feat(users): Add force_two_factor_auth environment variable (#6466)

config/config.example.toml

@@ -396,6 +396,7 @@ password_validity_in_days = 90       # Number of days after which password shoul
 two_factor_auth_expiry_in_secs = 300 # Number of seconds after which 2FA should be done again if doing update/change from inside
 totp_issuer_name = "Hyperswitch"     # Name of the issuer for TOTP
 base_url = ""                        # Base url used for user specific redirects and emails
+force_two_factor_auth = false        # Whether to force two factor authentication for all users
 
 #tokenization configuration which describe token lifetime and payment method for specific connector
 [tokenization]

config/deployments/integration_test.toml

@@ -139,6 +139,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Integ"
 base_url = "https://integ.hyperswitch.io"
+force_two_factor_auth = false
 
 [frm]
 enabled = true
@@ -395,4 +396,4 @@ connector_list = ""
 card_networks = "Visa, AmericanExpress, Mastercard"
 
 [network_tokenization_supported_connectors]
-connector_list = "cybersource"
+connector_list = "cybersource"

config/deployments/production.toml

@@ -146,6 +146,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Production"
 base_url = "https://live.hyperswitch.io"
+force_two_factor_auth = false
 
 [frm]
 enabled = false
@@ -409,4 +410,4 @@ connector_list = ""
 card_networks = "Visa, AmericanExpress, Mastercard"
 
 [network_tokenization_supported_connectors]
-connector_list = "cybersource"
+connector_list = "cybersource"

config/deployments/sandbox.toml

@@ -146,6 +146,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Sandbox"
 base_url = "https://app.hyperswitch.io"
+force_two_factor_auth = false
 
 [frm]
 enabled = true

config/development.toml

@@ -318,6 +318,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch Dev"
 base_url = "http://localhost:8080"
+force_two_factor_auth = false
 
 [bank_config.eps]
 stripe = { banks = "arzte_und_apotheker_bank,austrian_anadi_bank_ag,bank_austria,bankhaus_carl_spangler,bankhaus_schelhammer_und_schattera_ag,bawag_psk_ag,bks_bank_ag,brull_kallmus_bank_ag,btv_vier_lander_bank,capital_bank_grawe_gruppe_ag,dolomitenbank,easybank_ag,erste_bank_und_sparkassen,hypo_alpeadriabank_international_ag,hypo_noe_lb_fur_niederosterreich_u_wien,hypo_oberosterreich_salzburg_steiermark,hypo_tirol_bank_ag,hypo_vorarlberg_bank_ag,hypo_bank_burgenland_aktiengesellschaft,marchfelder_bank,oberbank_ag,raiffeisen_bankengruppe_osterreich,schoellerbank_ag,sparda_bank_wien,volksbank_gruppe,volkskreditbank_ag,vr_bank_braunau" }

config/docker_compose.toml

@@ -56,6 +56,7 @@ password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch"
 base_url = "http://localhost:8080"
+force_two_factor_auth = false
 
 [locker]
 host = ""

crates/api_models/src/user.rs

@@ -211,6 +211,7 @@ pub struct TwoFactorAuthStatusResponseWithAttempts {
 #[derive(Debug, serde::Deserialize, serde::Serialize)]
 pub struct TwoFactorStatus {
     pub status: Option<TwoFactorAuthStatusResponseWithAttempts>,
+    pub is_skippable: bool,
 }
 
 #[derive(Debug, serde::Deserialize, serde::Serialize)]

crates/router/src/configs/settings.rs

@@ -556,6 +556,7 @@ pub struct UserSettings {
     pub two_factor_auth_expiry_in_secs: i64,
     pub totp_issuer_name: String,
     pub base_url: String,
+    pub force_two_factor_auth: bool,
 }
 
 #[derive(Debug, Deserialize, Clone)]

crates/router/src/core/user.rs

@@ -1319,7 +1319,7 @@ pub async fn list_user_roles_details(
     ))
     .await
     .change_context(UserErrors::InternalServerError)
-    .attach_printable("Failed to construct proifle map")?
+    .attach_printable("Failed to construct profile map")?
     .into_iter()
     .map(|profile| (profile.get_id().to_owned(), profile.profile_name))
     .collect::<HashMap<_, _>>();
@@ -1927,7 +1927,7 @@ pub async fn terminate_two_factor_auth(
         .change_context(UserErrors::InternalServerError)?
         .into();
 
-    if !skip_two_factor_auth {
+    if state.conf.user.force_two_factor_auth || !skip_two_factor_auth {
         if !tfa_utils::check_totp_in_redis(&state, &user_token.user_id).await?
             && !tfa_utils::check_recovery_code_in_redis(&state, &user_token.user_id).await?
         {
@@ -1997,9 +1997,12 @@ pub async fn check_two_factor_auth_status_with_attempts(
         .await
         .change_context(UserErrors::InternalServerError)?
         .into();
+
+    let is_skippable = state.conf.user.force_two_factor_auth.not();
     if user_from_db.get_totp_status() == TotpStatus::NotSet {
         return Ok(ApplicationResponse::Json(user_api::TwoFactorStatus {
             status: None,
+            is_skippable,
         }));
     };
 
@@ -2018,6 +2021,7 @@ pub async fn check_two_factor_auth_status_with_attempts(
             totp,
             recovery_code,
         }),
+        is_skippable,
     }))
 }
 

loadtest/config/development.toml

@@ -35,6 +35,7 @@ jwt_secret = "secret"
 password_validity_in_days = 90
 two_factor_auth_expiry_in_secs = 300
 totp_issuer_name = "Hyperswitch"
+force_two_factor_auth = false
 
 [locker]
 host = ""