Allow admins to remove TOTP using cli

backend/areas/users/user_service.py

@@ -91,6 +91,10 @@ class UserService:
 
         return UserService.get_user(res["id"])
 
+    @staticmethod
+    def reset_2fa(id):
+        KratosApi.delete("/admin/identities/{}/credentials/totp".format(id))
+
 
     @staticmethod
     def __start_recovery_flow(email):

backend/areas/users/users.py

@@ -36,6 +36,14 @@ def get_user_recovery(id):
     res = UserService.create_recovery_link(id)
     return jsonify(res)
 
+@api_v1.route("/users/<string:id>/reset_2fa", methods=["POST"])
+@jwt_required()
+@cross_origin()
+@admin_required()
+def reset_2fa(id):
+    res = UserService.reset_2fa(id)
+    return jsonify(res)
+
 @api_v1.route("/users", methods=["POST"])
 @jwt_required()
 @cross_origin()

backend/cliapp/cliapp/cli.py

@@ -17,8 +17,9 @@ from sqlalchemy import func
 from config import HYDRA_ADMIN_URL, KRATOS_ADMIN_URL, KRATOS_PUBLIC_URL
 from helpers import KratosUser
 from cliapp import cli
-from areas.roles import Role
 from areas.apps import AppRole, App
+from areas.roles import Role
+from areas.users import UserService
 from database import db
 
 # APIs
@@ -400,4 +401,22 @@ def recover_user(email):
         current_app.logger.error(f"Error while getting reset link: {error}")
 
 
+@user_cli.command("reset_2fa")
+@click.argument("email")
+def reset_2fa(email):
+    """Remove configured second factor for a user.
+    :param email: Email address of the user
+    """
+
+    current_app.logger.info(f"Removing second factor for user: {email}")
+
+    try:
+        # Get the ID of the user
+        kratos_user = KratosUser.find_by_email(kratos_identity_api, email)
+        # Get a recovery URL
+        UserService.reset_2fa(kratos_user.uuid)
+    except Exception as error:  # pylint: disable=broad-except
+        current_app.logger.error(f"Error while removing second factor: {error}")
+
+
 cli.cli.add_command(user_cli)