PasswordRecoveryHint: entry.GetAttributeValue(recoveryHintLDAPAttr),
 		U2FRegistrations:     decodeU2FRegistrations(entry.GetAttributeValues(u2fRegistrationsLDAPAttr)),
+		HasOTP:               entry.GetAttributeValue(totpSecretLDAPAttr) != "",
 	}

 	// The user has 2FA enabled if it has a TOTP secret or U2F keys.
-	if (entry.GetAttributeValue(totpSecretLDAPAttr) != "") || (len(user.U2FRegistrations) > 0) {
-		user.Has2FA = true
-	}
+	user.Has2FA = (user.HasOTP || (len(user.U2FRegistrations) > 0))

 	if user.Lang == "" {
 		user.Lang = "en"

--- a/types.go
+++ b/types.go
@@ -30,13 +30,23 @@ type User struct {
 	// UNIX user id.
 	UID int `json:"uid"`

-	Has2FA               bool   `json:"has_2fa"`
-	HasEncryptionKeys    bool   `json:"has_encryption_keys"`
+	// Has2FA is true if the user has a second-factor authentication
+	// mechanism properly set up. In practice, this is the case if either
+	// HasOTP is true, or len(U2FRegistrations) > 0.
+	Has2FA bool `json:"has_2fa"`
+
+	// HasOTP is true if TOTP is set up.
+	HasOTP bool `json:"has_otp"`
+
+	// HasEncryptionKeys is true if encryption keys are properly set up for
+	// this user.  TODO: consider disabling it.
+	HasEncryptionKeys bool `json:"has_encryption_keys"`
+
 	PasswordRecoveryHint string `json:"password_recovery_hint"`

 	AppSpecificPasswords []*AppSpecificPasswordInfo `json:"app_specific_passwords,omitempty"`

-	U2FRegistrations []*u2f.Registration `json:"u2f_registrations"`
+	U2FRegistrations []*u2f.Registration `json:"u2f_registrations,omitempty"`

 	Resources []*Resource `json:"resources,omitempty"`
 }