Add option for administrators to disable MFA for users

Signed-off-by: Tim Goudriaan <tim@codedmonkey.com>

Author: codedmonkey

src/Controller/Dashboard/DashboardUserController.php

@@ -9,6 +9,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Config\Actions;
 use EasyCorp\Bundle\EasyAdminBundle\Config\Crud;
 use EasyCorp\Bundle\EasyAdminBundle\Controller\AbstractCrudController;
+use EasyCorp\Bundle\EasyAdminBundle\Field\BooleanField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\ChoiceField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\EmailField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
@@ -68,5 +69,8 @@ public function configureFields(string $pageName): iterable
             ->renderExpanded()
             ->allowMultipleChoices()
             ->setSortable(false);
+        yield BooleanField::new('totpAuthenticationEnabled', 'Multi-factor authentication')
+            ->setHelp('form.user.help.totp-authentication-enabled')
+            ->onlyOnForms();
     }
 }

src/Doctrine/Entity/User.php

@@ -182,6 +182,15 @@ public function isTotpAuthenticationEnabled(): bool
         return null !== $this->totpSecret;
     }
 
+    public function setTotpAuthenticationEnabled(bool $enabled): void
+    {
+        if (!$this->isTotpAuthenticationEnabled() || $enabled) {
+            throw new \LogicException(sprintf('TOTP authentication can not be enabled through the `%s` method.', __METHOD__));
+        }
+
+        $this->totpSecret = null;
+    }
+
     public function getTotpAuthenticationUsername(): string
     {
         return $this->username;

src/EasyAdmin/MfaAuthenticationConfigurator.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CodedMonkey\Dirigent\EasyAdmin;
+
+use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use EasyCorp\Bundle\EasyAdminBundle\Context\AdminContext;
+use EasyCorp\Bundle\EasyAdminBundle\Contracts\Field\FieldConfiguratorInterface;
+use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
+use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
+
+class MfaAuthenticationConfigurator implements FieldConfiguratorInterface
+{
+    public function supports(FieldDto $field, EntityDto $entityDto): bool
+    {
+        return User::class === $entityDto->getFqcn() && 'totpAuthenticationEnabled' === $field->getProperty();
+    }
+
+    public function configure(FieldDto $field, EntityDto $entityDto, AdminContext $context): void
+    {
+        /** @var User $user */
+        $user = $entityDto->getInstance();
+
+        if (!$user->isTotpAuthenticationEnabled()) {
+            $field->setFormTypeOption('disabled', true);
+        }
+    }
+}

translations/messages.en.yaml

@@ -122,3 +122,8 @@ account:
     qr-code-alt: QR-code containing the MFA secret.
     state-disabled: Multi-factor authentication is currently disabled.
     state-enabled: Multi-factor authentication is currently enabled.
+
+form:
+  user:
+    help:
+      totp-authentication-enabled: Multi-factor authentication can be disabled for users that lost their access to their MFA code, but has to be enabled by the user.