diff --git a/src/FusionAuthClient.ts b/src/FusionAuthClient.ts
index 37455d9..1de0592 100644
--- a/src/FusionAuthClient.ts
+++ b/src/FusionAuthClient.ts
@@ -232,6 +232,26 @@ export class FusionAuthClient {
 .go();
 }
 
+ /**
+ * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
+ * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+ * your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication.
+ *
+ * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+ *
+ * @param {string} changePasswordId The change password Id used to find the user. This value is generated by FusionAuth once the change password workflow has been initiated.
+ * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+ * @returns {Promise>}
+ */
+ checkChangePasswordUsingIdAndIPAddress(changePasswordId: string, ipAddress: string): Promise> {
+ return this.startAnonymous()
+ .withUri('/api/user/change-password')
+ .withUriSegment(changePasswordId)
+ .withParameter('ipAddress', ipAddress)
+ .withMethod("GET")
+ .go();
+ }
+
 /**
 * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
 * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
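Review bot: The `ipAddress` argument of `checkChangePasswordUsingIdAndIPAddress` feeds MFA risk assessment, but its `@param` text does not say where the value must come from; the JWT, loginId and loginIdTypes variants added in the next three hunks have the same gap. If an integrator fills it from a request header that the end user controls rather than from the address their server or a trusted proxy observed, the risk check evaluates an address chosen by the user. I would extend the `@param` line to read `IP address of the user changing their password, as observed by your server or a trusted proxy; never pass an unvalidated client-supplied header value.`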
@@ -250,6 +270,26 @@ export class FusionAuthClient {
 .go();
 }
 
+ /**
+ * Check to see if the user must obtain a Trust Token Id in order to complete a change password request.
+ * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+ * your password, you must obtain a Trust Token by completing a Two-Factor Step-Up authentication.
+ *
+ * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+ *
+ * @param {string} encodedJWT The encoded JWT (access token).
+ * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+ * @returns {Promise>}
+ */
+ checkChangePasswordUsingJWTAndIPAddress(encodedJWT: string, ipAddress: string): Promise> {
+ return this.startAnonymous()
+ .withUri('/api/user/change-password')
+ .withAuthorization('Bearer ' + encodedJWT)
+ .withParameter('ipAddress', ipAddress)
+ .withMethod("GET")
+ .go();
+ }
+
 /**
 * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
 * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
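Review bot: `ipAddress` is documented as "(Optional)" on `checkChangePasswordUsingJWTAndIPAddress`, yet the signature declares it as a required `string`, so the comment and the type disagree; the Id, loginId and loginIdTypes variants in the neighbouring hunks carry the same mismatch. Either drop "(Optional)" from the `@param` line, or declare `ipAddress?: string`, the latter only if `withParameter` omits undefined values, which this diff does not show. As written, a caller without an address has to pass an empty string, and whether that goes out as a bare `ipAddress=` parameter is also not visible here.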
@@ -268,6 +308,26 @@ export class FusionAuthClient {
 .go();
 }
 
+ /**
+ * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+ * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+ * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+ *
+ * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+ *
+ * @param {string} loginId The loginId (email or username) of the User that you intend to change the password for.
+ * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+ * @returns {Promise>}
+ */
+ checkChangePasswordUsingLoginIdAndIPAddress(loginId: string, ipAddress: string): Promise> {
+ return this.start()
+ .withUri('/api/user/change-password')
+ .withParameter('loginId', loginId)
+ .withParameter('ipAddress', ipAddress)
+ .withMethod("GET")
+ .go();
+ }
+
 /**
 * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
 * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
@@ -288,6 +348,28 @@ export class FusionAuthClient {
 .go();
 }
 
+ /**
+ * Check to see if the user must obtain a Trust Request Id in order to complete a change password request.
+ * When a user has enabled Two-Factor authentication, before you are allowed to use the Change Password API to change
+ * your password, you must obtain a Trust Request Id by completing a Two-Factor Step-Up authentication.
+ *
+ * An HTTP status code of 400 with a general error code of [TrustTokenRequired] indicates that a Trust Token is required to make a POST request to this API.
+ *
+ * @param {string} loginId The loginId of the User that you intend to change the password for.
+ * @param {Array} loginIdTypes The identity types that FusionAuth will compare the loginId to.
+ * @param {string} ipAddress (Optional) IP address of the user changing their password. This is used for MFA risk assessment.
+ * @returns {Promise>}
+ */
+ checkChangePasswordUsingLoginIdAndLoginIdTypesAndIPAddress(loginId: string, loginIdTypes: Array, ipAddress: string): Promise> {
+ return this.start()
+ .withUri('/api/user/change-password')
+ .withParameter('loginId', loginId)
+ .withParameter('loginIdTypes', loginIdTypes)
+ .withParameter('ipAddress', ipAddress)
+ .withMethod("GET")
+ .go();
+ }
+
 /**
 * Make a Client Credentials grant request to obtain an access token.
 *
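Review bot: `checkChangePasswordUsingLoginIdAndLoginIdTypesAndIPAddress` hands the `loginIdTypes` array straight to `.withParameter('loginIdTypes', loginIdTypes)`, and nothing in this diff shows how `withParameter` encodes an array into the query string. If the value is simply stringified, the types would presumably arrive as one comma-joined parameter instead of one `loginIdTypes` entry per element, and the server might then match the loginId against a different set of identity types than the caller intended. A comment on that line naming the encoding relied on, for instance `// withParameter emits one loginIdTypes entry per array element`, would settle it once confirmed against the REST client.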
@@ -3853,6 +3935,24 @@ export class FusionAuthClient {
 .go();
 }
 
+ /**
+ * Retrieve a user's two-factor status.
+ *
+ * This can be used to see if a user will need to complete a two-factor challenge to complete a login,
+ * and optionally identify the state of the two-factor trust across various applications. This operation
+ * provides more payload options than retrieveTwoFactorStatus.
+ *
+ * @param {TwoFactorStatusRequest} request The request object that contains all the information used to check the status.
+ * @returns {Promise>}
+ */
+ retrieveTwoFactorStatusWithRequest(request: TwoFactorStatusRequest): Promise> {
+ return this.start()
+ .withUri('/api/two-factor/status')
+ .withJSONBody(request)
+ .withMethod("POST")
+ .go();
+ }
+
 /**
 * Retrieves the user for the given Id.
 *
@@ -5974,6 +6074,7 @@ export interface AuthenticationTokenConfiguration extends Enableable {
 export interface LambdaConfiguration {
 accessTokenPopulateId?: UUID;
 idTokenPopulateId?: UUID;
+ multiFactorRequirementId?: UUID;
 samlv2PopulateId?: UUID;
 selfServiceRegistrationValidationId?: UUID;
 userinfoPopulateId?: UUID;
@@ -6840,6 +6941,19 @@ export enum ContentStatus {
 REJECTED = "REJECTED"
 }
 
+/**
+ * Represents the inbound lambda parameter 'context' for MFA Required lambdas.
+ */
+export interface Context {
+ accessToken?: string;
+ action?: MultiFactorAction;
+ application?: Application;
+ authenticationThreats?: Array;
+ eventInfo?: EventInfo;
+ mfaTrust?: Trust;
+ policies?: Policies;
+}
+
 /**
 * A number identifying a cryptographic algorithm. Values should be registered with the IANA COSE Algorithms registry
@@ -9067,7 +9181,8 @@ export enum LambdaType {
 SCIMServerUserResponseConverter = "SCIMServerUserResponseConverter",
 SelfServiceRegistrationValidation = "SelfServiceRegistrationValidation",
 UserInfoPopulate = "UserInfoPopulate",
- LoginValidation = "LoginValidation"
+ LoginValidation = "LoginValidation",
+ MFARequirement = "MFARequirement"
 }
 
 /**
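Review bot: The exported name `Context`, added in the `@@ -6840,6 +6941,19 @@` hunk, is very generic for a type that, by its own comment, only describes the `context` parameter of MFA Required lambdas; `Policies` and `Trust` in later hunks have the same problem. In one flat module of exported types such names are easy to mistake for an unrelated context type or to shadow on import. If the names are not dictated by the server's domain model, which the diff does not show, a prefix such as `MFAContext` would make the scope obvious. Otherwise the comment should say explicitly that the type must not be reused outside the MFA requirement lambda.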
@@ -9426,6 +9541,15 @@ export interface MonthlyActiveUserReportResponse {
 total?: number;
 }
 
+/**
+ * Communicate various actions/contexts in which multi-factor authentication can be used.
+ */
+export enum MultiFactorAction {
+ changePassword = "changePassword",
+ login = "login",
+ stepUp = "stepUp"
+}
+
 /**
 * @author Daniel DeGroff
 */
@@ -9871,6 +9995,15 @@ export interface PhoneUnverifiedOptions {
 behavior?: UnverifiedBehavior;
 }
 
+/**
+ * Represents the inbound lambda parameter 'policies' for MFA Required lambdas.
+ */
+export interface Policies {
+ applicationLoginPolicy?: MultiFactorLoginPolicy;
+ applicationMultiFactorTrustPolicy?: ApplicationMultiFactorTrustPolicy;
+ tenantLoginPolicy?: MultiFactorLoginPolicy;
+}
+
 /**
 * @author Michael Sleevi
 */
@@ -10101,6 +10234,7 @@ export interface ReactorStatus {
 expiration?: string;
 licenseAttributes?: Record;
 licensed?: boolean;
+ multiFactorLambdas?: ReactorFeatureStatus;
 scimServer?: ReactorFeatureStatus;
 tenantManagerApplication?: ReactorFeatureStatus;
 threatDetection?: ReactorFeatureStatus;
@@ -10322,6 +10456,14 @@ export interface Requirable extends Enableable {
 required?: boolean;
 }
 
+/**
+ * Represents the inbound lambda parameter 'result' for MFA Required lambdas.
+ */
+export interface RequiredLambdaResult {
+ required?: boolean;
+ sendSuspiciousLoginEvent?: boolean;
+}
+
 /**
 * Interface describing the need for CORS configuration.
 *
@@ -10874,6 +11016,7 @@ export interface TenantFormConfiguration {
 */
 export interface TenantLambdaConfiguration {
 loginValidationId?: UUID;
+ multiFactorRequirementId?: UUID;
 scimEnterpriseUserRequestConverterId?: UUID;
 scimEnterpriseUserResponseConverterId?: UUID;
 scimGroupRequestConverterId?: UUID;
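Review bot: In the `RequiredLambdaResult` hunk, `required?: boolean` is optional and the comment does not say what applies when a lambda leaves it unset. For a value that decides whether a second factor is demanded, the default matters: from this declaration a reader cannot tell whether `undefined` means the challenge is skipped or the tenant and application policies still apply. I would add a field comment such as `// When unset, <documented server default> applies`, with the placeholder replaced from the server documentation. A one-line comment on what `sendSuspiciousLoginEvent` triggers would also help.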
@@ -11275,6 +11418,26 @@ export enum TransactionType {
 AbsoluteMajority = "AbsoluteMajority"
 }
 
+/**
+ * Represents the inbound lambda parameter 'mfaTrust' inside the 'context' parameter for MFA Required lambdas.
+ */
+export interface Trust {
+ applicationId?: UUID;
+ attributes?: Record;
+ expirationInstant?: number;
+ id?: string;
+ insertInstant?: number;
+ startInstants?: StartInstant;
+ state?: Record;
+ tenantId?: UUID;
+ userId?: UUID;
+}
+
+export interface StartInstant {
+ applications?: Record;
+ tenant?: number;
+}
+
 /**
 * @author Brett Guy
 */
@@ -11434,6 +11597,17 @@ export interface TwoFactorStartResponse {
 twoFactorId?: string;
 }
 
+/**
+ * Check the status of two-factor authentication for a user, with more options than on a GET request.
+ */
+export interface TwoFactorStatusRequest extends BaseEventRequest {
+ accessToken?: string;
+ action?: MultiFactorAction;
+ applicationId?: UUID;
+ twoFactorTrustId?: string;
+ userId?: UUID;
+}
+
 /**
 * @author Daniel DeGroff
 */
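Review bot: `StartInstant`, added alongside `Trust`, is the only new exported interface in this commit without a doc comment, and none of the instant fields (`expirationInstant`, `insertInstant`, `tenant`, the values of `applications`) state their unit. Code that decides from `expirationInstant` whether an MFA trust is still valid gets the wrong answer if it assumes seconds where the server sends milliseconds, or the reverse. I would add a header such as `/** Start instants of the MFA trust for the tenant and per application. */`, wording to be confirmed against the server model. Each instant field should also state its unit.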
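Review bot: `TwoFactorStatusRequest` makes `userId`, `accessToken` and `twoFactorTrustId` all optional, and its comment does not say which field identifies the user or which wins when both `userId` and `accessToken` are sent. Without that, a caller can believe the status was evaluated for the token's subject when the server used the supplied `userId`, or the other way round; the diff does not show which. The comment should spell out the accepted combinations. It should also note that `accessToken` and `twoFactorTrustId` are credentials, so bodies of this type should be kept out of request logs.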