Remove TOTP seed of a user (#440)

aviadl · web-flow · commit 4880691f8acb · 2025-02-24T20:35:59.000+02:00
+ tests related to descope/etc#9344
diff --git a/lib/management/paths.ts b/lib/management/paths.ts
@@ -33,6 +33,7 @@ export default {
     setActivePassword: '/v1/mgmt/user/password/set/active',
     expirePassword: '/v1/mgmt/user/password/expire',
     removeAllPasskeys: '/v1/mgmt/user/passkeys/delete',
+    removeTOTPSeed: '/v1/mgmt/user/totp/delete',
     generateOTPForTest: '/v1/mgmt/tests/generate/otp',
     generateMagicLinkForTest: '/v1/mgmt/tests/generate/magiclink',
     generateEnchantedLinkForTest: '/v1/mgmt/tests/generate/enchantedlink',
diff --git a/lib/management/user.test.ts b/lib/management/user.test.ts
@@ -1872,6 +1872,36 @@ describe('Management User', () => {
     });
   });
 
+  describe('removeTOTPSeed', () => {
+    it('should send the correct request and receive correct response', async () => {
+      const httpResponse = {
+        ok: true,
+        json: () => {},
+        clone: () => ({
+          json: () => Promise.resolve({}),
+        }),
+        status: 200,
+      };
+      mockHttpClient.post.mockResolvedValue(httpResponse);
+
+      const loginId = 'some-id';
+      const resp = await management.user.removeTOTPSeed(loginId);
+
+      expect(mockHttpClient.post).toHaveBeenCalledWith(
+        apiPaths.user.removeTOTPSeed,
+        { loginId },
+        { token: 'key' },
+      );
+
+      expect(resp).toEqual({
+        code: 200,
+        data: {},
+        ok: true,
+        response: httpResponse,
+      });
+    });
+  });
+
   describe('history', () => {
     it('should send the correct request and receive correct response', async () => {
       const usersHistoryRes = [
diff --git a/lib/management/user.ts b/lib/management/user.ts
@@ -992,6 +992,18 @@ const withUser = (sdk: CoreSdk, managementKey?: string) => {
         (data) => data,
       ),
 
+    /**
+     * Removes TOTP seed for the user with the given login ID.
+     * Note: The user might not be able to login anymore if they have no other authentication
+     * methods or a verified email/phone.
+     * @param loginId The login ID of the user
+     */
+    removeTOTPSeed: (loginId: string): Promise<SdkResponse<never>> =>
+      transformResponse<never>(
+        sdk.httpClient.post(apiPaths.user.removeTOTPSeed, { loginId }, { token: managementKey }),
+        (data) => data,
+      ),
+
     /**
      * Retrieve users' authentication history, by the given user's ids.
      * @param userIds The user IDs
