Skip to content

Commit

Permalink
Added Two-factor authentication API documentation
Browse files Browse the repository at this point in the history 
Ticket: ENT-10838
Signed-off-by: Ihor Aleksandrychiev <[email protected]>
  • Loading branch information
@aleksandrychev
aleksandrychev committed Aug 7, 2024
1 parent 772dcf8 commit 0215d80
Show file tree
Hide file tree
Showing 2 changed files with 249 additions and 3 deletions.
239 changes: 239 additions & 0 deletions api/enterprise-api-ref/two-factor-authentication.markdown
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,239 @@
---
layout: default
title: Two-factor authentication API
published: true
---
The Two-factor authentication API enables users to add an extra layer of security to their accounts
by requiring a TOTP (time-based one-time password) in addition to their primary credentials.

Once two-factor authentication is enabled, requests to obtain an OAuth token, change a password, or
disable two-factor authentication must include an additional header: Cf-2fa-Token: code.
Basic authentication also requires this header each time it is used.

Currently, only TOTP (Time-based One-Time Password) two-factor authentication
is supported, providing users with a time-sensitive code for enhanced security.

## Start two-factor authentication configuration

First, you need to request two-factor authentication secrets to complete the configuration.
The secret token should be added to a third-party authentication app such as Google Authenticator or Authy.
A 6-digit code should then be obtained from the application to complete the action.

**URI:** https://hub.cfengine.com/api/2fa/totp/configure

**Method:** GET

**Example request (curl):**

```console
curl --user <username>:<password> \
-X GET \
https://hub.cfengine.com/api/2fa/totp/configure
```

**Successful response example:**

```
HTTP 200 Ok
{
"secret": "SYSZJJVQUIOG5ITA6HPH5PZWLZ3VUP52",
"2faUrl": "otpauth://totp/Mission%20Portal:admin?secret=SYSZJJVQUIOG5ITA6HPH5PZWLZ3VUP52&issuer=Mission%20Portal&algorithm=SHA1&digits=6&period=30",
"algorithm": "sha1",
"digits": 6,
"period": 30,
"issuer": "Mission Portal",
"holder": "admin"
}
```

**Responses:**

| HTTP response code | Description |
|---------------------------|----------------------------------------|
| 200 OK | 2FA configuration successfully created |
| 500 Internal server error | Internal server error |



## Complete two-factor authentication configuration

**URI:** https://hub.cfengine.com/api/2fa/totp/configure

**Method:** POST

**Parameters:**

* **code** *(string)*
6-digit code from the authentication application

**Example request (curl):**

```console
curl --user <username>:<password> \
-X POST \
https://hub.cfengine.com/api/2fa/totp/configure \
--data-raw '{"code": "000000"}'
```

**Successful response example:**

```
HTTP 200 Ok
2FA successfully enabled for this user.
```

**Responses:**

| HTTP response code | Description |
|---------------------------|-----------------------------|
| 200 OK | 2FA successfully configured |
| 400 Bad request | 2FA verification failed. |
| 500 Internal server error | Internal server error |


## Disable two-factor authentication for the current user

**URI:** https://hub.cfengine.com/api/2fa/totp/disable

**Method:** POST

**Headers:**

* **Cf-2FA-Token** *(string)*
6-digit code from the authentication application

**Example request (curl):**

```console
curl --user <username>:<password> \
-X POST \
https://hub.cfengine.com/api/2fa/totp/disable \
--header 'Cf-2FA-Token: 537987'
```

**Successful response example:**

```
HTTP 200 Ok
2FA successfully disabled for this user.
```

**Responses:**

| HTTP response code | Description |
|---------------------------|----------------------------------------|
| 200 OK | 2FA successfully disabled |
| 401 Unauthorized | Invalid two-factor authentication code |
| 409 Conflict | 2FA is not enabled for this user |
| 500 Internal server error | Internal server error |

## Disable two-factor authentication for other users

In case if a regular user loses access to the authentication application, specific users (admin role by default)
with the `Disable 2FA for any user` RBAC role (alias 2fa.any-user.disable) will be able to
disable two-factor authentication for that user.

**URI:** https://hub.cfengine.com/api/2fa/totp/disable/user/:username

**Method:** POST

**Example request (curl):**

```console
curl --user <username>:<password> \
-X POST \
https://hub.cfengine.com/api/2fa/totp/disable/user/giorgio
```

**Successful response example:**

```
HTTP 200 Ok
2FA successfully disabled for `giorgio` user.
```

**Responses:**

| HTTP response code | Description |
|---------------------------|----------------------------------------|
| 200 OK | 2FA successfully disabled |
| 401 Unauthorized | Invalid two-factor authentication code |
| 409 Conflict | 2FA is not enabled for this user |
| 500 Internal server error | Internal server error |



## Verify two-factor authentication code

This API endpoint verifies the authentication code. If OAuth authentication is used and the code is valid,
your authorization token will be flagged as verified for 5 minutes. During this 5-minute period after successful
verification, you will not need to provide the authorization code from the authentication application.

**URI:** https://hub.cfengine.com/api/2fa/totp/verify

**Method:** POST

**Parameters:**

* **code** *(string)*
6-digit code from the authentication application

**Example request (curl):**

```console
curl --user <username>:<password> \
-X POST \
https://hub.cfengine.com/api/2fa/totp/veify \
--data-raw '{"code": "000000"}'
```

**Successful response example:**

```
HTTP 200 Ok
2FA successfully verified.
```

**Responses:**

| HTTP response code | Description |
|---------------------------|----------------------------------|
| 200 OK | 2FA successfully verified |
| 409 Conflict | 2FA is not enabled for this user |
| 500 Internal server error | Internal server error |


## Check if verification is needed

This API endpoint checks if 2FA verification is needed. Only needed for OAuth authentication method
as for the Basic authentication is needed every time.

**URI:** https://hub.cfengine.com/api/2fa/verification-needed

**Method:** GET


**Example request (curl):**

```console
curl -X GET \
https://hub.cfengine.com/api/2fa/verification-needed \
--header 'Authorization: Bearer 627135e5a0b142cfdc738c38ad0c0067bc0960e5'
```

**Successful response example:**

```
HTTP 200 Ok
{
"result": true
}
```

**Responses:**

| HTTP response code | Description |
|---------------------------|----------------------------------|
| 200 OK | 2FA successfully checked |
| 409 Conflict | 2FA is not enabled for this user |
| 500 Internal server error | Internal server error |
13 changes: 10 additions & 3 deletions api/enterprise-api-ref/users-rbac.markdown
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,8 @@ API call allowed only for administrator.
"admin",
"cf_remoteagent"
],
"external": false
"external": false,
"two_factor_enabled": true
},
{
"id": "admin",
Expand All @@ -50,7 +51,8 @@ API call allowed only for administrator.
"admin",
"cf_remoteagent"
],
"external": false
"external": false,
"two_factor_enabled": false
},
{
"id": "user_1",
Expand All @@ -74,6 +76,8 @@ API call allowed only for administrator.
List of assigned RBAC roles.
* **external**
Is user from external source (LDAP/AD).
* **two_factor_enabled**
Is a user has enabled two-factor authentication

**Example usage:** `Example: Listing users`

Expand Down Expand Up @@ -105,7 +109,8 @@ API call allowed only for administrator.
"linux_team"
],
"external": false,
"time_zone": "Europe/Oslo"
"time_zone": "Europe/Oslo",
"two_factor_enabled": false
}
]
}
Expand All @@ -123,6 +128,8 @@ API call allowed only for administrator.
Is user from external source (LDAP/AD).
* **time_zone**
Time zone
* **two_factor_enabled**
Is a user has enabled two-factor authentication

**Example usage:** `Example: Retrieving a user`

Expand Down

0 comments on commit 0215d80

Please sign in to comment.