Merge pull request #747 from code0-tech/689-expose-mfa-status-for-admins-and-self-user

Expose mfa status for admin and self-users

Author: Taucher2003

app/graphql/types/mfa_status_type.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Types
+  class MfaStatusType < Types::BaseObject
+    description 'Represents the MFA status of a user'
+
+    authorize :read_mfa_status
+
+    field :enabled, Boolean, null: false,
+                             description: 'Indicates whether MFA is enabled for the user.'
+
+    field :totp_enabled, Boolean, null: false,
+                                  description: 'Indicates whether TOTP MFA is enabled for the user.'
+
+    field :backup_codes_count, Integer, null: false,
+                                        description: 'The number of backup codes remaining for the user.'
+  end
+end

app/graphql/types/user_type.rb

@@ -41,6 +41,10 @@ class UserType < Types::BaseObject
           description: 'Identities of this user',
           method: :user_identities
 
+    field :mfa_status, Types::MfaStatusType,
+          null: true,
+          description: 'Multi-factor authentication status of this user'
+
     lookahead_field :namespace_memberships,
                     base_scope: ->(object) { object.namespace_memberships },
                     conditional_lookaheads: { user: :user, namespace: { namespace: :namespace_members } }
@@ -58,5 +62,13 @@ def avatar_path
 
       Rails.application.routes.url_helpers.rails_storage_proxy_path object.avatar
     end
+
+    def mfa_status
+      {
+        enabled: object.mfa_enabled?,
+        totp_enabled: object.totp_secret.present?,
+        backup_codes_count: object.backup_codes.size,
+      }
+    end
   end
 end

app/policies/user_policy.rb

@@ -14,6 +14,7 @@ class UserPolicy < BasePolicy
     enable :read_email
     enable :delete_user
     enable :read_admin_status
+    enable :read_mfa_status
   end
 
   rule { admin_status_visible & ~anonymous }.enable :read_admin_status
@@ -26,5 +27,6 @@ class UserPolicy < BasePolicy
     enable :verify_email
     enable :send_verification_email
     enable :read_email
+    enable :read_mfa_status
   end
 end

docs/graphql/object/mfastatus.md

@@ -0,0 +1,14 @@
+---
+title: MfaStatus
+---
+
+Represents the MFA status of a user
+
+## Fields without arguments
+
+| Name | Type | Description |
+|------|------|-------------|
+| `backupCodesCount` | [`Int!`](../scalar/int.md) | The number of backup codes remaining for the user. |
+| `enabled` | [`Boolean!`](../scalar/boolean.md) | Indicates whether MFA is enabled for the user. |
+| `totpEnabled` | [`Boolean!`](../scalar/boolean.md) | Indicates whether TOTP MFA is enabled for the user. |
+

docs/graphql/object/user.md

@@ -17,6 +17,7 @@ Represents a user
 | `id` | [`UserID!`](../scalar/userid.md) | Global ID of this User |
 | `identities` | [`UserIdentityConnection!`](../object/useridentityconnection.md) | Identities of this user |
 | `lastname` | [`String`](../scalar/string.md) | Lastname of the user |
+| `mfaStatus` | [`MfaStatus`](../object/mfastatus.md) | Multi-factor authentication status of this user |
 | `namespace` | [`Namespace`](../object/namespace.md) | Namespace of this user |
 | `namespaceMemberships` | [`NamespaceMemberConnection!`](../object/namespacememberconnection.md) | Namespace Memberships of this user |
 | `sessions` | [`UserSessionConnection!`](../object/usersessionconnection.md) | Sessions of this user |

spec/graphql/types/mfa_status_type_spec.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe SagittariusSchema.types['MfaStatus'] do
+  let(:fields) do
+    %w[
+      enabled
+      totpEnabled
+      backupCodesCount
+    ]
+  end
+
+  it { expect(described_class.graphql_name).to eq('MfaStatus') }
+  it { expect(described_class).to have_graphql_fields(fields) }
+  it { expect(described_class).to require_graphql_authorizations(:read_mfa_status) }
+end

spec/graphql/types/user_type_spec.rb

@@ -17,6 +17,7 @@
       emailVerifiedAt
       sessions
       identities
+      mfaStatus
       userAbilities
       createdAt
       updatedAt