Enable/disable MFA button

package.json

@@ -52,7 +52,7 @@
   "dependencies": {
     "@curveball/accesslog": "^1.0.0",
     "@curveball/bodyparser": "^1.0.0",
-    "@curveball/browser": "^1.1.4",
+    "@curveball/browser": "^1.1.6",
     "@curveball/controller": "^1.0.0",
     "@curveball/core": "^1.0.0",
     "@curveball/cors": "^1.0.0",

schemas/principal-identity-patch.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://curveballjs.org/schemas/a12nserver/principal-identity-patch.json",
+  "type": "object",
+  "title": "PrincipalIdentityPatch",
+  "description": "Patch format for the principal-identity resource",
+
+  "required": ["isMfa"],
+  "additionalProperties": false,
+
+  "properties": {
+    "isMfa": {
+      "type": "string"
+    }
+  }
+}

src/api-types.ts

@@ -289,6 +289,19 @@ export interface PrincipalEdit {
  * and run json-schema-to-typescript to regenerate this file.
  */
 
+/**
+ * Patch format for the principal-identity resource
+ */
+export interface PrincipalIdentityPatch {
+  isMfa: string;
+}
+/* eslint-disable */
+/**
+ * This file was automatically generated by json-schema-to-typescript.
+ * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
+ * and run json-schema-to-typescript to regenerate this file.
+ */
+
 /**
  * This is the form submitted by the user when they are verifiying an identity.
  */

src/principal-identity/controller/item.ts

@@ -3,6 +3,7 @@ import { Context } from '@curveball/core';
 import * as hal from '../formats/hal.js';
 import { Forbidden } from '@curveball/http-errors';
 import * as services from '../../services.js';
+import { PrincipalIdentityPatch } from '../../api-types.js';
 
 class PrincipalIdentityItem extends Controller {
 
@@ -24,6 +25,30 @@ class PrincipalIdentityItem extends Controller {
 
   }
 
+  async patch(ctx: Context) {
+
+    ctx.request.validate<PrincipalIdentityPatch>('https://curveballjs.org/schemas/a12nserver/principal-identity-patch.json');
+    const principalService = new services.principal.PrincipalService(ctx.privileges);
+    const principal = await principalService.findByExternalId(ctx.params.id);
+
+    const identity = await services.principalIdentity.findByExternalId(principal,ctx.params.identityId);
+
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    }
+
+    const isMfa = !!(+ctx.request.body.isMfa);
+    identity.isMfa = isMfa;
+    await services.principalIdentity.update(identity);
+
+    if (ctx.accepts('html')) {
+      ctx.redirect(303, identity.href);
+    } else {
+      ctx.status = 204;
+    }
+
+  }
+
 }
 
 export default new PrincipalIdentityItem();

src/principal-identity/formats/hal.ts

@@ -72,6 +72,20 @@ export function item(principal: Principal, identity: PrincipalIdentity): HalReso
         target: `${identity.href}/verify`,
       }
     };
+    if (identity.verifiedAt) {
+      res._templates['set-mfa'] = {
+        method: 'PATCH',
+        title: identity.isMfa ? 'Disable for MFA' : 'Enable for MFA',
+        target: `${identity.href}`,
+        properties: [
+          {
+            name: 'isMfa',
+            type: 'hidden',
+            value: identity.isMfa ? '0' : '1',
+          }
+        ]
+      };
+    };
   }
 
   return res;

src/principal-identity/service.ts

@@ -103,6 +103,21 @@ export async function create(identity: NewPrincipalIdentity): Promise<PrincipalI
   };
 
 }
+
+export async function update(identity: PrincipalIdentity): Promise<void> {
+
+  await knex('principal_identities')
+    .update({
+      modified_at: Date.now(),
+      is_primary: +identity.isPrimary,
+      is_mfa: +identity.isMfa,
+      label: identity.label,
+    }).where({
+      id: identity.id,
+    });
+
+}
+
 export async function markVerified(identity: PrincipalIdentity): Promise<void> {
 
   await knex('principal_identities')