feat: add managing mfa

server/resolvers/env.go

@@ -171,6 +171,7 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 	res.DisableSignUp = store[constants.EnvKeyDisableSignUp].(bool)
 	res.DisableStrongPassword = store[constants.EnvKeyDisableStrongPassword].(bool)
 	res.EnforceMultiFactorAuthentication = store[constants.EnvKeyEnforceMultiFactorAuthentication].(bool)
+	res.DisableMultiFactorAuthentication = store[constants.EnvKeyDisableMultiFactorAuthentication].(bool)
 
 	return res, nil
 }

server/resolvers/invite_members.go

@@ -16,6 +16,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
@@ -136,6 +137,15 @@ func InviteMembersResolver(ctx context.Context, params model.InviteMemberInput)
 			user.SignupMethods = constants.AuthRecipeMethodBasicAuth
 			verificationRequest.Identifier = constants.VerificationTypeForgotPassword
 
+			isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
+			if err != nil {
+				log.Debug("MFA service not enabled: ", err)
+				isMFAEnforced = false
+			}
+
+			if isMFAEnforced {
+				user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
+			}
 			verifyEmailURL = appURL + "/setup-password"
 
 		}

server/resolvers/login.go

@@ -104,8 +104,13 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		log.Debug("Email service not enabled: ", err)
 	}
 
+	isMFADisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMultiFactorAuthentication)
+	if err != nil || !isEmailServiceEnabled {
+		log.Debug("MFA service not enabled: ", err)
+	}
+
 	// If email service is not enabled continue the process in any way
-	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && isEmailServiceEnabled {
+	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && isEmailServiceEnabled && !isMFADisabled {
 		otp := utils.GenerateOTP()
 		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
 			Email:     user.Email,

server/resolvers/meta.go

@@ -107,6 +107,12 @@ func MetaResolver(ctx context.Context) (*model.Meta, error) {
 		isSignUpDisabled = true
 	}
 
+	isMultiFactorAuthenticationEnabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMultiFactorAuthentication)
+	if err != nil {
+		log.Debug("Failed to get Disable Multi Factor Authentication from environment variable", err)
+		isSignUpDisabled = true
+	}
+
 	metaInfo := model.Meta{
 		Version:                      constants.VERSION,
 		ClientID:                     clientID,
@@ -120,6 +126,7 @@ func MetaResolver(ctx context.Context) (*model.Meta, error) {
 		IsMagicLinkLoginEnabled:      !isMagicLinkLoginDisabled,
 		IsSignUpEnabled:              !isSignUpDisabled,
 		IsStrongPasswordEnabled:      !isStrongPasswordDisabled,
+		IsMultiFactorAuthEnabled:     !isMultiFactorAuthenticationEnabled,
 	}
 	return &metaInfo, nil
 }

server/resolvers/resend_otp.go

@@ -52,6 +52,12 @@ func ResendOTPResolver(ctx context.Context, params model.ResendOTPRequest) (*mod
 		return nil, errors.New("email service not enabled")
 	}
 
+	isMFADisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMultiFactorAuthentication)
+	if err != nil || isMFADisabled {
+		log.Debug("MFA service not enabled: ", err)
+		return nil, errors.New("multi factor authentication is disabled for this instance")
+	}
+
 	// get otp by email
 	otpData, err := db.Provider.GetOTPByEmail(ctx, params.Email)
 	if err != nil {

server/resolvers/reset_password.go

@@ -14,6 +14,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
@@ -84,6 +85,16 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 	signupMethod := user.SignupMethods
 	if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) {
 		signupMethod = signupMethod + "," + constants.AuthRecipeMethodBasicAuth
+
+		isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
+		if err != nil {
+			log.Debug("MFA service not enabled: ", err)
+			isMFAEnforced = false
+		}
+
+		if isMFAEnforced {
+			user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
+		}
 	}
 	user.SignupMethods = signupMethod
 

server/resolvers/signup.go

@@ -17,6 +17,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
@@ -161,6 +162,16 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		user.IsMultiFactorAuthEnabled = params.IsMultiFactorAuthEnabled
 	}
 
+	isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
+	if err != nil {
+		log.Debug("MFA service not enabled: ", err)
+		isMFAEnforced = false
+	}
+
+	if isMFAEnforced {
+		user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
+	}
+
 	user.SignupMethods = constants.AuthRecipeMethodBasicAuth
 	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
 	if err != nil {

server/resolvers/update_env.go

@@ -235,6 +235,7 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 	// in case SMTP is off but env is set to true
 	if updatedData[constants.EnvKeySmtpHost] == "" || updatedData[constants.EnvKeySmtpUsername] == "" || updatedData[constants.EnvKeySmtpPassword] == "" || updatedData[constants.EnvKeySenderEmail] == "" && updatedData[constants.EnvKeySmtpPort] == "" {
 		updatedData[constants.EnvKeyIsEmailServiceEnabled] = false
+		updatedData[constants.EnvKeyDisableMultiFactorAuthentication] = true
 		if !updatedData[constants.EnvKeyDisableEmailVerification].(bool) {
 			updatedData[constants.EnvKeyDisableEmailVerification] = true
 		}
@@ -248,6 +249,12 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		updatedData[constants.EnvKeyIsEmailServiceEnabled] = true
 	}
 
+	if !currentData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && !updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {
+		go db.Provider.UpdateUsers(ctx, map[string]interface{}{
+			"is_multi_factor_auth_enabled": true,
+		}, nil)
+	}
+
 	// check the roles change
 	if len(params.Roles) > 0 {
 		if len(params.DefaultRoles) > 0 {

server/resolvers/update_profile.go

@@ -104,6 +104,17 @@ func UpdateProfileResolver(ctx context.Context, params model.UpdateProfileInput)
 			}
 		}
 
+		isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
+		if err != nil {
+			log.Debug("MFA service not enabled: ", err)
+			isMFAEnforced = false
+		}
+
+		if isMFAEnforced && !refs.BoolValue(params.IsMultiFactorAuthEnabled) {
+			log.Debug("Cannot disable mfa service as it is enforced:")
+			return nil, errors.New("cannot disable multi factor authentication as it is enforced by organization")
+		}
+
 		user.IsMultiFactorAuthEnabled = params.IsMultiFactorAuthEnabled
 	}