Merge pull request #6125 from rubygems/reset-webauthn-admin

Reset webauthn devices in reset 2FA action

Author: jenshenny

app/avo/actions/reset_user_2fa.rb

@@ -5,14 +5,17 @@ class Avo::Actions::ResetUser2fa < Avo::Actions::ApplicationAction
   }
 
   self.message = lambda {
-    "Are you sure you would like to disable MFA and reset the password for #{record.handle} #{record.email}?"
+    "Are you sure you would like to disable MFA, WebAuthn devices, and reset the password for #{record.handle} #{record.email}?"
   }
 
   self.confirm_button_label = "Reset MFA"
 
   class ActionHandler < Avo::Actions::ActionHandler
     def handle_record(user)
-      user.disable_totp!
+      user.disable_totp! if user.totp_enabled?
+      user.webauthn_credentials.destroy_all if user.webauthn_enabled?
+      user.reset_mfa_attributes
+
       user.password = SecureRandom.hex(20).encode("UTF-8")
       user.save!
     end

app/models/concerns/user_multifactor_methods.rb

@@ -72,6 +72,12 @@ def mfa_method_added(default_level)
     self.mfa_hashed_recovery_codes = new_mfa_recovery_codes.map { |code| BCrypt::Password.create(code) }
   end
 
+  def reset_mfa_attributes
+    self.mfa_level = "disabled"
+    self.new_mfa_recovery_codes = nil
+    self.mfa_hashed_recovery_codes = []
+  end
+
   private
 
   def strong_mfa_level?

app/models/concerns/user_totp_methods.rb

@@ -12,10 +12,7 @@ def totp_disabled?
   def disable_totp!
     self.totp_seed = nil
 
-    if no_mfa_devices?
-      self.mfa_level = "disabled"
-      self.mfa_hashed_recovery_codes = []
-    end
+    reset_mfa_attributes if no_mfa_devices?
 
     save!(validate: false)
     Mailer.totp_disabled(id, Time.now.utc).deliver_later

app/models/webauthn_credential.rb

@@ -28,9 +28,7 @@ def enable_user_mfa
 
   def disable_user_mfa
     return unless user.no_mfa_devices?
-    user.mfa_level = :disabled
-    user.new_mfa_recovery_codes = nil
-    user.mfa_hashed_recovery_codes = []
+    user.reset_mfa_attributes
     user.save!(validate: false)
   end
 end

test/system/avo/users_test.rb

@@ -12,7 +12,9 @@ class Avo::UsersSystemTest < ApplicationSystemTestCase
 
     user = create(:user)
     user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
+    webauthn_credential = create(:webauthn_credential, user:)
     user_attributes = user.attributes.with_indifferent_access
+    webauthn_attributes = webauthn_credential.attributes.with_indifferent_access
 
     visit avo.resources_user_path(user)
 
@@ -41,6 +43,7 @@ class Avo::UsersSystemTest < ApplicationSystemTestCase
     assert_not_equal user_attributes[:encrypted_password], user.encrypted_password
     assert_nil user.totp_seed
     assert_empty user.mfa_hashed_recovery_codes
+    assert_empty user.webauthn_credentials
 
     audit = user.audits.sole
     event = user.events.where(tag: Events::UserEvent::PASSWORD_CHANGED).sole
@@ -64,6 +67,10 @@ class Avo::UsersSystemTest < ApplicationSystemTestCase
               .except("mfa_level", "updated_at", "totp_seed", "mfa_hashed_recovery_codes", "encrypted_password")
               .transform_values(&:as_json)
           },
+          "gid://gemcutter/WebauthnCredential/#{webauthn_credential.id}" => {
+            "changes" => webauthn_attributes.transform_values { [it.as_json, nil] },
+            "unchanged" => {}
+          },
           event.to_gid.as_json => {
             "changes" => event.attributes.transform_values { [nil, it.as_json] },
             "unchanged" => {}