feat: add MFA support (disabled by default) #736

…dd_enable_add_disable

…dd_db_changes

…into j0_add_enable_add_disable

…se/gotrue into j0_add_enable_add_disable

…ase/gotrue into j0_generate_recovery_codes

Add DB changes

Add Enable and Disable toggles

Generate Recovery Codes

Add Enroll endpoint

Add Challenge Factor

Add Verify endpoint

MFA fixes

On a not-so-good laptop, a full test run went from ~90seconds to less than 10. Three independent changes were made: 1 - In TruncateAll, use `delete from` instead of `truncate`. While truncate is faster for large tables, for small tables, it has considerably more overhead (my understanding is that delete just flags the tuple as dead, whereas truncate involves a vacuum-like operation). 2 - In tests, use bcrypt.MinCost instead of bcrypt.DefaultCost 3 - Use a 10 millisecond timeout, instead of 1 second timeout, for TestHookTimeout

This reverts commit c65c136.

Strip out Enable/Disable

…observed" This reverts commit 5374da8.

Refactor MFA Routes

Add MFA Unenroll endpoint

…n_delete_endpoints

Completely Remove notion of MFAEnabled

Admin Delete and Get endpoints

refactor: remove /recovery_codes endpoint

Minor MFA fixes

feat: add update factor admin endpoint

Remove created_at field

Reintroduce notion of MFAEnabled

* feat: add session fields * fix: handle terr * fix: change column name Co-authored-by: joel@joellee.org <joel@joellee.org>

* test: check for unverified case * refactor: move constants into models layer * chore: test semantic release * chore: update comment Co-authored-by: joel@joellee.org <joel@joellee.org>

* initial commit * chore:add qrcodesize param * refactor: strip our QRCodeSize, undo session changes Co-authored-by: joel@joellee.org <joel@joellee.org>

* refactor: cherry pick onto separate branch * fix: update recovery code files * feat: cherry-pick partial changes from stepup login branch * Update models/recovery_code.go Co-authored-by: joel@joellee.org <joel@joellee.org>

…equirement

* refactor: `TruncateAll` for better readability (#650) * Remove unused GenerateEmailOtp function (#655) * Remove unused function * chore: remove helper function * Update crypto.go * refactor: configuration with validation (#648) * feat: use proper ip address (#649) * refactor: add `GrantParams` for issuing refresh tokens (#659) * fix: remove instance.go Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com> Co-authored-by: joel@joellee.org <joel@joellee.org>

…thentication check

…unenrolled

…enge

* refactor enroll * fix: omit user, user_id & empty friendly_name from response

* fix: remove belongs to association on factor * fix: extract issueRefreshToken logic for MFA * test:reinstate tests * fix: revert changes which introduce updateMFASessionAndClaims * Revert "fix: remove belongs to association on factor" This reverts commit 10057f7. Co-authored-by: joel@joellee.org <joel@joellee.org>

* fix: remove belongs to association on factor * fix: extract issueRefreshToken logic for MFA * test:reinstate tests * fix: revert changes which introduce updateMFASessionAndClaims * Revert "fix: remove belongs to association on factor" This reverts commit 10057f7. * fix: resolve staticcheck errors, remove unused code Co-authored-by: joel@joellee.org <joel@joellee.org>

* fix: add rate limiters * chore: add conf * chore: run gofmt * fix: add max enrolled factors * refactor: remove requireAuthentication * fix: merge challenge and verify rate limits Co-authored-by: joel@joellee.org <joel@joellee.org>

* fix: remove belongs to association on factor * fix: extract issueRefreshToken logic for MFA * refactor: lowercase totp and rename totp_secret to secret to be more generic * refactor: remove disabled state * refactor: rename err -> terr * Revert "refactor: remove disabled state" This reverts commit bce773d. * Revert "refactor: lowercase totp and rename totp_secret to secret to be more generic" This reverts commit 2b6920f. * Revert "fix: extract issueRefreshToken logic for MFA" This reverts commit 2dbd47c. * Revert "fix: remove belongs to association on factor" This reverts commit 10057f7. Co-authored-by: joel@joellee.org <joel@joellee.org>

* patch: merge master into v1 * chore: run gofmt * refactor: rename TOTPSecret->Secret * fix: adjust application code to align with db schema Co-authored-by: joel@joellee.org <joel@joellee.org>

Co-authored-by: joel@joellee.org <joel@joellee.org>

* inital fixes * Update api/mfa.go * fix: rename FactorStates Co-authored-by: joel@joellee.org <joel@joellee.org>

* refactor: change json.NewDecoder -> getBodyBytes * refactor: update admin to use getBodyBytes * fix: update comments * fix: patch error message Co-authored-by: joel@joellee.org <joel@joellee.org>

…r status (#733) * refactor: change json.NewDecoder -> getBodyBytes * refactor: update admin to use getBodyBytes * fix: update comments * fix: patch error message * refactor: remove FindFactorByFriendlyName * chore: update error messages * fix: refactor unenroll test * fix: patch staticcheck * fix: patch stray staticcheck error * refactor: add test case for unverified factor * fix: correct error naming and adjust error messages Co-authored-by: joel@joellee.org <joel@joellee.org>

Co-authored-by: joel@joellee.org <joel@joellee.org>

* fix: remove belongs to association on factor * fix: extract issueRefreshToken logic for MFA * chore: run gofmt * fix: downgrade other sessions instead of deleting them * refactor: convert all aal hardcoded strings to use enum * fix: update AAL Calcuation to not duplicate claims * fix: reinstate auth_test * fix: move downgrade to be a method on factor struct * refactor: merge factor and AAL update methods * refactor: change mfa_constants to enum * refactor: change signInMethod to Enum * refactor: change hardcoded strings to test constants * refactor: rename secondary session variables * test: add check that unenrolling clears factorID from assoc session * refactor: remove unused structs * refactor: nit changes (#694) * refactor: validate totp only if challenge isn't expired * refactor: better error handling * refactor: read from DB session instead of JWT token * refactor: remove outdated test * test: add tests for calculate AAL and AMR * fix: add test to ensure claims are not duplicated * fix: add ordering condition * refactor: rename signInMethod to authenticationMethod * fix: change verify bad code return from 401->400 * chore: run gofmt * fix: re-read association from session * refactor: change methods using enum types to AuthenticationMethod * fix: change more functions to take in enum * test: add integration tests * test: add test to check AAL maintainance * fix: add test for refresh token rotation * chore: fix staticcheck * refactor: move sessionID calculation out from transaction * refactor: remove authentication method map * refactor: remove additional CalculateAALAndAMR * fix: remove requirement for tokens to be not revoked * Apply suggestions from code review Co-authored-by: Kang Ming <kang.ming1996@gmail.com> * fix: gofmt, refactor return type for enrollfactor * refactor: add comments to clarify tests, remove unused codew * fix: add index to refresh_token * refactor: minor renaming and add check on qrcode contents * fix: replace expires in to default expiry * fix: update unverified factor test Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Kang Ming <kang.ming1996@gmail.com>

* refactor: explicitly name structs * refactor: add explicit tags to user and phone * refactor: add admin related tags Co-authored-by: joel@joellee.org <joel@joellee.org>

…742) * fix: trigger token swap to ensure token is latest one * test: add additional test to check 2FA followed by 1FA sign in * Update api/token.go Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com> * Revert "Update api/token.go" This reverts commit f6aa576. * refactor: reduce number of params needed * refactor: move FindSessionByUserID to tests * Revert "refactor: move FindSessionByUserID to tests" This reverts commit 3b56457. Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>

* fix: add initial flags on tests * fix: add MFA_ENABLED flag to tests * fix: checks in test admin * fix: add enabled flag * fix: properly make use of config * fix: remove stray env var addition * feat: initial prefixing * fix: prefix mfa related tests * Update models/refresh_token.go Co-authored-by: Kang Ming <kang.ming1996@gmail.com> * fix: update comparison checks at * chore: MFA_ENABLED->GOTRUE_MFA_ENABLED Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Kang Ming <kang.ming1996@gmail.com>

* refactor: add unenroll factor response * refactor: remove /user/<prefix> route for mfa

* feat: add mfa indexes * Update models/amr.go Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com> * Update migrations/20221011041400_add_mfa_indexes.up.sql Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com> Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>

* refactor: rename errors * fix: add aal2 check * refactor: simplify amr claims * fix: add additional test for unenrolling verified factors * Apply suggestions from code review Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com> Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>

Co-authored-by: joel@joellee.org <joel@joellee.org>

* refactor: remove requirement for code in order to unenroll * test: add sanity checks for secret leakage * fix: update status codes for unenroll factor Co-authored-by: joel@joellee.org <joel@joellee.org>

Commits on Jun 29, 2022

fix: update db schema

joel@joellee.org committed Jun 29, 2022

Configuration menu

View commit details

Copy full SHA for d26c628

Browse repository at this point

Copy the full SHA

d26c628 View commit details

Browse the repository at this point in the history

Commits on Aug 6, 2022

refactor: make issuer mandatory

joel@joellee.org committed Aug 6, 2022

Configuration menu

View commit details

Copy full SHA for a4af59f

Browse repository at this point

Copy the full SHA

a4af59f View commit details

Browse the repository at this point in the history

Commits on Sep 5, 2022

refactor: remove stepup login

joel@joellee.org committed Sep 5, 2022

Configuration menu

View commit details

Copy full SHA for aba96e4

Browse repository at this point

Copy the full SHA

aba96e4 View commit details

Browse the repository at this point in the history

feat: add MFA support (disabled by default) #736

feat: add MFA support (disabled by default) #736

Commits on Jun 14, 2022

Commits on Jun 15, 2022

Commits on Jun 16, 2022

Commits on Jun 17, 2022

Commits on Jun 20, 2022

Commits on Jun 21, 2022

Commits on Jun 22, 2022

Commits on Jun 29, 2022

Commits on Jun 30, 2022

Commits on Jul 1, 2022

Commits on Jul 2, 2022

Commits on Jul 3, 2022

Commits on Jul 4, 2022

Commits on Jul 5, 2022

Commits on Jul 11, 2022

Commits on Jul 12, 2022

Commits on Jul 19, 2022

Commits on Jul 20, 2022

Commits on Jul 21, 2022

Commits on Jul 26, 2022

Commits on Jul 27, 2022

Commits on Jul 28, 2022

Commits on Jul 29, 2022

Commits on Aug 1, 2022

Commits on Aug 2, 2022

Commits on Aug 3, 2022

Commits on Aug 6, 2022

Commits on Aug 8, 2022

Commits on Aug 9, 2022

Commits on Aug 10, 2022

Commits on Aug 28, 2022

Commits on Aug 29, 2022

Commits on Aug 30, 2022

Commits on Aug 31, 2022

Commits on Sep 1, 2022

Commits on Sep 2, 2022

Commits on Sep 5, 2022

Commits on Sep 6, 2022

Commits on Sep 7, 2022

Commits on Sep 8, 2022

Commits on Sep 9, 2022

Commits on Sep 11, 2022

Commits on Sep 12, 2022

Commits on Sep 13, 2022

Commits on Sep 14, 2022

Commits on Sep 15, 2022

Commits on Sep 16, 2022

Commits on Sep 19, 2022

Commits on Sep 23, 2022

Commits on Sep 26, 2022

Commits on Oct 3, 2022

Commits on Oct 4, 2022

Commits on Oct 5, 2022

Commits on Oct 10, 2022

Commits on Oct 11, 2022

Commits on Oct 12, 2022

Commits on Oct 17, 2022

Commits on Oct 18, 2022