Add possibility to remove mfa

2025-10-05 12:20:10 +00:00 · 2025-02-06 16:47:56 +00:00
parent 6228a54ecf
commit 0bfd2f901d
9 changed files with 168 additions and 57 deletions
--- a/backend/internal/mfa.js
+++ b/backend/internal/mfa.js
@@ -1,5 +1,5 @@
 const authModel = require('../models/auth');
-const error     = require('../lib/error');
+const error = require('../lib/error');
 const speakeasy = require('speakeasy');

 module.exports = {
@@ -13,10 +13,10 @@ module.exports = {
 					throw new error.AuthError('MFA is not enabled for this user.');
 				}
 				const verified = speakeasy.totp.verify({
-					secret:   auth.mfa_secret,
+					secret: auth.mfa_secret,
 					encoding: 'base32',
-					token:    token,
-					window:   2
+					token: token,
+					window: 2
 				});
 				if (!verified) {
 					throw new error.AuthError('Invalid MFA token.');
@@ -58,10 +58,10 @@ module.exports = {
 					throw new error.AuthError('MFA is not set up for this user.');
 				}
 				const verified = speakeasy.totp.verify({
-					secret:   auth.mfa_secret,
+					secret: auth.mfa_secret,
 					encoding: 'base32',
-					token:    token,
-					window:   2
+					token: token,
+					window: 2
 				});
 				if (!verified) {
 					throw new error.AuthError('Invalid MFA token.');
@@ -73,4 +73,25 @@ module.exports = {
 					.then(() => true);
 			});
 	},
+	disableMfaForUser: (data, userId) => {
+		return authModel
+			.query()
+			.where('user_id', userId)
+			.first()
+			.then((auth) => {
+				if (!auth) {
+					throw new error.AuthError('User not found.');
+				}
+				return auth.verifyPassword(data.secret)
+					.then((valid) => {
+						if (!valid) {
+							throw new error.AuthError('Invalid password.');
+						}
+						return authModel
+							.query()
+							.where('user_id', userId)
+							.update({ mfa_enabled: false, mfa_secret: null });
+					});
+			});
+	},
 };