vault
MFA: TOTP: Add a non-administrative destroy call, use non-administrative calls in the UI
Hello,
The UI to set up MFA with TOTP is using administrative calls, which can be an issue since entities with restricted rights must have permission to call those endpoints, allowing them to add or remove TOTP for any entity.
This PR changes the UI to use the non-administrative endpoints, which can be granted to anyone since they do not pose a security risk.
Since the 'destroy' endpoint exists only in an administrative version, this PR also adds a new non-administrative endpoint, like the 'generate' endpoint.
Hello,
Any feedback for this PR? It would be great to have this feature :)
Thanks,
I too was looking to allow a non-administrative user to generate their own TOTP method using the UI, so would like to see this included 😄
Having just had a browse through the file changes, should the default policy also grant access to the identity/mfa/method/totp/generate and identity/mfa/method/totp/destroy endpoints? e.g.
```hcl
# Allow a user to generate their own TOTP QR code / method
path "identity/mfa/method/totp/generate" {
  capabilities = ["create", "update"]
}

# Allow a user to destroy their own TOTP method
path "identity/mfa/method/totp/destroy" {
  capabilities = ["create", "update"]
}
```
Otherwise, I think there should be documentation about the required user policy permissions somewhere.
I've also noticed a typo on the totp.mdc documentation page. Line 178 doesn't need my_totp/ in the URL. I'll add a comment on it.
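The distinction the PR description draws (administrative calls take an `entity_id`, so granting them lets a caller enrol any entity; the self-service `generate` call does not) and the policy proposed in the comment above, shown end to end as an added example. This is not code from the PR or from Vault. It assumes `VAULT_ADDR`, `VAULT_TOKEN` and a `TOTP_METHOD_ID` environment variable holding the id an admin got back when creating the TOTP method; the `admin-generate` helper is included only to show the contrast and is not something a user policy should grant; the `identity/mfa/method/totp/destroy` path inside the policy string is the endpoint this PR proposes, not one served by a release that predates it. The local RFC 6238 code computation lets the user confirm that the secret Vault returned actually works before relying on it.

```python
"""Self-service TOTP enrolment against Vault, plus local verification of the
returned secret. Added example for this thread, not code from the PR."""
import base64
import hashlib
import hmac
import json
import os
import struct
import time
import urllib.parse
import urllib.request

# Policy proposed in the comment above. The "destroy" path is the endpoint this
# PR adds; a Vault release that predates the PR does not serve it.
USER_POLICY = """
path "identity/mfa/method/totp/generate" {
  capabilities = ["create", "update"]
}
path "identity/mfa/method/totp/destroy" {
  capabilities = ["create", "update"]
}
"""


def vault_post(path, body, addr=None, token=None):
    """POST a JSON body to Vault using the same env vars the CLI reads."""
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def generate_own_totp(method_id):
    """Non-administrative call: no entity_id, so the token holder can only
    enrol the entity it belongs to. Returns the otpauth:// URL Vault hands back."""
    return vault_post("identity/mfa/method/totp/generate",
                      {"method_id": method_id})["data"]["url"]


def admin_generate_totp(method_id, entity_id):
    """Administrative call the old UI used. Anyone allowed to call this can
    enrol an arbitrary entity, which is the exposure the PR removes."""
    return vault_post("identity/mfa/method/totp/admin-generate",
                      {"method_id": method_id, "entity_id": entity_id})["data"]["url"]


def parse_otpauth(url):
    """Pull the secret and parameters out of an otpauth://totp/... URL."""
    parts = urllib.parse.urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError(f"not a TOTP otpauth URL: {url}")
    q = dict(urllib.parse.parse_qsl(parts.query))
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def totp_code(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC over the time counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def current_code_for(url, now=None):
    """Code a user's authenticator app would show for the enrolled secret."""
    p = parse_otpauth(url)
    return totp_code(p["secret"], now if now is not None else time.time(),
                     p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    # TOTP_METHOD_ID is assumed: the id returned when an admin created the
    # method with `vault write identity/mfa/method/totp ...`.
    url = generate_own_totp(os.environ["TOTP_METHOD_ID"])
    print(url)
    print("current code:", current_code_for(url))
```

Run it with a token whose policy contains only the two `identity/mfa/method/totp/...` paths above; `generate_own_totp` succeeds while `admin_generate_totp` is rejected with a permission error, which is exactly the separation the PR is after.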
Non-administrative calls in the UI were added in https://github.com/hashicorp/vault/pull/17932, but a non-administrative destroy is still missing.
Hi folks - we are discussing this internally with our engineering teams and product owners. I apologize for the delay and want to say that we appreciate your patience. :)