
Nextcloud 2FA Provider that uses e-mail as transport
GNU Affero General Public License v3.0

Allow admins to enable twofactor_email for existing users #363

Open nursoda opened 1 year ago

nursoda commented 1 year ago

At least via OCC (in the twofactorauth and/or twofactor_email namespace), and ideally also via the web interface.

Currently, there's only this occ command:

$ occ twofactorauth:disable USER email
The provider does not support this operation.
$ occ twofactorauth:enable USER email
The provider does not support this operation.
BluePixel4k commented 8 months ago

I would also like to see this feature for the email 2FA app. Support via occ is essential; support via the web interface would also be nice.

mmccarn commented 1 month ago

Here are some scripts I use for managing MFA settings.

Assumptions:

mfa.sh

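#!/bin/bash
# mfa.sh — enable/disable the "email" or "totp" 2FA provider for one Nextcloud
# user by upserting oc_twofactor_providers directly, or print the user's
# current 2FA state.
#
# Usage: mfa.sh [uid] ["email"|"totp"|"check"] [0|1] [-f]
#   uid               Nextcloud user id to alter
#   email|totp|check  provider to set, or "check" to only print status
#   0|1               disable (0) or enable (1) the selected provider
#   -f                force the update for a uid outside SPECIFIED DOMAINS
#
# Exit status: 0 on success; 2 on a usage error; 1 when the arguments are
# invalid or the uid is outside SPECIFIED DOMAINS and -f was not given.
#
# The uid is handed to psql as a variable and referenced as :'uid', so it is
# quoted as a SQL literal instead of being spliced into the statement text.
# The provider and enabled values are validated against a fixed set before use.
set -uo pipefail

readonly occ_cmd=(sudo -u www-data php /var/www/nextcloud/occ)
readonly psql_cmd=(sudo -u postgres psql -d nextcloud)

# Print the syntax summary and exit 2 (usage error).
usage() {
  printf 'Syntax:\n\n'
  # $0 is an argument here, never the format string.
  printf '%s [uid] ["email"|"totp"|"check"] [0|1] [-f]\n\n' "$0"
  printf '[uid]: select uid to alter\n'
  printf '[email|totp|check]: select MFA mechanism to set, or check existing status\n'
  printf '[0|1]: disable(0) or enable(1) the selected MFA mechanism\n'
  printf '[-f]: force update of a uid that does not match SPECIFIED DOMAINS\n\n'
  exit 2
}

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Show the provider rows, occ settings and last login for a uid.
# Arguments: $1 - uid
# Outputs:   status report on stdout
#######################################
show_status() {
  local uid=$1
  printf '\n'
  "${psql_cmd[@]}" -v uid="$uid" -f - <<'SQL'
select provider_id, uid, enabled
from oc_twofactor_providers
where uid = :'uid';
SQL

  # Replace the leading "settings:" marker with the uid; the uid reaches awk
  # through -v, so it is never parsed as part of the program.
  "${occ_cmd[@]}" user:setting "$uid" settings \
    | awk -v uid="$uid" '{ sub(/^[ -]*settings:/, "uid: " uid); print }'

  "${occ_cmd[@]}" user:lastseen "$uid" \
    | sed 's/^.*last login/    - last login/'
}

#######################################
# Return 0 when the uid belongs to one of the SPECIFIED DOMAINS.
# Arguments: $1 - uid
#######################################
is_specified_domain() {
  local uid=$1
  [[ "$uid" == *"@gmail.com" || "$uid" == *"@hotmail.com" ]]
}

main() {
  [[ -n "${2:-}" ]] || usage
  local uid=$1 mechanism=$2 enabled=${3:-} force=${4:-}

  if [[ "$mechanism" == "check" ]]; then
    show_status "$uid"
    exit 0
  fi

  # Only the two known provider ids may be written; anything else used to fall
  # through to the update and be inserted verbatim as provider_id.
  [[ "$mechanism" == "email" || "$mechanism" == "totp" ]] \
    || die "unknown MFA mechanism '$mechanism' (expected email, totp or check)"
  [[ "$enabled" == "0" || "$enabled" == "1" ]] \
    || die "third argument must be 0 (disable) or 1 (enable)"

  # SPECIFIED DOMAINS gate: refuse foreign uids unless -f was given
  # (the -f test is case-insensitive, as before).
  if ! is_specified_domain "$uid" && [[ "${force,,}" != "-f" ]]; then
    "${occ_cmd[@]}" user:info "$uid" \
      | grep -E 'user_id|email|last_seen' \
      | sed -e 's/user_id/uid/' -e 's/^[ -]*//' \
      | tr '\n' '\t'
    printf '\n\nYou must specify "-f" to force the update for non-SPECIFIED domains\n\n'
    exit 1
  fi

  # do the actual update (upsert on provider_id,uid)
  "${psql_cmd[@]}" -v uid="$uid" -v provider="$mechanism" -v enabled="$enabled" -f - <<'SQL'
insert into oc_twofactor_providers (provider_id, uid, enabled)
values (:'provider', :'uid', :enabled)
on conflict (provider_id, uid) do update set enabled = :enabled;
SQL
}

main "$@"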

mfa-audit.sh

#!/usr/bin/bash
# mfa-audit.sh — one row per Nextcloud user showing which 2FA providers are
# enabled (email, totp, backup codes, notification app, webauthn), ordered by
# the domain part of the uid.  The left join keeps users that have no
# provider row at all; they show 0 in every column.  Runs psql as postgres.

# The query is kept as a quoted here-doc so no shell escaping is needed
# around the SQL string literals and column aliases.
audit_sql=$(cat <<'SQL'
select left(split_part(o.uid,'@',2),15) as domain, o.uid,
  sum(case when o.provider_id='email' then o.enabled else 0 end) as "email",
  sum(case when o.provider_id='totp' then o.enabled else 0 end) as "totp",
  sum(case when o.provider_id='backup_codes' then o.enabled else 0 end) as "codes",
  sum(case when o.provider_id='twofactor_nextcloud_notification' then o.enabled else 0 end) as "nc app",
  sum(case when o.provider_id='webauthn' then o.enabled else 0 end) as "webauthn"
from (select u.uid, m.provider_id, m.enabled from oc_users u
      left join oc_twofactor_providers m on u.uid = m.uid) o
group by o.uid order by domain, o.uid;
SQL
)
readonly audit_sql

sudo -u postgres psql -d nextcloud -c "$audit_sql"