feat: add MFA support (disabled by default)

api/admin.go

@@ -29,6 +29,11 @@ type AdminUserParams struct {
 	BanDuration  string                 `json:"ban_duration"`
 }
 
+type adminUserUpdateFactorParams struct {
+	FriendlyName string `json:"friendly_name"`
+	FactorType   string `json:"factor_type"`
+}
+
 type AdminListUsersResponse struct {
 	Users []*models.User `json:"users"`
 	Aud   string         `json:"aud"`
@@ -56,6 +61,24 @@ func (a *API) loadUser(w http.ResponseWriter, r *http.Request) (context.Context,
 	return withUser(ctx, u), nil
 }
 
+func (a *API) loadFactor(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+	factorID, err := uuid.FromString(chi.URLParam(r, "factor_id"))
+	if err != nil {
+		return nil, badRequestError("factor_id must be an UUID")
+	}
+
+	observability.LogEntrySetField(r, "factor_id", factorID)
+
+	f, err := models.FindFactorByFactorID(a.db, factorID)
+	if err != nil {
+		if models.IsNotFoundError(err) {
+			return nil, notFoundError("Factor not found")
+		}
+		return nil, internalServerError("Database error loading factor").WithInternalError(err)
+	}
+	return withFactor(r.Context(), f), nil
+}
+
 func (a *API) getAdminParams(r *http.Request) (*AdminUserParams, error) {
 	params := AdminUserParams{}
 
@@ -378,3 +401,90 @@ func (a *API) adminUserDelete(w http.ResponseWriter, r *http.Request) error {
 
 	return sendJSON(w, http.StatusOK, map[string]interface{}{})
 }
+
+func (a *API) adminUserDeleteFactor(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	user := getUser(ctx)
+	factor := getFactor(ctx)
+
+	MFAEnabled, err := models.IsMFAEnabled(a.db, user)
+	if err != nil {
+		return err
+	} else if !MFAEnabled {
+		return forbiddenError("You do not have a verified factor enrolled")
+	}
+
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		if terr := models.NewAuditLogEntry(r, tx, user, models.DeleteFactorAction, r.RemoteAddr, map[string]interface{}{
+			"user_id":   user.ID,
+			"factor_id": factor.ID,
+		}); terr != nil {
+			return terr
+		}
+		if terr := tx.Destroy(factor); terr != nil {
+			return internalServerError("Database error deleting factor").WithInternalError(terr)
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	return sendJSON(w, http.StatusOK, factor)
+}
+
+func (a *API) adminUserGetFactors(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	user := getUser(ctx)
+	factors, terr := models.FindFactorsByUser(a.db, user)
+	if terr != nil {
+		return terr
+	}
+	return sendJSON(w, http.StatusOK, factors)
+}
+
+// adminUserUpdate updates a single factor object
+func (a *API) adminUserUpdateFactor(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+	factor := getFactor(ctx)
+	user := getUser(ctx)
+	adminUser := getAdminUser(ctx)
+	params := &adminUserUpdateFactorParams{}
+	body, err := getBodyBytes(r)
+	if err != nil {
+		return badRequestError("Could not read body").WithInternalError(err)
+	}
+
+	if err := json.Unmarshal(body, params); err != nil {
+		return badRequestError("Could not read factor update params: %v", err)
+	}
+
+	err = a.db.Transaction(func(tx *storage.Connection) error {
+		if params.FriendlyName != "" {
+			if terr := factor.UpdateFriendlyName(tx, params.FriendlyName); terr != nil {
+				return terr
+			}
+		}
+		if params.FactorType != "" {
+			if params.FactorType != models.TOTP {
+				return badRequestError("Factor Type not valid")
+			}
+			if terr := factor.UpdateFactorType(tx, params.FactorType); terr != nil {
+				return terr
+			}
+		}
+
+		if terr := models.NewAuditLogEntry(r, tx, adminUser, models.UpdateFactorAction, "", map[string]interface{}{
+			"user_id":     user.ID,
+			"factor_id":   factor.ID,
+			"factor_type": factor.FactorType,
+		}); terr != nil {
+			return terr
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return sendJSON(w, http.StatusOK, factor)
+}

api/admin_test.go

@@ -519,3 +519,113 @@ func (ts *AdminTestSuite) TestAdminUserCreateWithDisabledLogin() {
 		})
 	}
 }
+
+// TestAdminUserDeleteFactor tests API /admin/users/<user_id>/factor/<factor_id>/
+func (ts *AdminTestSuite) TestAdminUserDeleteFactor() {
+	if !ts.API.config.MFA.Enabled {
+		return
+	}
+	u, err := models.NewUser("123456789", "test-delete@example.com", "test", ts.Config.JWT.Aud, nil)
+	require.NoError(ts.T(), err, "Error making new user")
+	require.NoError(ts.T(), ts.API.db.Create(u), "Error creating user")
+
+	f, err := models.NewFactor(u, "testSimpleName", models.TOTP, models.FactorStateVerified, "secretkey")
+
+	require.NoError(ts.T(), err, "Error creating test factor model")
+	require.NoError(ts.T(), ts.API.db.Create(f), "Error saving new test factor")
+
+	// Setup request
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("/admin/users/%s/factor/%s/", u.ID, f.ID), nil)
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+
+	ts.API.handler.ServeHTTP(w, req)
+	require.Equal(ts.T(), http.StatusOK, w.Code)
+
+	_, err = models.FindFactorByFactorID(ts.API.db, f.ID)
+	require.EqualError(ts.T(), err, models.FactorNotFoundError{}.Error())
+
+}
+
+// TestAdminUserGetFactor tests API /admin/user/<user_id>/factors/
+func (ts *AdminTestSuite) TestAdminUserGetFactors() {
+	if !ts.API.config.MFA.Enabled {
+		return
+	}
+	u, err := models.NewUser("123456789", "test-delete@example.com", "test", ts.Config.JWT.Aud, nil)
+	require.NoError(ts.T(), err, "Error making new user")
+	require.NoError(ts.T(), ts.API.db.Create(u), "Error creating user")
+
+	f, err := models.NewFactor(u, "testSimpleName", models.TOTP, models.FactorStateUnverified, "secretkey")
+	require.NoError(ts.T(), err, "Error creating test factor model")
+	require.NoError(ts.T(), ts.API.db.Create(f), "Error saving new test factor")
+
+	// Setup request
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/admin/users/%s/factor/", u.ID), nil)
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+
+	ts.API.handler.ServeHTTP(w, req)
+	require.Equal(ts.T(), http.StatusOK, w.Code)
+	getFactorsResp := []*models.Factor{}
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&getFactorsResp))
+	require.Equal(ts.T(), getFactorsResp[0].Secret, nil)
+}
+
+func (ts *AdminTestSuite) TestAdminUserUpdateFactor() {
+	if !ts.API.config.MFA.Enabled {
+		return
+	}
+	u, err := models.NewUser("123456789", "test-delete@example.com", "test", ts.Config.JWT.Aud, nil)
+	require.NoError(ts.T(), err, "Error making new user")
+	require.NoError(ts.T(), ts.API.db.Create(u), "Error creating user")
+
+	f, err := models.NewFactor(u, "testSimpleName", models.TOTP, models.FactorStateUnverified, "secretkey")
+	require.NoError(ts.T(), err, "Error creating test factor model")
+	require.NoError(ts.T(), ts.API.db.Create(f), "Error saving new test factor")
+
+	var cases = []struct {
+		Desc         string
+		FactorData   map[string]interface{}
+		ExpectedCode int
+	}{
+		{
+			Desc: "Update Factor friendly name",
+			FactorData: map[string]interface{}{
+				"friendly_name": "john",
+			},
+			ExpectedCode: http.StatusOK,
+		},
+		{
+			Desc: "Update factor: valid factor type",
+			FactorData: map[string]interface{}{
+				"friendly_name": "john",
+				"factor_type":   models.TOTP,
+			},
+			ExpectedCode: http.StatusOK,
+		},
+		{
+			Desc: "Update factor: invalid factor",
+			FactorData: map[string]interface{}{
+				"factor_type": "invalid_factor",
+			},
+			ExpectedCode: http.StatusBadRequest,
+		},
+	}
+
+	// Initialize factor data
+	for _, c := range cases {
+		ts.Run(c.Desc, func() {
+			var buffer bytes.Buffer
+			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(c.FactorData))
+			w := httptest.NewRecorder()
+			req := httptest.NewRequest(http.MethodPut, fmt.Sprintf("/admin/users/%s/factor/%s/", u.ID, f.ID), &buffer)
+			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+			ts.API.handler.ServeHTTP(w, req)
+			require.Equal(ts.T(), c.ExpectedCode, w.Code)
+		})
+	}
+
+}

api/api.go

@@ -130,6 +130,26 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 			r.With(sharedLimiter).Put("/", api.UserUpdate)
 		})
 
+		if api.config.MFA.Enabled {
+			r.With(api.requireAuthentication).Route("/factors", func(r *router) {
+				r.Post("/", api.EnrollFactor)
+				r.Route("/{factor_id}", func(r *router) {
+					r.Use(api.loadFactor)
+
+					r.With(api.limitHandler(
+						tollbooth.NewLimiter(api.config.MFA.RateLimitChallengeAndVerify/60, &limiter.ExpirableOptions{
+							DefaultExpirationTTL: time.Minute,
+						}).SetBurst(30))).Post("/verify", api.VerifyFactor)
+					r.With(api.limitHandler(
+						tollbooth.NewLimiter(api.config.MFA.RateLimitChallengeAndVerify/60, &limiter.ExpirableOptions{
+							DefaultExpirationTTL: time.Minute,
+						}).SetBurst(30))).Post("/challenge", api.ChallengeFactor)
+					r.Delete("/", api.UnenrollFactor)
+
+				})
+			})
+		}
+
 		r.Route("/admin", func(r *router) {
 			r.Use(api.requireAdminCredentials)
 
@@ -143,6 +163,16 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 
 				r.Route("/{user_id}", func(r *router) {
 					r.Use(api.loadUser)
+					if api.config.MFA.Enabled {
+						r.Route("/factors", func(r *router) {
+							r.Get("/", api.adminUserGetFactors)
+							r.Route("/{factor_id}", func(r *router) {
+								r.Use(api.loadFactor)
+								r.Delete("/", api.adminUserDeleteFactor)
+								r.Put("/", api.adminUserUpdateFactor)
+							})
+						})
+					}
 
 					r.Get("/", api.adminUserGet)
 					r.Put("/", api.adminUserUpdate)
@@ -156,7 +186,7 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 
 	corsHandler := cors.New(cors.Options{
 		AllowedMethods:   []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", audHeaderName, useCookieHeader},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-Client-IP", "X-Client-Info", audHeaderName, useCookieHeader},
 		AllowCredentials: true,
 	})
 

api/audit_test.go

@@ -48,7 +48,13 @@ func (ts *AuditTestSuite) makeSuperAdmin(email string) string {
 
 	u.Role = "supabase_admin"
 
-	token, err := generateAccessToken(u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	var token string
+	if ts.Config.MFA.Enabled {
+		token, err = MFA_generateAccessToken(ts.API.db, u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	} else {
+		token, err = generateAccessToken(u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+
+	}
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}

api/auth_test.go

@@ -76,7 +76,13 @@ func (ts *AuthTestSuite) TestMaybeLoadUserOrSession() {
 	u, err := models.FindUserByEmailAndAudience(ts.API.db, "test@example.com", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
 
-	s, err := models.CreateSession(ts.API.db, u)
+	var s *models.Session
+	if ts.Config.MFA.Enabled {
+		s, err = models.MFA_CreateSession(ts.API.db, u, &uuid.Nil)
+	} else {
+		s, err = models.CreateSession(ts.API.db, u)
+
+	}
 	require.NoError(ts.T(), err)
 
 	cases := []struct {

api/context.go

@@ -20,6 +20,7 @@ const (
 	signatureKey            = contextKey("signature")
 	externalProviderTypeKey = contextKey("external_provider_type")
 	userKey                 = contextKey("user")
+	factorKey               = contextKey("factor")
 	sessionKey              = contextKey("session")
 	externalReferrerKey     = contextKey("external_referrer")
 	functionHooksKey        = contextKey("function_hooks")
@@ -71,6 +72,11 @@ func withUser(ctx context.Context, u *models.User) context.Context {
 	return context.WithValue(ctx, userKey, u)
 }
 
+// with Factor adds the factor id to the context.
+func withFactor(ctx context.Context, f *models.Factor) context.Context {
+	return context.WithValue(ctx, factorKey, f)
+}
+
 // getUser reads the user from the context.
 func getUser(ctx context.Context) *models.User {
 	if ctx == nil {
@@ -83,6 +89,15 @@ func getUser(ctx context.Context) *models.User {
 	return obj.(*models.User)
 }
 
+// getFactor reads the factor id from the context
+func getFactor(ctx context.Context) *models.Factor {
+	obj := ctx.Value(factorKey)
+	if obj == nil {
+		return nil
+	}
+	return obj.(*models.Factor)
+}
+
 // withSession adds the session to the context.
 func withSession(ctx context.Context, s *models.Session) context.Context {
 	return context.WithValue(ctx, sessionKey, s)

api/external.go

@@ -278,8 +278,12 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 				}
 			}
 		}
+		if config.MFA.Enabled {
+			token, terr = a.MFA_issueRefreshToken(ctx, tx, user, models.OAuth, grantParams)
+		} else {
+			token, terr = a.issueRefreshToken(ctx, tx, user, grantParams)
+		}
 
-		token, terr = a.issueRefreshToken(ctx, tx, user, grantParams)
 		if terr != nil {
 			return oauthError("server_error", terr.Error())
 		}

api/invite_test.go

@@ -58,7 +58,12 @@ func (ts *InviteTestSuite) makeSuperAdmin(email string) string {
 
 	u.Role = "supabase_admin"
 
-	token, err := generateAccessToken(u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	var token string
+	if ts.API.config.MFA.Enabled {
+		token, err = MFA_generateAccessToken(ts.API.db, u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	} else {
+		token, err = generateAccessToken(u, nil, time.Second*time.Duration(ts.Config.JWT.Exp), ts.Config.JWT.Secret)
+	}
 	require.NoError(ts.T(), err, "Error generating access token")
 
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}