feat: option to also return tfa secret on update/create in addition t…

…o qr code (#418)

Signed-off-by: Sarah Funkhouser <[email protected]>

go.mod

@@ -54,7 +54,7 @@ require (
 	github.com/riverqueue/river v0.15.0
 	github.com/riverqueue/river/riverdriver/riverpgxv5 v0.15.0
 	github.com/rs/zerolog v1.33.0
-	github.com/samber/lo v1.48.0
+	github.com/samber/lo v1.49.0
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
 	github.com/sebdah/goldie/v2 v2.5.5
 	github.com/spf13/cobra v1.8.1
@@ -67,7 +67,7 @@ require (
 	github.com/theopenlane/entx v0.4.3
 	github.com/theopenlane/gqlgen-plugins v0.4.4
 	github.com/theopenlane/httpsling v0.2.2
-	github.com/theopenlane/iam v0.7.1
+	github.com/theopenlane/iam v0.7.3
 	github.com/theopenlane/newman v0.1.2
 	github.com/theopenlane/riverboat v0.0.7
 	github.com/theopenlane/utils v0.4.3

go.sum

@@ -857,8 +857,8 @@ github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3
 github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
-github.com/samber/lo v1.48.0 h1:ELOfcaM7vdYPe0egBS2Nxa8LxkY4lR+9LBzj0l6cHJ0=
-github.com/samber/lo v1.48.0/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
+github.com/samber/lo v1.49.0 h1:AGnTnQrg1jpFuwECPUSoxZCfVH5W22b605kWSry3YxM=
+github.com/samber/lo v1.49.0/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
 github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
 github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
@@ -969,8 +969,8 @@ github.com/theopenlane/gqlgen-plugins v0.4.4 h1:3TpVQMkmm2cdLOu0Basppp7Rv9KihTN0
 github.com/theopenlane/gqlgen-plugins v0.4.4/go.mod h1:8ilst9sRzH+cq01Z/bNiFBYdoB5AoaGi5W8tsNsRqnM=
 github.com/theopenlane/httpsling v0.2.2 h1:QqJo/VsjeiM6/RnWZpRQX3I7T62j5u9WdXo52zUWyi0=
 github.com/theopenlane/httpsling v0.2.2/go.mod h1:mrSaIZs4lhcBsOJCv/n67N7eDZ/skD6vA8l8y9MDrKk=
-github.com/theopenlane/iam v0.7.1 h1:bg/WxBwbIfaNwB41Zzlmk+Z0vJiGP+DpX8Nfo+IMPk4=
-github.com/theopenlane/iam v0.7.1/go.mod h1:RC5WbZnqi5bR2GaDURFmi6xLAxSSW0HFR+OvmFMp2nk=
+github.com/theopenlane/iam v0.7.3 h1:SIZiZl8raA0+Ybb9zZvcnhdJxW++XrgjMaEdiuJhbjw=
+github.com/theopenlane/iam v0.7.3/go.mod h1:pudtCEtl1LkYltQLQn775K9Zqrp1VSnj3qOrjx6QQsQ=
 github.com/theopenlane/newman v0.1.2 h1:BKn1fjT4tU7AxonFjx+4QNAIq0B9ZlT2wM9cWgBA6Hs=
 github.com/theopenlane/newman v0.1.2/go.mod h1:Z6lRBzDVJeGl+Rh8hZ1fIvybBpm0AxuoP1Lj6wY8ylw=
 github.com/theopenlane/riverboat v0.0.7 h1:zT/H6ipMRLVYQEGLGgwUI6B1wXEBS0ARhkfzv+Pekwg=

internal/graphapi/clientschema/schema.graphql

@@ -27015,6 +27015,7 @@ type TFASettingCreatePayload {
 	Created tfaSetting
 	"""
 	tfaSetting: TFASetting!
+	tfaSecret: String
 	qrCode: String
 }
 """
@@ -27038,6 +27039,7 @@ type TFASettingUpdatePayload {
 	Updated tfaSetting
 	"""
 	tfaSetting: TFASetting!
+	tfaSecret: String
 	qrCode: String
 	recoveryCodes: [String!]
 }

internal/graphapi/query/tfasetting.graphql

@@ -8,6 +8,7 @@ mutation CreateTFASetting($input: CreateTFASettingInput!) {
       }
     }
     qrCode
+    tfaSecret
   }
 }
 
@@ -42,6 +43,7 @@ mutation UpdateTFASetting($input: UpdateTFASettingInput!) {
       verified
     }
     qrCode
+    tfaSecret
     recoveryCodes
   }
 }

internal/graphapi/schema/tfaextended.graphql

@@ -1,8 +1,10 @@
 extend type TFASettingUpdatePayload {
+    tfaSecret: String
     qrCode: String
     recoveryCodes: [String!]
 }
 
 extend type TFASettingCreatePayload {
+    tfaSecret: String
     qrCode: String
 }

internal/graphapi/tfahelpers.go

@@ -33,3 +33,22 @@ func (r *mutationResolver) generateTFAQRCode(ctx context.Context, settings *gene
 
 	return qrCode, nil
 }
+
+// getDecryptedTFASecret returns the TFA secret for the user, decrypted
+func (r *mutationResolver) getDecryptedTFASecret(ctx context.Context, settings *generated.TFASetting) (string, error) {
+	if !utils.CheckForRequestedField(ctx, "tfaSecret") {
+		return "", nil
+	}
+
+	if !settings.TotpAllowed || settings.TfaSecret == nil {
+		return "", nil
+	}
+
+	// generate a new QR code if it was requested
+	secret, err := r.db.TOTP.TOTPManager.TOTPDecryptedSecret(*settings.TfaSecret)
+	if err != nil {
+		return "", err
+	}
+
+	return secret, nil
+}

internal/graphapi/tfasetting_test.go

@@ -143,8 +143,10 @@ func (suite *GraphTestSuite) TestMutationCreateTFASetting() {
 
 			if *tc.input.TotpAllowed {
 				assert.NotEmpty(t, resp.CreateTFASetting.QRCode)
+				assert.NotEmpty(t, resp.CreateTFASetting.TfaSecret)
 			} else {
 				assert.Empty(t, resp.CreateTFASetting.QRCode)
+				assert.Empty(t, resp.CreateTFASetting.TfaSecret)
 			}
 
 			require.NotEmpty(t, resp.CreateTFASetting.TfaSetting.Owner)
@@ -264,6 +266,14 @@ func (suite *GraphTestSuite) TestMutationUpdateTFASetting() {
 				assert.Empty(t, resp.UpdateTFASetting.RecoveryCodes)
 			}
 
+			if tc.input.TotpAllowed == nil || *tc.input.TotpAllowed {
+				assert.NotEmpty(t, resp.UpdateTFASetting.QRCode)
+				assert.NotEmpty(t, resp.UpdateTFASetting.TfaSecret)
+			} else if !*tc.input.TotpAllowed { // settings were cleared
+				assert.Empty(t, resp.UpdateTFASetting.QRCode)
+				assert.Empty(t, resp.UpdateTFASetting.TfaSecret)
+			}
+
 			// make sure user setting is updated correctly
 			userSettings, err := tc.client.GetAllUserSettings(tc.ctx)
 			require.NoError(t, err)

internal/httpserve/serveropts/option.go

@@ -328,6 +328,8 @@ func WithOTP() ServerOption {
 					Version: 0,
 					Key:     s.Config.Settings.TOTP.Secret,
 				}),
+				totp.WithRecoveryCodeLength(s.Config.Settings.TOTP.RecoveryCodeLength),
+				totp.WithRecoveryCodeCount(s.Config.Settings.TOTP.RecoveryCodeCount),
 			}
 
 			// append redis client if enabled