Allow admins to delete a specific MFA method for a user (#2012)

Author: jakub-tldr

crates/defguard_core/src/handlers/auth.rs

@@ -675,8 +675,9 @@ pub async fn totp_disable(
     session: SessionInfo,
     context: ApiRequestContext,
     State(appstate): State<AppState>,
+    username: Path<String>,
 ) -> ApiResult {
-    let mut user = session.user;
+    let mut user = user_for_admin_or_self(&appstate.pool, &session, &username).await?;
     debug!("Disabling TOTP for user {}", user.username);
     user.disable_totp(&appstate.pool).await?;
     user.verify_mfa_state(&appstate.pool).await?;
@@ -840,8 +841,9 @@ pub async fn email_mfa_disable(
     session: SessionInfo,
     context: ApiRequestContext,
     State(appstate): State<AppState>,
+    username: Path<String>,
 ) -> ApiResult {
-    let mut user = session.user;
+    let mut user = user_for_admin_or_self(&appstate.pool, &session, &username).await?;
     debug!("Disabling email MFA for user {}", user.username);
     user.disable_email_mfa(&appstate.pool).await?;
     user.verify_mfa_state(&appstate.pool).await?;

crates/defguard_core/src/lib.rs

@@ -244,14 +244,12 @@ pub fn build_webapp(
             .route("/auth/webauthn/start", post(webauthn_start))
             .route("/auth/webauthn", post(webauthn_end))
             .route("/auth/totp/init", post(totp_secret))
-            .route("/auth/totp", post(totp_enable).delete(totp_disable))
+            .route("/auth/totp", post(totp_enable))
             .route("/auth/totp/verify", post(totp_code))
             .route("/auth/email/init", post(email_mfa_init))
             .route(
                 "/auth/email",
-                get(request_email_mfa_code)
-                    .post(email_mfa_enable)
-                    .delete(email_mfa_disable),
+                get(request_email_mfa_code).post(email_mfa_enable),
             )
             .route("/auth/email/verify", post(email_mfa_code))
             .route("/auth/recovery", post(recovery_code))
@@ -269,6 +267,9 @@ pub fn build_webapp(
             .route("/user/change_password", put(change_self_password))
             .route("/user/{username}/password", put(change_password))
             .route("/user/{username}/reset_password", post(reset_password))
+            // disable mfa
+            .route("/user/{username}/email", delete(email_mfa_disable))
+            .route("/user/{username}/totp", delete(totp_disable))
             // auth keys
             .route(
                 "/user/{username}/auth_key",

web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx

@@ -78,12 +78,12 @@ export const ProfileAuthCard = () => {
   });
 
   const { mutate: mutateDisableEmailMfa } = useMutation({
-    mutationFn: api.auth.mfa.email.disable,
+    mutationFn: api.user.mfa.email.disable,
     meta: invalidateAfterMfaChange,
   });
 
   const { mutate: mutateDisableTotp } = useMutation({
-    mutationFn: api.auth.mfa.totp.disable,
+    mutationFn: api.user.mfa.totp.disable,
     meta: invalidateAfterMfaChange,
   });
 
@@ -99,7 +99,6 @@ export const ProfileAuthCard = () => {
     },
     meta: invalidateAfterMfaChange,
   });
-
   const emailMenuItems = useMemo(() => {
     const items: MenuItemProps[] = [];
     if (!user.email_mfa_enabled) {
@@ -121,7 +120,7 @@ export const ProfileAuthCard = () => {
       items.push({
         text: m.controls_disable(),
         icon: 'minus-circle',
-        onClick: () => mutateDisableEmailMfa(),
+        onClick: () => mutateDisableEmailMfa(user.username),
       });
     }
     const res: MenuItemsGroup = {
@@ -133,6 +132,7 @@ export const ProfileAuthCard = () => {
     mutateDisableEmailMfa,
     mutateSetDefaultMfa,
     user.mfa_method,
+    user.username,
   ]);
 
   const mfaMenuItems = useMemo(() => {
@@ -227,16 +227,20 @@ export const ProfileAuthCard = () => {
       items.push({
         icon: 'minus-circle',
         text: m.controls_disable(),
-        onClick: () => {
-          mutateDisableTotp();
-        },
+        onClick: () => mutateDisableTotp(user.username),
       });
     }
 
     return {
       items,
     };
-  }, [mutateDisableTotp, user.totp_enabled, mutateSetDefaultMfa, user.mfa_method]);
+  }, [
+    mutateDisableTotp,
+    user.totp_enabled,
+    mutateSetDefaultMfa,
+    user.mfa_method,
+    user.username,
+  ]);
 
   return (
     <ProfileCard id="profile-auth-card">

web/src/shared/api/api.ts

@@ -203,6 +203,14 @@ const api = {
       });
     },
     deleteUser: (username: string) => client.delete(`/user/${username}`),
+    mfa: {
+      totp: {
+        disable: (username: string) => client.delete(`/user/${username}/totp`),
+      },
+      email: {
+        disable: (username: string) => client.delete(`/user/${username}/email`),
+      },
+    },
   },
   webhook: {
     addWebhook: (data: AddWebhookRequest) => client.post('/webhook', data),
@@ -233,15 +241,13 @@ const api = {
           client.post<MfaCompleteResponse>('/auth/totp/verify', {
             code,
           }),
-        disable: () => client.delete('/auth/totp'),
       },
       email: {
         init: () => client.post('/auth/email/init'),
         enable: (code: string) =>
           client.post<EnableMfaMethodResponse>('/auth/email', {
             code,
           }),
-        disable: () => client.delete('/auth/email'),
         resend: () => client.get('/auth/email'),
         verify: (code: string) =>
           client.post<MfaCompleteResponse>('/auth/email/verify', { code }),