Countly
diff --git a/‎CHANGELOG.md
+3 b/‎CHANGELOG.md
+3
diff --git a/‎api/api.js
+2-2 b/‎api/api.js
+2-2
diff --git a/‎bin/commands/scripts/apidocs.sh
+2 b/‎bin/commands/scripts/apidocs.sh
+2
diff --git a/‎bin/commands/scripts/docs.sh
+1-1 b/‎bin/commands/scripts/docs.sh
+1-1
diff --git a/‎bin/scripts/member-managament/disable_2fa.js
+54 b/‎bin/scripts/member-managament/disable_2fa.js
+54
diff --git a/‎frontend/express/app.js
+2-2 b/‎frontend/express/app.js
+2-2
diff --git a/‎frontend/express/public/.well-known/security.txt
+7 b/‎frontend/express/public/.well-known/security.txt
+7
diff --git a/‎frontend/express/public/core/user-management/javascripts/countly.models.js
+16 b/‎frontend/express/public/core/user-management/javascripts/countly.models.js
+16
diff --git a/‎frontend/express/public/core/user-management/javascripts/countly.views.js
+19 b/‎frontend/express/public/core/user-management/javascripts/countly.views.js
+19
diff --git a/‎frontend/express/public/core/user-management/templates/data-table.html
+3 b/‎frontend/express/public/core/user-management/templates/data-table.html
+3
@@ -3,6 +3,9 @@ Fixes:
 - [push] Fixed bug where IOS credentials get mixed up while sending messages from different apps at the same time
 - [push] Fixed bug where it crashes in connection pool growth because of a type mismatch in an if condition
 
+Features:
+- [user-management] Global admins can now disable 2FA for individual users
+
 Dependencies:
 - Bump express from 4.21.1 to 4.21.2
 - Bump mocha from 10.2.0 to 10.8.2
 
@@ -109,8 +109,8 @@ plugins.connectToAllDatabases().then(function() {
         password_rotation: 3,
         password_autocomplete: true,
         robotstxt: "User-agent: *\nDisallow: /",
-        dashboard_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nStrict-Transport-Security:max-age=31536000 ; includeSubDomains\nX-Content-Type-Options: nosniff",
-        api_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nAccess-Control-Allow-Origin:*",
+        dashboard_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nStrict-Transport-Security:max-age=31536000; includeSubDomains; preload\nX-Content-Type-Options: nosniff",
+        api_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nStrict-Transport-Security:max-age=31536000; includeSubDomains; preload\nAccess-Control-Allow-Origin:*",
         dashboard_rate_limit_window: 60,
         dashboard_rate_limit_requests: 500,
         proxy_hostname: "",
 
@@ -12,5 +12,7 @@ then
 elif [ "$1" = "generate" ]; then
     echo 'yes'
     echo "$DIR/../../../../plugins/"
+    npm install apidoc;
+    npm install apidoc-template;
     "$DIR/../../../node_modules/.bin/apidoc" -c "$DIR/../../../apidoc.json" -f "api/.*\\.js$" -i "$DIR/../../../plugins/" -o "$DIR/../../../frontend/express/public/apidoc/" -t "$DIR/../../../node_modules/apidoc-template/template/";
 fi
@@ -20,7 +20,7 @@ elif [ "$1" = "generate" ]; then
     npx jsdoc "$DIR/../../../frontend/express/app.js" "$DIR/../../../frontend/express/config.sample.js" "$DIR/../../../frontend/express/version.info.js" "$DIR/../../../frontend/express/locale.conf.js" "$DIR/../../../frontend/express/libs/" -R "$DIR/../../../README.md" -c  "$DIR/../../../jsdoc_conf.json" -d  "$DIR/../../../frontend/express/public/docs/app" ;
 
     #apidoc
-    npx apidoc -i "$DIR/../../../" -o "$DIR/../../../frontend/express/public/docs/apidoc" -f ".*\\.js$" -e "node_modules" ;
+    npm install apidoc; npm install apidoc-template; npx apidoc -i "$DIR/../../../" -o "$DIR/../../../frontend/express/public/docs/apidoc" -f ".*\\.js$" -e "node_modules" ;
 
     #add redirect for main folder
     echo "<html><head><meta http-equiv='Refresh' content='0; url=./api/index.html'/><script type='javascript'>window.location = './api/index.html';</script></head></html>" > "$DIR/../../../frontend/express/public/docs/index.html"
 
@@ -0,0 +1,54 @@
+/*
+Script should be placed in ./bin/scripts/member-managament/disable_2fa.js
+
+Script is used to disable user(s) 2FA by email.
+*/
+
+var pluginManager = require('../../../plugins/pluginManager.js');
+
+const dry_run = false; //if set true, there will be only information outputted about users in the email list, but 2FA disable operation will not be triggered.
+//const EMAILS = ["[email protected]", "[email protected]"];
+const EMAILS = [''];
+
+if (dry_run) {
+    console.log("This is a dry run");
+    console.log("Members will only be listed, 2FA will not be disabled");
+}
+
+pluginManager.dbConnection().then(async(countlyDb) => {
+    try {
+        // Find the users by email
+        let users = [];
+        users = await getUsers(countlyDb, EMAILS);
+
+        console.log(`The following ${users.length} user(s) 2FA will be disabled: `);
+        console.log(JSON.stringify(users));
+        if (!dry_run) {
+            await countlyDb.collection('members').updateMany({_id: {$in: users.map(user=>user._id)}},
+                {
+                    $set: {"two_factor_auth.enabled": false},
+                    $unset: {"two_factor_auth.secret_token": ""}
+                });
+            console.log("All done");
+        }
+    }
+    catch (error) {
+        console.log("ERROR: ");
+        console.log(error);
+    }
+    finally {
+        countlyDb.close();
+    }
+});
+
+function getUsers(db, emails) {
+    const query = {};
+    if (emails?.length) {
+        query.email = {
+            $in: emails
+        };
+    }
+    return db.collection('members').find(query, {
+        projection: { _id: 1, email: 1 }
+    }).toArray();
+}
@@ -171,8 +171,8 @@ plugins.setConfigs("security", {
     password_rotation: 3,
     password_autocomplete: true,
     robotstxt: "User-agent: *\nDisallow: /",
-    dashboard_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nStrict-Transport-Security:max-age=31536000 ; includeSubDomains\nX-Content-Type-Options: nosniff",
-    api_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nAccess-Control-Allow-Origin:*",
+    dashboard_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nStrict-Transport-Security:max-age=31536000; includeSubDomains; preload\nX-Content-Type-Options: nosniff",
+    api_additional_headers: "X-Frame-Options:deny\nX-XSS-Protection:1; mode=block\nStrict-Transport-Security:max-age=31536000; includeSubDomains; preload\nAccess-Control-Allow-Origin:*",
     dashboard_rate_limit_window: 60,
     dashboard_rate_limit_requests: 500
 });
 
@@ -0,0 +1,7 @@
+# If you would like to report a security issue with Countly Server, Countly SDKs
+# please get in touch via the below method
+Contact: mailto:[email protected]
+Expires: 2025-03-14T00:00:00.000Z
+Preferred-Languages: en
+Canonical: https://securitytxt.org/.well-known/security.txt
+Policy: https://countly.com/legal/privacy-policy
@@ -215,5 +215,21 @@
                 callback(err.responseJSON.result);
             });
     };
+    countlyUserManagement.disableTwoFactorAuth = function(id, callback) {
+        return $.ajax({
+            type: "GET",
+            url: countlyGlobal.path + "/i/two-factor-auth",
+            data: {
+                method: "admin_disable",
+                uid: id
+            },
+            success: function() {
+                callback();
+            },
+            error: function(err) {
+                callback(err.responseJSON.result);
+            }
+        });
+    };
 
 })((window.countlyUserManagement = window.countlyUserManagement || {}));
@@ -65,6 +65,7 @@
                 },
                 roleMap: roleMap,
                 showLogs: countlyGlobal.plugins.indexOf('systemlogs') > -1,
+                twoFactorAuth: countlyGlobal.plugins.indexOf('two-factor-auth') > -1,
                 tableDynamicCols: tableDynamicCols,
                 userManagementPersistKey: 'userManagement_table_' + countlyCommon.ACTIVE_APP_ID,
                 isGroupPluginEnabled: isGroupPluginEnabled
@@ -114,6 +115,9 @@
             }
         },
         methods: {
+            is2faEnabled: function(row) {
+                return countlyGlobal.member.global_admin && this.twoFactorAuth && row.two_factor_auth && row.two_factor_auth.enabled;
+            },
             handleCommand: function(command, index) {
                 switch (command) {
                 case "delete-user":
@@ -157,6 +161,21 @@
                         });
                     });
                     break;
+                case 'disable-2fa':
+                    countlyUserManagement.disableTwoFactorAuth(index, function(err) {
+                        if (err) {
+                            CountlyHelpers.notify({
+                                message: CV.i18n('two-factor-auth.faildisable_title'),
+                                type: 'error'
+                            });
+                            return;
+                        }
+                        CountlyHelpers.notify({
+                            message: CV.i18n('two-factor-auth.disable_title'),
+                            type: 'success'
+                        });
+                    });
+                    break;
                 }
             },
             handleSubmitFilter: function(newFilter) {
 
@@ -75,6 +75,7 @@ <h4>{{i18n('management-users.view-title')}}</h4>
             sortable="true" prop="username" :label="i18n('management-users.username')">
             <template v-slot="rowScope">
               <span class="text-medium" :data-test-id="'datatable-users-username-' + rowScope.$index">{{rowScope.row.username}}</span>
+            </template>
           </el-table-column>
           <el-table-column
             v-if="col.value === 'role'"
@@ -90,6 +91,7 @@ <h4>{{i18n('management-users.view-title')}}</h4>
             sortable="true" prop="email" :label="i18n('management-users.email')">
             <template v-slot="rowScope">
               <span class="text-medium" :data-test-id="'datatable-users-email-' + rowScope.$index">{{rowScope.row.email}}</span>
+            </template>
           </el-table-column>
           <el-table-column v-if="col.value === 'group'" sortable="true" prop="groupNames" :label="i18n('management-users.group')">
             <template v-slot="rowScope">
@@ -129,6 +131,7 @@ <h4>{{i18n('management-users.view-title')}}</h4>
               <el-dropdown-item v-if="showLogs" command="show-logs" :data-test-id="'datatable-users-more-button-view-logs-select-' + rowScope.$index">{{ i18n('management-users.view-user-logs') }}</el-dropdown-item>
               <el-dropdown-item command="reset-logins" :data-test-id="'datatable-users-more-button-reset-logins-select-' + rowScope.$index">{{ i18n('management-users.reset-failed-logins') }}</el-dropdown-item>
               <el-dropdown-item command="delete-user" :data-test-id="'datatable-users-more-button-delete-user-select-' + rowScope.$index">{{ i18n('management-users.delete-user') }}</el-dropdown-item>
+              <el-dropdown-item v-if="is2faEnabled(rowScope.row)" command="disable-2fa" :data-test-id="'datatable-users-more-button-disable-2fa-select-' + rowScope.$index">{{ i18n('management-users.disable-2fa-user') }}</el-dropdown-item>
             </cly-more-options>
           </template>
         </el-table-column>