28398 - Team Admin receives 403 Forbidden when attempting to reset OTP for another team member (#3493)

Author: seeker25

auth-api/src/auth_api/resources/v1/user.py

@@ -135,7 +135,7 @@ def post_user():
     return response, status
 
 
-@bp.route("/<path:username>/otp", methods=["DELETE", "OPTIONS"])
+@bp.route("/<path:username>/otp/<int:org_id>", methods=["DELETE", "OPTIONS"])
 @cross_origin(origins="*", methods=["DELETE"])
 @_jwt.has_one_of_roles(
     [
@@ -145,7 +145,7 @@ def post_user():
         Role.MANAGE_RESET_OTP.value,
     ]
 )
-def delete_user_otp(username):
+def delete_user_otp(username, org_id):
     """Delete/Reset the OTP of user profile associated with the provided username."""
     try:
         user = UserService.find_by_username(username)
@@ -155,7 +155,7 @@ def delete_user_otp(username):
             response, status = {"Only BCEID users has OTP", HTTPStatus.BAD_REQUEST}
         else:
             origin_url = request.environ.get("HTTP_ORIGIN", "localhost")
-            UserService.delete_otp_for_user(username, origin_url=origin_url)
+            UserService.delete_otp_for_user(user_name=username, org_id=org_id, origin_url=origin_url)
             response, status = "", HTTPStatus.NO_CONTENT
     except BusinessException as exception:
         response, status = {"code": exception.code, "message": exception.message}, exception.status_code

auth-api/src/auth_api/services/user.py

@@ -238,13 +238,9 @@ def _create_new_user_and_membership(db_username, kc_user, membership, org_id):
 
     @staticmethod
     @user_context
-    def delete_otp_for_user(user_name, origin_url: str = None, **kwargs):
+    def delete_otp_for_user(user_name, org_id, origin_url: str = None, **kwargs):
         """Reset the OTP of the user."""
-        # TODO - handle when the multiple teams implemented for bceid..
         user = UserModel.find_by_username(user_name)
-        membership = MembershipModel.find_membership_by_userid(user.id)
-        org_id = membership.org_id
-
         user_from_context: UserContext = kwargs["user_context"]
         if not user_from_context.has_role(Role.MANAGE_RESET_OTP.value):
             check_auth(org_id=org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))

auth-api/tests/unit/api/test_cors_preflight.py

@@ -260,7 +260,7 @@ def test_preflight_user(app, client, jwt, session):
     assert rv.status_code == HTTPStatus.OK
     assert_access_control_headers(rv, "*", "POST")
 
-    rv = client.options("/api/v1/users/USERNAME/otp", headers={"Access-Control-Request-Method": "DELETE"})
+    rv = client.options("/api/v1/users/USERNAME/otp/1", headers={"Access-Control-Request-Method": "DELETE"})
     assert rv.status_code == HTTPStatus.OK
     assert_access_control_headers(rv, "*", "DELETE")
 

auth-api/tests/unit/api/test_user.py

@@ -895,7 +895,7 @@ def test_delete_otp_for_user(client, jwt, session):  # pylint:disable=unused-arg
 
     # staff with manage accounts otp reset
     headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_manage_accounts_role)
-    rv = client.delete(f"api/v1/users/{user.username}/otp", headers=headers)
+    rv = client.delete(f"api/v1/users/{user.username}/otp/{org.id}", headers=headers)
     assert rv.status_code == HTTPStatus.NO_CONTENT
 
     user1 = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
@@ -904,19 +904,19 @@ def test_delete_otp_for_user(client, jwt, session):  # pylint:disable=unused-arg
 
     # staff with basic access cant do otp reset
     headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_role)
-    rv = client.delete(f"api/v1/users/{user.username}/otp", headers=headers)
+    rv = client.delete(f"api/v1/users/{user.username}/otp/{org.id}", headers=headers)
     assert rv.status_code == HTTPStatus.UNAUTHORIZED
 
     #  admin can do otp reset
-    rv = client.delete(f"api/v1/users/{user.username}/otp", headers=admin_headers)
+    rv = client.delete(f"api/v1/users/{user.username}/otp/{org.id}", headers=admin_headers)
     assert rv.status_code == HTTPStatus.NO_CONTENT
 
     #  coordinator can do otp reset
-    rv = client.delete(f"api/v1/users/{user.username}/otp", headers=coordinator_headers)
+    rv = client.delete(f"api/v1/users/{user.username}/otp/{org.id}", headers=coordinator_headers)
     assert rv.status_code == HTTPStatus.NO_CONTENT
 
     #  user can not do otp reset
-    rv = client.delete(f"api/v1/users/{user.username}/otp", headers=user_headers)
+    rv = client.delete(f"api/v1/users/{user.username}/otp/{org.id}", headers=user_headers)
     assert rv.status_code == HTTPStatus.FORBIDDEN
 
     # another org admin cant do
@@ -925,7 +925,7 @@ def test_delete_otp_for_user(client, jwt, session):  # pylint:disable=unused-arg
     factory_membership_model(admin_user1.id, org1.id)
     admin_claims = TestJwtClaims.get_test_real_user(admin_user1.keycloak_guid)
     admin1_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
-    rv = client.delete(f"api/v1/users/{user.username}/otp", headers=admin1_headers)
+    rv = client.delete(f"api/v1/users/{user.username}/otp/{org.id}", headers=admin1_headers)
     assert rv.status_code == HTTPStatus.FORBIDDEN
 
 

auth-api/tests/unit/services/test_user.py

@@ -180,7 +180,7 @@ def test_delete_otp_for_user(session, auth_mock, keycloak_mock, monkeypatch):
     factory_membership_model(user.id, org.id)
 
     patch_token_info(admin_claims, monkeypatch)
-    UserService.delete_otp_for_user(user.username)
+    UserService.delete_otp_for_user(user.username, org.id)
     user1 = kc_service.get_user_by_username(request.user_name)
     assert "CONFIGURE_TOTP" in json.loads(user1.value()).get("requiredActions")
 

auth-web/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "auth-web",
-  "version": "2.10.19",
+  "version": "2.10.20",
   "appName": "Auth Web",
   "sbcName": "SBC Common Components",
   "private": true,

auth-web/package.json

@@ -280,7 +280,7 @@ export default class MemberDataTable extends Vue {
   private readonly currentMembership!: Member
   private readonly currentOrganization!: Organization
   private readonly getRoleInfo!: () => Promise<RoleInfo[]>
-  private readonly resetOTPAuthenticator!: (username: string) => any
+  private readonly resetOTPAuthenticator!: (username: string, org_id: number) => any
   private readonly roleInfos!: RoleInfo[]
   private readonly SNACKBAR_TIMEOUT: number = 3000 // milliseconds
   private confirmResetAuthDialog = false
@@ -582,7 +582,7 @@ export default class MemberDataTable extends Vue {
 
   private async resetAuthenticator () {
     try {
-      await this.resetOTPAuthenticator(this.selectedUserForReset?.user?.username)
+      await this.resetOTPAuthenticator(this.selectedUserForReset?.user?.username, this.currentOrganization?.id)
       this.showResetSnackBar = true
       this.$refs.resetAuthenticatorDialog.close()
       // wait for the SNACKBAR_TIMEOUT value before unsetting the selectedUserForReset,

auth-web/src/components/auth/account-settings/team-management/MemberDataTable.vue

@@ -81,7 +81,7 @@ export const useTransactions = () => {
       console.error('Failed to get transaction list.', error)
     }
     transactions.loading = false
-  }, 1000, { leading: true, trailing: true }) as (filterField?: string, value?: any, viewAll?: boolean) => Promise<void>
+  }, 2000, { leading: true, trailing: true }) as (filterField?: string, value?: any, viewAll?: boolean) => Promise<void>
 
   const getTransactionReport = async () => {
     try {

auth-web/src/composables/transactions-factory.ts

@@ -113,8 +113,8 @@ export default class UserService {
     return axios.get(`${ConfigHelper.getAuthAPIUrl()}/users/${encodeURIComponent(userGuid)}/affidavits`, { params })
   }
 
-  static async resetOTPAuthenticator (username: string): Promise<AxiosResponse<any>> {
-    return axios.delete(`${ConfigHelper.getAuthAPIUrl()}/users/${username}/otp`)
+  static async resetOTPAuthenticator (username: string, orgId: number): Promise<AxiosResponse<any>> {
+    return axios.delete(`${ConfigHelper.getAuthAPIUrl()}/users/${username}/otp/${orgId}`)
   }
 
   static getUserAccountSettings (currentUserSub: string): Promise<AxiosResponse<UserSettings[]>> {