From 6b66cccd02c2589bb2dad38b46f4da7e1455ca0b Mon Sep 17 00:00:00 2001
From: Mani Chandra <84711804+ThisIsMani@users.noreply.github.com>
Date: Tue, 5 Nov 2024 19:13:11 +0530
Subject: [PATCH] feat(users): Add `force_two_factor_auth` environment variable (#6466)

---
 config/config.example.toml | 1 +
 config/deployments/integration_test.toml | 3 ++-
 config/deployments/production.toml | 3 ++-
 config/deployments/sandbox.toml | 1 +
 config/development.toml | 1 +
 config/docker_compose.toml | 1 +
 crates/api_models/src/user.rs | 1 +
 crates/router/src/configs/settings.rs | 1 +
 crates/router/src/core/user.rs | 8 ++++++--
 loadtest/config/development.toml | 1 +
 10 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/config/config.example.toml b/config/config.example.toml
index b1189b51fae..519429123e1 100644
--- a/config/config.example.toml
+++ b/config/config.example.toml
@@ -396,6 +396,7 @@ password_validity_in_days = 90 # Number of days after which password shoul
 two_factor_auth_expiry_in_secs = 300 # Number of seconds after which 2FA should be done again if doing update/change from inside
 totp_issuer_name = "Hyperswitch" # Name of the issuer for TOTP
 base_url = "" # Base url used for user specific redirects and emails
+force_two_factor_auth = false # Whether to force two factor authentication for all users
 
 #tokenization configuration which describe token lifetime and payment method for specific connector
 [tokenization]
diff --git a/config/deployments/integration_test.toml b/config/deployments/integration_test.toml
index 5228f435fcd..529506f53ca 100644
--- a/config/deployments/integration_test.toml
+++ b/config/deployments/integration_test.toml
@@ -139,6 +139,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Integ"
 base_url = "https://integ.hyperswitch.io"
+force_two_factor_auth = false
 
 [frm]
 enabled = true
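Review bot: The comment on the added `force_two_factor_auth` line says only "Whether to force two factor authentication for all users", and since this is the reference config operators copy from it should state what the flag actually changes. From the router hunks in this same patch, setting it to `true` makes the server ignore a caller's request to skip 2FA in `terminate_two_factor_auth` and report `is_skippable = false` in the 2FA status response. Suggest `force_two_factor_auth = false # When true, users cannot skip 2FA: skip requests are ignored and the 2FA status response reports is_skippable = false`. All shipped deployment files in this patch keep it at `false`, so the stricter behaviour is opt-in, and the example file is where a reader should learn that.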
@@ -395,4 +396,4 @@ connector_list = ""
 card_networks = "Visa, AmericanExpress, Mastercard"
 
 [network_tokenization_supported_connectors]
-connector_list = "cybersource"
\ No newline at end of file
+connector_list = "cybersource"
diff --git a/config/deployments/production.toml b/config/deployments/production.toml
index ed2430b266a..61a465a8fb7 100644
--- a/config/deployments/production.toml
+++ b/config/deployments/production.toml
@@ -146,6 +146,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Production"
 base_url = "https://live.hyperswitch.io"
+force_two_factor_auth = false
 
 [frm]
 enabled = false
@@ -409,4 +410,4 @@ connector_list = ""
 card_networks = "Visa, AmericanExpress, Mastercard"
 
 [network_tokenization_supported_connectors]
-connector_list = "cybersource"
\ No newline at end of file
+connector_list = "cybersource"
diff --git a/config/deployments/sandbox.toml b/config/deployments/sandbox.toml
index 3c39f31faec..fb7f8c2e67c 100644
--- a/config/deployments/sandbox.toml
+++ b/config/deployments/sandbox.toml
@@ -146,6 +146,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Sandbox"
 base_url = "https://app.hyperswitch.io"
+force_two_factor_auth = false
 
 [frm]
 enabled = true
diff --git a/config/development.toml b/config/development.toml
index ca4dcb9529e..08524556283 100644
--- a/config/development.toml
+++ b/config/development.toml
@@ -318,6 +318,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Dev"
 base_url = "http://localhost:8080"
+force_two_factor_auth = false
 
 [bank_config.eps]
 stripe = { banks = "arzte_und_apotheker_bank,austrian_anadi_bank_ag,bank_austria,bankhaus_carl_spangler,bankhaus_schelhammer_und_schattera_ag,bawag_psk_ag,bks_bank_ag,brull_kallmus_bank_ag,btv_vier_lander_bank,capital_bank_grawe_gruppe_ag,dolomitenbank,easybank_ag,erste_bank_und_sparkassen,hypo_alpeadriabank_international_ag,hypo_noe_lb_fur_niederosterreich_u_wien,hypo_oberosterreich_salzburg_steiermark,hypo_tirol_bank_ag,hypo_vorarlberg_bank_ag,hypo_bank_burgenland_aktiengesellschaft,marchfelder_bank,oberbank_ag,raiffeisen_bankengruppe_osterreich,schoellerbank_ag,sparda_bank_wien,volksbank_gruppe,volkskreditbank_ag,vr_bank_braunau" }
diff --git a/config/docker_compose.toml b/config/docker_compose.toml
index b84c3dacd9c..37d621665bd 100644
--- a/config/docker_compose.toml
+++ b/config/docker_compose.toml
@@ -56,6 +56,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch"
 base_url = "http://localhost:8080"
+force_two_factor_auth = false
 
 [locker]
 host = ""
diff --git a/crates/api_models/src/user.rs b/crates/api_models/src/user.rs
index 089089038b8..089426c68ba 100644
--- a/crates/api_models/src/user.rs
+++ b/crates/api_models/src/user.rs
@@ -211,6 +211,7 @@ pub struct TwoFactorAuthStatusResponseWithAttempts {
 #[derive(Debug, serde::Deserialize, serde::Serialize)]
 pub struct TwoFactorStatus {
     pub status: Option,
+    pub is_skippable: bool,
 }
 
 #[derive(Debug, serde::Deserialize, serde::Serialize)]
diff --git a/crates/router/src/configs/settings.rs b/crates/router/src/configs/settings.rs
index 61e026ae2c5..f675aad11a7 100644
--- a/crates/router/src/configs/settings.rs
+++ b/crates/router/src/configs/settings.rs
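Review bot: The new public field `pub is_skippable: bool` on `TwoFactorStatus` has no doc comment, and because the struct derives `serde::Deserialize` the field is now mandatory on the wire: any JSON produced before this change, or by a server built without it, fails to deserialize into this type. If the response is deserialized anywhere in this repo (client crates, integration tests), `#[serde(default)]` on the field keeps that compatible while still serializing it; if it is only ever serialized, leaving it required is fine. Either way a doc line such as `/// Whether the caller may skip 2FA; false when the server forces two factor auth for all users` would record the contract next to the field.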
@@ -556,6 +556,7 @@ pub struct UserSettings {
     pub two_factor_auth_expiry_in_secs: i64,
     pub totp_issuer_name: String,
     pub base_url: String,
+    pub force_two_factor_auth: bool,
 }
 
 #[derive(Debug, Deserialize, Clone)]
diff --git a/crates/router/src/core/user.rs b/crates/router/src/core/user.rs
index 822c29b21d9..35b26926ed2 100644
--- a/crates/router/src/core/user.rs
+++ b/crates/router/src/core/user.rs
@@ -1319,7 +1319,7 @@ pub async fn list_user_roles_details(
         ))
         .await
         .change_context(UserErrors::InternalServerError)
-        .attach_printable("Failed to construct proifle map")?
+        .attach_printable("Failed to construct profile map")?
         .into_iter()
         .map(|profile| (profile.get_id().to_owned(), profile.profile_name))
         .collect::>();
@@ -1927,7 +1927,7 @@ pub async fn terminate_two_factor_auth(
         .change_context(UserErrors::InternalServerError)?
         .into();
 
-    if !skip_two_factor_auth {
+    if state.conf.user.force_two_factor_auth || !skip_two_factor_auth {
         if !tfa_utils::check_totp_in_redis(&state, &user_token.user_id).await?
             && !tfa_utils::check_recovery_code_in_redis(&state, &user_token.user_id).await?
         {
@@ -1997,9 +1997,12 @@ pub async fn check_two_factor_auth_status_with_attempts(
         .await
         .change_context(UserErrors::InternalServerError)?
         .into();
+
+    let is_skippable = state.conf.user.force_two_factor_auth.not();
 
     if user_from_db.get_totp_status() == TotpStatus::NotSet {
         return Ok(ApplicationResponse::Json(user_api::TwoFactorStatus {
             status: None,
+            is_skippable,
         }));
     };
@@ -2018,6 +2021,7 @@ pub async fn check_two_factor_auth_status_with_attempts(
             totp,
             recovery_code,
         }),
+        is_skippable,
     }))
 }
 
diff --git a/loadtest/config/development.toml b/loadtest/config/development.toml
index be7d71314ac..b0e2cac9b26 100644
--- a/loadtest/config/development.toml
+++ b/loadtest/config/development.toml
@@ -35,6 +35,7 @@ jwt_secret = "secret"
 password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch"
+force_two_factor_auth = false
 
 [locker]
 host = ""
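Review bot: `pub force_two_factor_auth: bool` is added to `UserSettings` without a serde default, so every config that feeds this struct must now define the key or loading fails at startup; the patch updates the repo's TOML files but operator-maintained configs are not covered. For a security flag that fail-fast behaviour is a reasonable choice, but it should be deliberate and documented, e.g. `/// When true, users cannot skip two factor auth; no serde default on purpose so a missing key is a startup error rather than a silently disabled policy`. If a silent rollout is intended instead, `#[serde(default)]` yields `false`. The struct's own derive line is outside the hunk, so I am assuming it is `Deserialize` like the neighbouring struct shown at the hunk's end.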
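Review bot: The new condition `state.conf.user.force_two_factor_auth || !skip_two_factor_auth` in `terminate_two_factor_auth` silently overrides a caller's skip request when the flag is on, so a client that still sends skip lands on the 2FA-required path with nothing in the logs explaining why. A log line when both `skip_two_factor_auth` and `state.conf.user.force_two_factor_auth` are true would let operators see which clients still rely on skipping after the flag is enabled, and a comment on the `if`, e.g. `// Forced 2FA takes precedence over the caller's skip request`, would document the precedence. The function starts and continues outside the hunk, so where `skip_two_factor_auth` originates is not visible here.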
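Review bot: `state.conf.user.force_two_factor_auth.not()` in `check_two_factor_auth_status_with_attempts` depends on the `std::ops::Not` trait being in scope and reads less directly than the operator; `let is_skippable = !state.conf.user.force_two_factor_auth;` is the idiomatic spelling and needs no import (the file's `use` lines are outside the hunk, so I cannot confirm whether `Not` is imported). The same policy is spelled `force_two_factor_auth || !skip_two_factor_auth` in `terminate_two_factor_auth` earlier in this file; a small helper on `UserSettings`, or at least a comment tying the two sites together, would keep them from drifting apart when the rule changes.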