Add 2fa information to workspace users admin (baserow#4184)

Author: stribny

backend/src/baserow/api/two_factor_auth/serializers.py

@@ -8,13 +8,14 @@
 
 class TwoFactorAuthSerializer(serializers.ModelSerializer):
     type = serializers.SerializerMethodField(read_only=True)
+    is_enabled = serializers.BooleanField(read_only=True)
 
     def get_type(self, instance):
         return instance.get_type().type
 
     class Meta:
         model = TwoFactorAuthProviderModel
-        fields = ["type"]
+        fields = ["type", "is_enabled"]
 
 
 class CreateTwoFactorAuthSerializer(serializers.ModelSerializer):

backend/src/baserow/api/workspaces/users/serializers.py

@@ -5,6 +5,7 @@
 from rest_framework import serializers
 
 from baserow.api.mixins import UnknownFieldRaisesExceptionSerializerMixin
+from baserow.api.two_factor_auth.serializers import TwoFactorAuthSerializer
 from baserow.api.user.registries import member_data_registry
 from baserow.core.generative_ai.registries import generative_ai_model_type_registry
 from baserow.core.models import WorkspaceUser
@@ -19,6 +20,7 @@ class WorkspaceUserSerializer(serializers.ModelSerializer):
         source="user.profile.to_be_deleted",
         help_text="True if user account is pending deletion.",
     )
+    two_factor_auth = serializers.SerializerMethodField()
 
     class Meta:
         model = WorkspaceUser
@@ -31,6 +33,7 @@ class Meta:
             "created_on",
             "user_id",
             "to_be_deleted",
+            "two_factor_auth",
         )
 
     @extend_schema_field(OpenApiTypes.STR)
@@ -41,6 +44,14 @@ def get_name(self, object):
     def get_email(self, object):
         return object.user.email
 
+    def get_two_factor_auth(self, object):
+        try:
+            provider = object.user.two_factor_auth_providers.all()[0]
+        except IndexError:
+            provider = None
+
+        return TwoFactorAuthSerializer(provider).data
+
 
 def get_member_data_types_request_serializer():
     """

backend/src/baserow/api/workspaces/users/views.py

@@ -1,4 +1,5 @@
 from django.db import transaction
+from django.db.models import Prefetch
 
 from drf_spectacular.openapi import OpenApiParameter, OpenApiTypes
 from drf_spectacular.utils import extend_schema
@@ -29,6 +30,7 @@
     ERROR_CANNOT_DELETE_YOURSELF_FROM_GROUP,
     ERROR_GROUP_USER_DOES_NOT_EXIST,
 )
+from baserow.core.db import specific_queryset
 from baserow.core.exceptions import (
     CannotDeleteYourselfFromWorkspace,
     UserInvalidWorkspacePermissionsError,
@@ -39,6 +41,7 @@
 from baserow.core.handler import CoreHandler
 from baserow.core.models import WorkspaceUser
 from baserow.core.operations import ListWorkspaceUsersWorkspaceOperationType
+from baserow.core.two_factor_auth.models import TwoFactorAuthProviderModel
 
 from .generated_serializers import ListWorkspaceUsersWithMemberDataSerializer
 from .serializers import (
@@ -123,8 +126,17 @@ def get(self, request, workspace_id, query_params):
             context=workspace,
         )
 
-        qs = WorkspaceUser.objects.filter(workspace=workspace).select_related(
-            "workspace", "user", "user__profile"
+        qs = (
+            WorkspaceUser.objects.filter(workspace=workspace)
+            .select_related("workspace", "user", "user__profile")
+            .prefetch_related(
+                Prefetch(
+                    "user__two_factor_auth_providers",
+                    queryset=specific_queryset(
+                        TwoFactorAuthProviderModel.objects.all()
+                    ),
+                )
+            )
         )
 
         qs = self.apply_search(search, qs)

backend/src/baserow/core/two_factor_auth/registries.py

@@ -94,13 +94,11 @@ class TOTPAuthProviderType(TwoFactorAuthProviderType):
     type = "totp"
     model_class = TOTPAuthProviderModel
     serializer_field_names = [
-        "enabled",
         "provisioning_url",
         "provisioning_qr_code",
         "backup_codes",
     ]
     serializer_field_overrides = {
-        "enabled": serializers.BooleanField(),
         "provisioning_url": serializers.CharField(),
         "provisioning_qr_code": serializers.CharField(),
         "backup_codes": serializers.ListField(child=serializers.CharField()),

backend/tests/baserow/api/groups/test_workspace_user_views.py

@@ -68,6 +68,39 @@ def test_list_workspace_users(api_client, data_fixture):
     assert "created_on" in response_json[1]
 
 
+@pytest.mark.django_db
+def test_list_workspace_users_2fa_enabled(api_client, data_fixture):
+    user_1, token_1 = data_fixture.create_user_and_token(email="test1@test.nl")
+    user_2, token_2 = data_fixture.create_user_and_token(email="test2@test.nl")
+    user_3, token_3 = data_fixture.create_user_and_token(email="test3@test.nl")
+    data_fixture.configure_base_totp(user_1)
+    data_fixture.configure_totp(user_2)
+
+    workspace_1 = data_fixture.create_workspace()
+    data_fixture.create_user_workspace(
+        workspace=workspace_1, user=user_1, permissions="ADMIN"
+    )
+    data_fixture.create_user_workspace(
+        workspace=workspace_1, user=user_2, permissions="MEMBER"
+    )
+    data_fixture.create_user_workspace(
+        workspace=workspace_1, user=user_3, permissions="MEMBER"
+    )
+
+    response = api_client.get(
+        reverse("api:workspaces:users:list", kwargs={"workspace_id": workspace_1.id}),
+        HTTP_AUTHORIZATION=f"JWT {token_1}",
+    )
+    response_json = response.json()
+    assert response.status_code == HTTP_200_OK
+    assert len(response_json) == 3
+    assert response_json[0]["two_factor_auth"]["type"] == "totp"
+    assert response_json[1]["two_factor_auth"]["type"] == "totp"
+    assert response_json[0]["two_factor_auth"]["is_enabled"] is False
+    assert response_json[1]["two_factor_auth"]["is_enabled"] is True
+    assert response_json[2]["two_factor_auth"] == {}
+
+
 @pytest.mark.django_db
 def test_update_workspace_user(api_client, data_fixture):
     user_1, token_1 = data_fixture.create_user_and_token(email="test1@test.nl")

backend/tests/baserow/api/two_factor_auth/test_two_factor_views.py

@@ -59,7 +59,7 @@ def test_configuration_2fa_view_totp_not_enabled(api_client, data_fixture):
     assert response.status_code == HTTP_200_OK
     assert response_json == {
         "backup_codes": [],
-        "enabled": False,
+        "is_enabled": False,
         "provisioning_qr_code": AnyStr(),
         "provisioning_url": AnyStr(),
         "type": "totp",
@@ -81,7 +81,7 @@ def test_configuration_2fa_view_totp_enabled(api_client, data_fixture):
     assert response.status_code == HTTP_200_OK
     assert response_json == {
         "backup_codes": [],
-        "enabled": True,
+        "is_enabled": True,
         "provisioning_qr_code": "",
         "provisioning_url": "",
         "type": "totp",
@@ -188,7 +188,7 @@ def test_configure_totp_2fa_view(api_client, data_fixture):
     assert response.status_code == HTTP_200_OK, response_json
     assert response_json == {
         "backup_codes": [],
-        "enabled": False,
+        "is_enabled": False,
         "provisioning_qr_code": AnyStr(),
         "provisioning_url": AnyStr(),
         "type": "totp",
@@ -214,7 +214,7 @@ def test_configure_totp_2fa_view(api_client, data_fixture):
     assert response.status_code == HTTP_200_OK, response_json
     assert response_json == {
         "backup_codes": AnyList(),
-        "enabled": True,
+        "is_enabled": True,
         "provisioning_qr_code": "",
         "provisioning_url": "",
         "type": "totp",
@@ -239,7 +239,7 @@ def test_configure_totp_2fa_view_confirmation_failed_invalidcode(
     assert response.status_code == HTTP_200_OK, response_json
     assert response_json == {
         "backup_codes": [],
-        "enabled": False,
+        "is_enabled": False,
         "provisioning_qr_code": AnyStr(),
         "provisioning_url": AnyStr(),
         "type": "totp",
@@ -295,7 +295,7 @@ def test_configure_totp_2fa_view_replaces_previous_configuration(
     assert response.status_code == HTTP_200_OK, response_json
     assert response_json == {
         "backup_codes": [],
-        "enabled": False,
+        "is_enabled": False,
         "provisioning_qr_code": AnyStr(),
         "provisioning_url": AnyStr(),
         "type": "totp",
@@ -316,7 +316,7 @@ def test_configure_totp_2fa_view_replaces_previous_configuration(
     assert response.status_code == HTTP_200_OK, response_json2
     assert response_json2 == {
         "backup_codes": [],
-        "enabled": False,
+        "is_enabled": False,
         "provisioning_qr_code": AnyStr(),
         "provisioning_url": AnyStr(),
         "type": "totp",

enterprise/web-frontend/modules/baserow_enterprise/membersPagePluginTypes.js

@@ -20,8 +20,8 @@ export class EnterpriseMembersPagePluginType extends MembersPagePluginType {
       context
     )
 
-    const roleColumnIndex = columns.findIndex(
-      (column) => column.key === 'permissions'
+    const insertBeforeColumnIndex = columns.findIndex(
+      (column) => column.key === 'two_factor_auth'
     )
     const highestRoleColumn = new CrudTableColumn(
       'highest_role_uid',
@@ -46,8 +46,8 @@ export class EnterpriseMembersPagePluginType extends MembersPagePluginType {
       {},
       20
     )
-    columns.splice(roleColumnIndex, 0, highestRoleColumn)
-    columns.splice(roleColumnIndex, 0, teamsColumn)
+    columns.splice(insertBeforeColumnIndex, 0, highestRoleColumn)
+    columns.splice(insertBeforeColumnIndex, 0, teamsColumn)
 
     return columns
   }

web-frontend/modules/core/components/auth/TOTPLogin.vue

@@ -133,8 +133,6 @@ export default {
     const values = reactive({
       values: {
         backupCode: '',
-        errorTitle: null,
-        errorDescription: null,
       },
     })
 
@@ -154,6 +152,8 @@ export default {
       enterBackupCode: false,
       loadingVerifyCode: false,
       loadingVerifyBackupCode: false,
+      errorTitle: null,
+      errorDescription: null,
     }
   },
   watch: {

web-frontend/modules/core/components/crudTable/fields/TwoFactorAuthField.vue

@@ -0,0 +1,29 @@
+<template>
+  <Badge
+    :color="row[column.key].is_enabled ? 'green' : 'neutral'"
+    :rounded="true"
+  >
+    <span v-if="row[column.key].is_enabled">
+      {{ $t('twoFactorAuthField.enabled') }}
+    </span>
+    <span v-else>
+      {{ $t('twoFactorAuthField.disabled') }}
+    </span>
+  </Badge>
+</template>
+
+<script>
+export default {
+  name: 'TwoFactorAuthField',
+  props: {
+    row: {
+      required: true,
+      type: Object,
+    },
+    column: {
+      required: true,
+      type: Object,
+    },
+  },
+}
+</script>

web-frontend/modules/core/components/settings/TwoFactorAuthSettings.vue

@@ -66,7 +66,7 @@ export default {
         const { data } = await TwoFactorAuthService(
           this.$client
         ).getConfiguration()
-        if (data.enabled) {
+        if (data.is_enabled) {
           this.state = 'enabled'
           this.provider = data
         }