# Multi-Factor Authentication (MFA) CLI commands
#
# Provides comprehensive MFA management through the control-center API
#
# NOTE: this copy of the file was flattened onto a single line by extraction;
# the statements below are re-broken one per line without changing any token.

use ../lib_provisioning/config/loader.nu get-config

# Get API base URL from config
#
# Reads `api.base_url` from the loaded config and falls back to a local
# development address when the key is absent.
def get-api-url [] {
  let config = get-config
  $config.api.base_url? | default "http://localhost:8080"
}

# Get auth token from environment or config
#
# Only the PROVISIONING_AUTH_TOKEN environment variable is consulted here;
# despite the heading, no config lookup happens. An unset variable yields "".
def get-auth-token [] {
  $env.PROVISIONING_AUTH_TOKEN? | default ""
}

# Make authenticated API request
#
# Builds `<base_url>/api/v1<endpoint>`, attaches a Bearer token and a JSON
# content type, and sends `body` (JSON-encoded) when one is given.
#
# NOTE(review): when get-auth-token returns "" the request is still sent with
# "Authorization: Bearer " — consider failing before the network call so an
# unauthenticated run produces a clear local error instead of a server 401.
# NOTE(review): nushell's `http` exposes methods as fixed subcommands
# (`http get`, `http post`, ...); confirm that passing `$method` as a value
# parses in the nushell version this project targets.
def api-request [
  method: string # HTTP method (GET, POST, DELETE)
  endpoint: string # API endpoint path
  body?: any # Request body (optional)
] {
  let base_url = get-api-url
  let token = get-auth-token
  let url = $"($base_url)/api/v1($endpoint)"
  let headers = {
    "Authorization": $"Bearer ($token)"
    "Content-Type": "application/json"
  }
  # A missing/empty body sends no payload; otherwise the record is serialised.
  if ($body | is-empty) {
    http $method $url --headers $headers
  } else {
    http $method $url --headers $headers ($body | to json)
  }
}

# ============================================================================
# TOTP Commands
# ============================================================================

# Enroll TOTP (Time-based One-Time Password)
#
# Example:
# mfa totp enroll
#
# Prints the device id and the raw TOTP secret to the terminal, then prepares
# a path for an HTML page that embeds the same secret.
# NOTE(review): the path is under /tmp (world-readable by default) and is
# derivable from the device id, while the page contains the TOTP seed. Prefer
# a file created with owner-only permissions in a private directory, and
# remove it once the QR code has been scanned.
# NOTE(review): the string literal holding the QR page is truncated in this
# copy of the file (only the `($response.secret)` interpolation survives), so
# the tail of this command — including the write to `$qr_file` — cannot be
# reviewed here.
export def "mfa totp enroll" [] {
  print "đą Enrolling TOTP device..."
  let response = api-request "POST" "/mfa/totp/enroll"
  print ""
  print "â TOTP device enrolled successfully!"
  print ""
  print "đ Device ID:" $response.device_id
  print ""
  print "đ Manual entry secret (if QR code doesn't work):"
  print $" ($response.secret)"
  print ""
  print "đą Scan this QR code with your authenticator app:"
  print " (Google Authenticator, Authy, Microsoft Authenticator, etc.)"
  print ""
  # Save QR code to file
  let qr_file = $"/tmp/mfa-qr-($response.device_id).html"
  $"
($response.secret)
'"
  print ""
}
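# Verify TOTP code
#
# Submits a code to the control-center for verification and exits with
# status 1 when the server rejects it. The code is a credential: it is not
# echoed back, and a response lacking a `verified` flag is treated as a
# failure (fail closed). NOTE(review): as a positional argument the code
# still lands in shell history; that is a property of the interface, not of
# this body.
#
# Example:
# mfa totp verify 123456
export def "mfa totp verify" [
  code: string # 6-digit TOTP code
  --device-id: string # Specific device ID (optional)
] {
  # Do not re-echo the one-time code into terminal scrollback or CI logs.
  print "đ Verifying TOTP code..."
  let body = {
    code: $code
    device_id: $device_id
  }
  let response = api-request "POST" "/mfa/totp/verify" $body
  # Missing field counts as "not verified" rather than raising on access.
  let verified = ($response.verified? | default false)
  if $verified {
    print ""
    print "â
TOTP verification successful!"
    # The flag may be absent in some responses; absent means "not used".
    if ($response.backup_code_used? | default false) {
      print "â ī¸ Note: A backup code was used"
    }
    print ""
  } else {
    print ""
    print "â TOTP verification failed"
    print " Please check your code and try again"
    print ""
    exit 1
  }
}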
# Disable TOTP
#
# Removes every TOTP device from the account; the API call is made only
# after the user types exactly "yes".
#
# Example:
# mfa totp disable
export def "mfa totp disable" [] {
  print "â ī¸ Disabling TOTP..."
  print ""
  print "This will remove all TOTP devices from your account."
  let answer = input "Are you sure? (yes/no): "
  if $answer == "yes" {
    # NOTE(review): the server's reply is not captured; an uncaptured
    # intermediate pipeline value is shown on stdout in nushell, so pipe to
    # `ignore` if that output is unwanted.
    api-request "POST" "/mfa/totp/disable"
    print ""
    print "â
TOTP disabled successfully"
    print ""
  } else {
    # Anything other than an exact "yes" aborts without touching the server.
    print "Cancelled."
  }
}
# Show backup codes status
#
# Fetches the account's backup codes and prints each one on its own line.
# The output contains live credentials; avoid redirecting it to logs.
#
# Example:
# mfa totp backup-codes
export def "mfa totp backup-codes" [] {
  print "đ Fetching backup codes status..."
  let reply = api-request "GET" "/mfa/totp/backup-codes"
  print ""
  print "đ Backup Codes:"
  # Print each code indented; the per-item nulls from print are discarded.
  $reply.backup_codes | each { |entry| print $" ($entry)" } | ignore
  print ""
}
# Regenerate backup codes
#
# Invalidates the current backup codes and prints the replacement set; the
# server call happens only after the user types exactly "yes".
#
# Example:
# mfa totp regenerate
export def "mfa totp regenerate" [] {
  print "đ Regenerating backup codes..."
  print ""
  print "â ī¸ This will invalidate all existing backup codes."
  let answer = input "Continue? (yes/no): "
  if $answer == "yes" {
    let reply = api-request "POST" "/mfa/totp/regenerate"
    print ""
    print "â
New backup codes generated:"
    print ""
    # The new codes are shown here once; treat the output as secret.
    for entry in $reply.backup_codes {
      print $" ($entry)"
    }
    print ""
    print "đž Save these codes securely!"
    print ""
  } else {
    print "Cancelled."
  }
}
# ============================================================================
# WebAuthn Commands
# ============================================================================
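# Enroll WebAuthn device (security key)
#
# WebAuthn registration needs a browser, so this command only prints where
# to complete it. `device_name` is echoed for the user; it is not sent
# anywhere from this command.
#
# Example:
# mfa webauthn enroll --device-name "YubiKey 5"
export def "mfa webauthn enroll" [
  --device-name: string = "Security Key" # Device name
] {
  print $"đ Enrolling WebAuthn device: ($device_name)"
  print ""
  print "â ī¸ WebAuthn enrollment requires browser interaction."
  # Must be an interpolated string: the plain literal previously printed
  # the text "(get-api-url)" verbatim instead of the configured base URL.
  print $" Use the Web UI at: (get-api-url)/mfa/setup"
  print ""
  print " Or use the API directly with a browser-based client."
  print ""
}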
# List WebAuthn devices
#
# Fetches the registered WebAuthn devices and prints one block per device;
# prints a short notice when none are registered.
#
# Example:
# mfa webauthn list
export def "mfa webauthn list" [] {
  print "đ Fetching WebAuthn devices..."
  let registered = api-request "GET" "/mfa/webauthn/devices"
  if not ($registered | is-empty) {
    print ""
    print "đą WebAuthn Devices:"
    print ""
    for entry in $registered {
      print $"Device: ($entry.device_name)"
      print $" ID: ($entry.id)"
      print $" Created: ($entry.created_at)"
      # `last_used` may be null for a key that has never authenticated.
      print $" Last used: ($entry.last_used | default 'Never')"
      print $" Status: (if $entry.enabled { 'â
Enabled' } else { 'â Disabled' })"
      # NOTE(review): `str join` assumes `transports` is a list — confirm
      # the server never returns null here.
      print $" Transports: ($entry.transports | str join ', ')"
      print ""
    }
  } else {
    print ""
    print "No WebAuthn devices registered"
    print ""
  }
}
# Remove WebAuthn device
#
# Deletes one registered device by id after the user types exactly "yes".
# NOTE(review): `device_id` is interpolated into the URL path without
# validation or encoding; consider checking it matches the server's id
# format before sending.
#
# Example:
# mfa webauthn remove
export def "mfa webauthn remove" [
  device_id: string # Device ID to remove
] {
  print $"đī¸ Removing WebAuthn device: ($device_id)"
  print ""
  let answer = input "Are you sure? (yes/no): "
  if $answer == "yes" {
    api-request "DELETE" $"/mfa/webauthn/devices/($device_id)"
    print ""
    print "â
Device removed successfully"
    print ""
  } else {
    print "Cancelled."
  }
}
# ============================================================================
# General MFA Commands
# ============================================================================
# Show MFA status
#
# Fetches /mfa/status and prints whether MFA is enabled, the enrolled TOTP
# and WebAuthn devices, whether backup codes exist, and a setup hint when
# MFA is off.
#
# Example:
# mfa status
export def "mfa status" [] {
  print "đ Fetching MFA status..."
  let info = api-request "GET" "/mfa/status"
  print ""
  print "đ MFA Status:"
  print $" Enabled: (if $info.enabled { 'â
Yes' } else { 'â No' })"
  print ""
  let totp = $info.totp_devices
  if not ($totp | is-empty) {
    print "đą TOTP Devices:"
    for dev in $totp {
      print $" âĸ ID: ($dev.id)"
      print $" Created: ($dev.created_at)"
      print $" Last used: ($dev.last_used | default 'Never')"
      # The label mirrors the server's `enabled` flag for the device.
      print $" Status: (if $dev.enabled { 'Enabled' } else { 'Not verified' })"
    }
    print ""
  }
  let keys = $info.webauthn_devices
  if not ($keys | is-empty) {
    print "đ WebAuthn Devices:"
    for dev in $keys {
      print $" âĸ ($dev.device_name)"
      print $" ID: ($dev.id)"
      print $" Created: ($dev.created_at)"
      print $" Last used: ($dev.last_used | default 'Never')"
    }
    print ""
  }
  # Only presence is reported; the codes themselves are not fetched here.
  if $info.has_backup_codes {
    print "đž Backup codes: Available"
    print ""
  }
  if not $info.enabled {
    print "âšī¸ MFA is not enabled. Set it up with:"
    print " âĸ mfa totp enroll - For TOTP (recommended)"
    print " âĸ mfa webauthn enroll - For hardware keys"
    print ""
  }
}
# Disable all MFA methods
#
# Removes every TOTP device, WebAuthn device and backup code. Because this
# is destructive, the confirmation requires the full phrase "disable mfa"
# rather than a bare "yes".
#
# Example:
# mfa disable
export def "mfa disable" [] {
  print "â ī¸ Disabling ALL MFA methods..."
  print ""
  print "This will remove:"
  print " âĸ All TOTP devices"
  print " âĸ All WebAuthn devices"
  print " âĸ All backup codes"
  print ""
  let answer = input "Are you ABSOLUTELY sure? Type 'disable mfa': "
  if $answer == "disable mfa" {
    api-request "POST" "/mfa/disable"
    print ""
    print "â
All MFA methods have been disabled"
    print ""
  } else {
    print "Cancelled."
  }
}
# List all MFA devices
#
# Alias for `mfa status`, which already prints every TOTP and WebAuthn
# device on the account; no separate listing endpoint is used.
#
# Example:
# mfa list-devices
export def "mfa list-devices" [] {
  mfa status
}
# ============================================================================
# Help Command
# ============================================================================
# Show MFA help
#
# Prints the command reference for the `mfa` subcommands.
export def "mfa help" [] {
  let lines = [
    ""
    "đ Multi-Factor Authentication (MFA) Commands"
    ""
    "TOTP (Time-based One-Time Password):"
    " mfa totp enroll - Enroll TOTP device"
    " mfa totp verify - Verify TOTP code"
    " mfa totp disable - Disable TOTP"
    " mfa totp backup-codes - Show backup codes status"
    " mfa totp regenerate - Regenerate backup codes"
    ""
    "WebAuthn (Hardware Security Keys):"
    " mfa webauthn enroll - Enroll security key"
    " mfa webauthn list - List registered devices"
    " mfa webauthn remove - Remove device"
    ""
    "General:"
    " mfa status - Show MFA status"
    " mfa list-devices - List all devices"
    " mfa disable - Disable all MFA"
    " mfa help - Show this help"
    ""
  ]
  # Joining with newlines and printing once yields the same bytes as one
  # print call per line.
  print ($lines | str join "\n")
}