
Allow admins to enable twofactor_email for existing users

Open nursoda opened this issue 2 years ago • 2 comments

At least via OCC (in the twofactorauth and/or twofactor_email namespace), ideally also via web interface.

Currently, there's only this occ command:

$ occ twofactorauth:disable USER email
The provider does not support this operation.
$ occ twofactorauth:enable USER email
The provider does not support this operation.

nursoda, Mar 15 '23 10:03

I would also like to see this feature for the email 2FA app. Via occ is essential, and via the web interface would also be nice.

BluePixel4k, Nov 04 '23 08:11

Here are some scripts I use for managing MFA settings.

Assumptions:

  • NC/config/config.php
    • 'dbtype' => 'pgsql'
    • 'dbname' => 'nextcloud'
    • 'dbtableprefix' => 'oc_'
  • The user ID ("UID") is the same as the user's email address (or at least looks like an email address)
  • pgsql username is "postgres" and the current user is authorized to "sudo -u postgres"
  • "SPECIFIED" domains on my system is the list of email domains I manage directly;
    • My user accounts have working emails and UIDs that look like their email
    • I have specified "gmail.com" and "hotmail.com" below.
    • Using a non-specified domain lists the uid and email so you can make sure it looks correct before forcing the update.

mfa.sh

  • set or check email or totp mfa for a user
  • "check" lists the relevant database entries then uses occ for confirmation
#!/bin/bash
# mfa.sh - set or check email/totp MFA for one Nextcloud user (PostgreSQL backend)
if [[ -z "$2" ]]
then
	printf "Syntax:\n\n"
	printf '%s [uid] ["email"|"totp"|"check"] [0|1] [-f]\n\n' "$0"
	printf "[uid]: select uid to alter\n"
	printf "[email|totp|check]: select MFA mechanism to set, or check existing status\n"
	printf "[0|1]: disable(0) or enable(1) the selected MFA mechanism\n"
	printf "[-f]: force update of a uid that does not match SPECIFIED DOMAINS\n\n"
	exit 1
fi
if [[ "$2" != "email" && "$2" != "totp" ]]
then
	if [[ "$2" == "check" ]]
	then
		printf "\n"
		# raw provider rows for this uid
		sudo -u postgres psql \
		-d nextcloud \
		-c "select provider_id, uid, enabled \
		from oc_twofactor_providers \
		where uid = '$1';"

		# confirm via occ: the user's settings and last login
		sudo -u www-data php /var/www/nextcloud/occ \
		user:setting "$1" settings \
		| sed 's/^[ -]*settings:/uid: '"$1"'/'

		sudo -u www-data php /var/www/nextcloud/occ \
		user:lastseen "$1" \
		| sed 's/^.*last login/    - last login/'
		exit 0
	fi
	# anything other than email, totp or check is a usage error
	printf "Unknown mechanism \"%s\" (expected email, totp or check)\n" "$2"
	exit 1
fi
if [[ "$3" != "0" && "$3" != "1" ]]
then
	printf "[0|1] is required: disable(0) or enable(1)\n"
	exit 1
fi
# SPECIFIED DOMAINS: uids in these domains are updated without -f
if ! [[ "$1" == *"@gmail.com" || "$1" == *"@hotmail.com" || "${4,,}" == "-f" ]]
then
	sudo -u www-data php /var/www/nextcloud/occ \
	user:info "$1" \
	| grep -E 'user_id|email|last_seen' \
	| sed -e 's/user_id/uid/' -e 's/^[ -]*//' \
	| tr "\n" "\t"
	printf "\n\nYou must specify \"-f\" to force the update for non-SPECIFIED domains\n\n"
	exit 1
fi
# do the actual update: insert the provider row, or flip its enabled flag if it exists
echo "insert into oc_twofactor_providers (provider_id, uid, enabled) values ('$2','$1',$3) on conflict (provider_id,uid) do update set enabled = $3;" \
| sudo -u postgres psql -d nextcloud -f -

mfa-audit.sh

  • list all users by the domain portion of uids that look like emails
  • include 1 or 0 for each of these mfa providers
    • email
    • totp
    • backup_codes
    • nextcloud app
    • webauthn
#!/usr/bin/bash
# mfa-audit.sh - one row per user: domain part of the uid, the uid, and a 1/0
# column per 2FA provider. The left join keeps users that have no row in
# oc_twofactor_providers at all (every provider column reads 0 for them).

sudo -u postgres psql \
	-d nextcloud \
	-c "select left(split_part(o.uid,'@',2),15) as domain, o.uid, \
	sum(case when o.provider_id='email' then o.enabled else 0 end) as \"email\", \
	sum(case when o.provider_id='totp' then o.enabled else 0 end) as \"totp\", \
	sum(case when o.provider_id='backup_codes' then o.enabled else 0 end) as \"codes\", \
	sum(case when o.provider_id='twofactor_nextcloud_notification' then o.enabled else 0 end) as \"nc app\", \
	sum(case when o.provider_id='webauthn' then o.enabled else 0 end) as \"webauthn\" \
	from (select u.uid, m.provider_id, m.enabled from oc_users u \
	      left join oc_twofactor_providers m on u.uid = m.uid) o \
	group by o.uid order by domain, o.uid;"

mmccarn, May 12 '24 15:05
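The update step in mfa.sh above splices the uid and provider name straight into the SQL text, so whoever can run the script can also run arbitrary SQL as the database owner by passing a crafted uid. The following is an added example, not code from the thread or from the twofactor_email project: it performs the same upsert into oc_twofactor_providers, but validates the arguments first and passes them to psql as variables (`:'uid'`, `:'provider'`), which psql quotes itself. It assumes the same setup as mfa.sh (PostgreSQL, database "nextcloud", table prefix "oc_", psql run via "sudo -u postgres"); the provider allow-list is constructed from the provider ids used in mfa-audit.sh. It does not change what is written to the database, so whether the app honours a directly written row is the same question as for the original script.

```shell
#!/bin/sh
# Added example (not from the thread): hardened replacement for the
# "do the actual update" step of mfa.sh. The uid and provider never reach
# the SQL text; they are validated here and handed to psql as variables.
# Assumed environment: PostgreSQL, database "nextcloud", prefix "oc_",
# psql run as the "postgres" OS user via sudo.
set -eu

# Provider ids this wrapper is willing to toggle; anything else is refused.
# (Allow-list constructed from the provider ids in mfa-audit.sh.)
valid_provider() {
	case "$1" in
		email|totp|backup_codes|twofactor_nextcloud_notification|webauthn) return 0 ;;
		*) return 1 ;;
	esac
}

# The uid must look like an email address. The case pattern rejects any
# character outside a small allow-list (quotes, ';', whitespace and
# newlines included); grep then checks the overall shape.
valid_uid() {
	case "$1" in
		''|*[!A-Za-z0-9._%+@-]*) return 1 ;;
	esac
	printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

# The enabled flag is substituted into the SQL unquoted, so it must be
# exactly 0 or 1.
valid_flag() {
	case "$1" in
		0|1) return 0 ;;
		*) return 1 ;;
	esac
}

# The statement contains no user input. :'uid' and :'provider' are psql
# variables that psql emits as properly quoted SQL literals; :flag is
# emitted raw, which is why valid_flag runs before this is executed.
upsert_sql() {
	cat <<'SQL'
insert into oc_twofactor_providers (provider_id, uid, enabled)
values (:'provider', :'uid', :flag)
on conflict (provider_id, uid) do update set enabled = excluded.enabled;
SQL
}

# set_mfa UID PROVIDER 0|1 : validate the three arguments, then run the
# upsert through psql with the values bound as psql variables.
set_mfa() {
	uid="$1"; provider="$2"; flag="$3"
	valid_uid "$uid"           || { echo "rejected uid: $uid" >&2; return 2; }
	valid_provider "$provider" || { echo "rejected provider: $provider" >&2; return 2; }
	valid_flag "$flag"         || { echo "flag must be 0 or 1, got: $flag" >&2; return 2; }
	upsert_sql | sudo -u postgres psql -d nextcloud -v ON_ERROR_STOP=1 \
		-v uid="$uid" -v provider="$provider" -v flag="$flag" -f -
}

if [ "$#" -eq 3 ]; then
	set_mfa "$@"
elif [ "$#" -ne 0 ]; then
	echo "usage: $0 UID email|totp|backup_codes|twofactor_nextcloud_notification|webauthn 0|1" >&2
	exit 2
fi
```

Run it as `./set-mfa.sh alice@example.com email 1`. The SPECIFIED-domains check from mfa.sh is deliberately left out of this example so that it stays focused on the argument handling; it can be wired in before the call to set_mfa exactly as in the original.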