Add admin calls for MFA (#105)

michaelschattgen · web-flow · commit 7d763ddd205b · 2024-07-26T10:35:06.000-05:00
diff --git a/Gotrue/AdminClient.cs b/Gotrue/AdminClient.cs
@@ -3,6 +3,7 @@
 using System.Threading.Tasks;
 using Newtonsoft.Json;
 using Supabase.Gotrue.Interfaces;
+using Supabase.Gotrue.Mfa;
 using Supabase.Gotrue.Responses;
 
 namespace Supabase.Gotrue
@@ -99,6 +100,7 @@ public async Task<bool> DeleteUser(string uid)
 		{
 			return _api.UpdateUserById(_serviceKey, userId, userData);
 		}
+
 		/// <inheritdoc />
 		public async Task<GenerateLinkResponse?> GenerateLink(GenerateLinkOptions options)
 		{
@@ -112,6 +114,29 @@ public async Task<bool> DeleteUser(string uid)
 			 return result;
 		}
 
+		/// <inheritdoc />
+		public async Task<MfaAdminListFactorsResponse?> ListFactors(MfaAdminListFactorsParams listFactorsParams)
+		{
+			var response = await _api.ListFactors(_serviceKey, listFactorsParams);
+			response.ResponseMessage?.EnsureSuccessStatusCode();
+
+			if (response.Content is null)
+				return null;
+
+			var result = JsonConvert.DeserializeObject<List<Factor>>(response.Content);
+			var listFactorsResponse = new MfaAdminListFactorsResponse
+			{
+				Factors = result
+			};
+
+			return listFactorsResponse;
+		}
+
+		public async Task<MfaAdminDeleteFactorResponse?> DeleteFactor(MfaAdminDeleteFactorParams deleteFactorParams)
+		{
+			return await _api.DeleteFactor(_serviceKey, deleteFactorParams);
+		}
+
 		/// <inheritdoc />
 		public async Task<User?> Update(UserAttributes attributes)
 		{
diff --git a/Gotrue/Api.cs b/Gotrue/Api.cs
@@ -577,6 +577,18 @@ public ProviderAuthState GetUriForProvider(Provider provider, SignInOptions? opt
 			return Helpers.MakeRequest<MfaUnenrollResponse>(HttpMethod.Delete, $"{Url}/factors/{mfaUnenrollParams.FactorId}", null, CreateAuthedRequestHeaders(jwt));
 		}
 
+		/// <inheritdoc />
+		public Task<BaseResponse> ListFactors(string jwt, MfaAdminListFactorsParams listFactorsParams)
+		{
+			return Helpers.MakeRequest(HttpMethod.Get, $"{Url}/admin/users/{listFactorsParams.UserId}/factors", null, CreateAuthedRequestHeaders(jwt));
+		}
+
+		/// <inheritdoc />
+		public Task<MfaAdminDeleteFactorResponse?> DeleteFactor(string jwt, MfaAdminDeleteFactorParams deleteFactorParams)
+		{
+			return Helpers.MakeRequest<MfaAdminDeleteFactorResponse>(HttpMethod.Delete, $"{Url}/admin/users/{deleteFactorParams.UserId}/factors/{deleteFactorParams.Id}", null, CreateAuthedRequestHeaders(jwt));
+		}
+
 		/// <inheritdoc />
 		public async Task<ProviderAuthState> LinkIdentity(string token, Provider provider, SignInOptions options)
 		{
diff --git a/Gotrue/Interfaces/IGotrueAdminClient.cs b/Gotrue/Interfaces/IGotrueAdminClient.cs
@@ -1,6 +1,7 @@
 using System.Threading.Tasks;
 using Supabase.Core.Attributes;
 using Supabase.Core.Interfaces;
+using Supabase.Gotrue.Mfa;
 using Supabase.Gotrue.Responses;
 
 namespace Supabase.Gotrue.Interfaces
@@ -91,5 +92,19 @@ public interface IGotrueAdminClient<TUser> : IGettableHeaders
 		/// <param name="options">Options for this call. `Password` is required for <see cref="GenerateLinkOptions.LinkType.SignUp"/>, `Data` is an optional parameter for <see cref="GenerateLinkOptions.LinkType.SignUp"/>.</param>
 		/// <returns></returns>
 		public Task<GenerateLinkResponse?> GenerateLink(GenerateLinkOptions options);
+
+		/// <summary>
+		/// Lists all factors associated to a specific user.
+		/// </summary>
+		/// <param name="listFactorParams">A <see cref="MfaAdminListFactorsParams"/> object that contains the user id.</param>
+		/// <returns>A list of <see cref="Factor"/> that this user has enabled.</returns>
+		public Task<MfaAdminListFactorsResponse?> ListFactors(MfaAdminListFactorsParams listFactorsParams);
+
+		/// <summary>
+		/// Deletes a factor on a user. This will log the user out of all active sessions if the deleted factor was verified.
+		/// </summary>
+		/// <param name="listFactorParams">A <see cref="MfaAdminListFactorsParams"/> object that contains the user id.</param>
+		/// <returns>A <see cref="MfaAdminDeleteFactorResponse"/> containing the deleted factor id.</returns>
+		public Task<MfaAdminDeleteFactorResponse?> DeleteFactor(MfaAdminDeleteFactorParams deleteFactorParams);
 	}
 }
diff --git a/Gotrue/Interfaces/IGotrueApi.cs b/Gotrue/Interfaces/IGotrueApi.cs
@@ -49,6 +49,8 @@ public interface IGotrueApi<TUser, TSession> : IGettableHeaders
 		Task<MfaChallengeResponse?> Challenge(string jwt, MfaChallengeParams mfaChallengeParams);
 		Task<MfaVerifyResponse?> Verify(string jwt, MfaVerifyParams mfaVerifyParams);
 		Task<MfaUnenrollResponse?> Unenroll(string jwt, MfaUnenrollParams mfaVerifyParams);
+		Task<BaseResponse> ListFactors(string jwt, MfaAdminListFactorsParams listFactorsParams);
+		Task<MfaAdminDeleteFactorResponse?> DeleteFactor(string jwt, MfaAdminDeleteFactorParams deleteFactorParams);
 
 		/// <summary>
 		/// Links an oauth identity to an existing user.
diff --git a/Gotrue/Mfa/MfaAdminDeleteFactorParams.cs b/Gotrue/Mfa/MfaAdminDeleteFactorParams.cs
@@ -0,0 +1,11 @@
+﻿namespace Supabase.Gotrue.Mfa
+{
+	public class MfaAdminDeleteFactorParams
+	{
+		// Id of the MFA factor to delete
+		public string Id { get; set; }
+
+		// Id of the user whose factor is being deleted
+		public string UserId { get; set; }
+	}
+}
diff --git a/Gotrue/Mfa/MfaAdminDeleteFactorResponse.cs b/Gotrue/Mfa/MfaAdminDeleteFactorResponse.cs
@@ -0,0 +1,11 @@
+﻿using System.Text.Json.Serialization;
+
+namespace Supabase.Gotrue.Mfa
+{
+	public class MfaAdminDeleteFactorResponse
+	{
+		// Id of the factor that was successfully deleted
+		[JsonPropertyName("id")]
+		public string Id { get; set; }
+	}
+}
diff --git a/Gotrue/Mfa/MfaAdminListFactorsParams.cs b/Gotrue/Mfa/MfaAdminListFactorsParams.cs
@@ -0,0 +1,8 @@
+﻿namespace Supabase.Gotrue.Mfa
+{
+	public class MfaAdminListFactorsParams
+	{
+		// Id of the user
+		public string UserId { get; set; }
+	}
+}
diff --git a/Gotrue/Mfa/MfaAdminListFactorsResponse.cs b/Gotrue/Mfa/MfaAdminListFactorsResponse.cs
@@ -0,0 +1,10 @@
+﻿using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Supabase.Gotrue.Mfa
+{
+	public class MfaAdminListFactorsResponse
+	{
+		public List<Factor> Factors { get; set; } = new List<Factor>();
+	}
+}
diff --git a/GotrueTests/MfaClientTests.cs b/GotrueTests/MfaClientTests.cs
@@ -19,11 +19,15 @@ namespace GotrueTests;
 public class MfaClientTests
 {
 	private IGotrueClient<User, Session> _client;
+	private IGotrueAdminClient<User> _adminClient;
+
+	private readonly string _serviceKey = GenerateServiceRoleToken();
 
 	[TestInitialize]
 	public void TestInitializer()
 	{
 		_client = new Client(new ClientOptions { AllowUnconfirmedUserSessions = true });
+		_adminClient = new AdminClient(_serviceKey, new ClientOptions { AllowUnconfirmedUserSessions = true });
 	}
 
 	[TestMethod("MFA: Complete flow")]
@@ -103,6 +107,86 @@ await _client.ChallengeAndVerify(new MfaChallengeAndVerifyParams
 		IsTrue(factors.Totp.Count == 0);
 	}
 
+	[TestMethod("MFA Admin: List factors for user")]
+	public async Task MfaAdminListFactorsForUser()
+	{
+		var email = $"{RandomString(12)}@supabase.io";
+		var session = await _client.SignUp(email, PASSWORD);
+		VerifyGoodSession(session);
+
+		var mfaEnrollParams = new MfaEnrollParams
+		{
+			Issuer = "Supabase",
+			FactorType = "totp",
+			FriendlyName = "Enroll test"
+		};
+
+		var enrollResponse = await _client.Enroll(mfaEnrollParams);
+		IsNotNull(enrollResponse.Id);
+
+		var factors = await _adminClient.ListFactors(new MfaAdminListFactorsParams
+		{
+			UserId = session.User.Id
+		});
+		IsNotNull(factors);
+		AreEqual(1, factors.Factors.Count);
+		AreEqual(enrollResponse.Id, factors.Factors.FirstOrDefault().Id);
+		AreEqual("unverified", factors.Factors.FirstOrDefault().Status);
+
+		var totpCode = TotpGenerator.GeneratePin(enrollResponse.Totp.Secret, 30, 6);
+		await _client.ChallengeAndVerify(new MfaChallengeAndVerifyParams
+		{
+			FactorId = enrollResponse.Id,
+			Code = totpCode
+		});
+
+		factors = await _adminClient.ListFactors(new MfaAdminListFactorsParams
+		{
+			UserId = session.User.Id
+		});
+		IsNotNull(factors);
+		AreEqual(1, factors.Factors.Count);
+		AreEqual(enrollResponse.Id, factors.Factors.FirstOrDefault().Id);
+		AreEqual("verified", factors.Factors.FirstOrDefault().Status);
+	}
+
+	[TestMethod("MFA Admin: Delete factor for user")]
+	public async Task MfaAdminDeleteFactorForUser()
+	{
+		var email = $"{RandomString(12)}@supabase.io";
+		var session = await _client.SignUp(email, PASSWORD);
+		VerifyGoodSession(session);
+
+		var mfaEnrollParams = new MfaEnrollParams
+		{
+			Issuer = "Supabase",
+			FactorType = "totp",
+			FriendlyName = "Enroll test"
+		};
+
+		var enrollResponse = await _client.Enroll(mfaEnrollParams);
+		IsNotNull(enrollResponse.Id);
+
+		var listFactors = await _adminClient.ListFactors(new MfaAdminListFactorsParams
+		{
+			UserId = session.User.Id
+		});
+		AreEqual(1, listFactors.Factors.Count);
+
+		var deleteFactorResponse = await _adminClient.DeleteFactor(new MfaAdminDeleteFactorParams
+		{
+			Id = enrollResponse.Id,
+			UserId = session.User.Id
+		});
+		AreEqual(enrollResponse.Id, deleteFactorResponse.Id);
+
+		listFactors = await _adminClient.ListFactors(new MfaAdminListFactorsParams
+		{
+			UserId = session.User.Id
+		});
+		AreEqual(0, listFactors.Factors.Count);
+	}
+
 	[TestMethod("MFA: Invalid TOTP")]
 	public async Task MfaInvalidTotp()
 	{
