Added TOTP setup to CLI.

Cargo.lock

@@ -351,6 +351,12 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4cbbc9d0964165b47557570cce6c952866c2678457aca742aafc9fb771d30270"
 
+[[package]]
+name = "base32"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23ce669cd6c8588f79e15cf450314f9638f967fc5770ff1c7c1deb0925ea7cfa"
+
 [[package]]
 name = "base64"
 version = "0.12.3"
@@ -460,6 +466,12 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
+[[package]]
+name = "checked_int_cast"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17cc5e6b5ab06331c33589842070416baa137e8b0eb912b008cfd4a78ada7919"
+
 [[package]]
 name = "chrono"
 version = "0.4.31"
@@ -597,6 +609,31 @@ dependencies = [
  "cfg-if 1.0.0",
 ]
 
+[[package]]
+name = "crossterm"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e64e6c0fbe2c17357405f7c758c1ef960fce08bdfb2c03d88d2a18d7e09c4b67"
+dependencies = [
+ "bitflags 1.3.2",
+ "crossterm_winapi",
+ "libc",
+ "mio",
+ "parking_lot",
+ "signal-hook",
+ "signal-hook-mio",
+ "winapi",
+]
+
+[[package]]
+name = "crossterm_winapi"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "acdd7c62a3665c7f6830a51635d9ac9b23ed385797f70a83bb8bafe9c572ab2b"
+dependencies = [
+ "winapi",
+]
+
 [[package]]
 name = "crypto-common"
 version = "0.1.6"
@@ -653,6 +690,7 @@ checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
  "block-buffer 0.10.4",
  "crypto-common",
+ "subtle",
 ]
 
 [[package]]
@@ -942,6 +980,15 @@ dependencies = [
  "digest 0.9.0",
 ]
 
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest 0.10.7",
+]
+
 [[package]]
 name = "http-client"
 version = "6.5.3"
@@ -1109,6 +1156,16 @@ version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da2479e8c062e40bf0066ffa0bc823de0a9368974af99c9f6df941d2c231e03f"
 
+[[package]]
+name = "lock_api"
+version = "0.4.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45"
+dependencies = [
+ "autocfg",
+ "scopeguard",
+]
+
 [[package]]
 name = "log"
 version = "0.4.20"
@@ -1154,6 +1211,18 @@ dependencies = [
  "syn 1.0.109",
 ]
 
+[[package]]
+name = "mio"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3dce281c5e46beae905d4de1870d8b1509a9142b62eedf18b443b011ca8343d0"
+dependencies = [
+ "libc",
+ "log",
+ "wasi 0.11.0+wasi-snapshot-preview1",
+ "windows-sys",
+]
+
 [[package]]
 name = "num-traits"
 version = "0.2.17"
@@ -1187,6 +1256,29 @@ version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e52c774a4c39359c1d1c52e43f73dd91a75a614652c825408eec30c95a9b2067"
 
+[[package]]
+name = "parking_lot"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e"
+dependencies = [
+ "cfg-if 1.0.0",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-targets",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.0"
@@ -1365,6 +1457,25 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "qr2term"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c2a1e77b5cd714b04247ad912b7c8fe9a1fe1d58425048249def91bcf690e4c"
+dependencies = [
+ "crossterm",
+ "qrcode",
+]
+
+[[package]]
+name = "qrcode"
+version = "0.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16d2f1455f3630c6e5107b4f2b94e74d76dea80736de0981fd27644216cff57f"
+dependencies = [
+ "checked_int_cast",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.33"
@@ -1445,6 +1556,15 @@ dependencies = [
  "rand_core 0.5.1",
 ]
 
+[[package]]
+name = "redox_syscall"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
+dependencies = [
+ "bitflags 1.3.2",
+]
+
 [[package]]
 name = "ring"
 version = "0.16.20"
@@ -1529,6 +1649,12 @@ dependencies = [
  "winapi-util",
 ]
 
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
 [[package]]
 name = "semver"
 version = "0.9.0"
@@ -1634,6 +1760,17 @@ dependencies = [
  "sha1_smol",
 ]
 
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if 1.0.0",
+ "cpufeatures",
+ "digest 0.10.7",
+]
+
 [[package]]
 name = "sha1_smol"
 version = "1.0.0"
@@ -1664,6 +1801,27 @@ dependencies = [
  "digest 0.10.7",
 ]
 
+[[package]]
+name = "signal-hook"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8621587d4798caf8eb44879d42e56b9a93ea5dcd315a6487c357130095b62801"
+dependencies = [
+ "libc",
+ "signal-hook-registry",
+]
+
+[[package]]
+name = "signal-hook-mio"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29ad2e15f37ec9a6cc544097b78a1ec90001e9f71b81338ca39f430adaca99af"
+dependencies = [
+ "libc",
+ "mio",
+ "signal-hook",
+]
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.1"
@@ -1691,6 +1849,12 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "smallvec"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a"
+
 [[package]]
 name = "smol"
 version = "1.3.0"
@@ -1815,7 +1979,7 @@ dependencies = [
  "serde",
  "serde_derive",
  "serde_json",
- "sha1",
+ "sha1 0.6.1",
  "syn 1.0.109",
 ]
 
@@ -2114,17 +2278,22 @@ checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9"
 name = "uidc"
 version = "0.1.0"
 dependencies = [
+ "base32",
  "base64 0.13.1",
+ "chrono",
  "clap",
  "handlebars",
+ "hmac 0.12.1",
  "lazy_static",
  "log",
  "microrm",
+ "qr2term",
  "ring",
  "rpassword",
  "serde",
  "serde_bytes",
  "serde_json",
+ "sha1 0.10.6",
  "sha2 0.10.8",
  "smol",
  "stderrlog",

Cargo.toml

@@ -11,11 +11,15 @@ smol = "1.3"
 log = "0.4"
 serde = { version =  "1.0", features = ["derive"] }
 lazy_static = "1.4.0"
+chrono = "0.4"
 
 # crypto
 ring = { version = "0.16.20", features = ["std"] }
-sha2 = { version = "0.10.2" }
+sha1 = { version = "0.10" }
+sha2 = { version = "0.10" }
+base32 = { version = "0.4.0" }
 base64 = { version = "0.13.0" }
+hmac = { version = "0.12" }
 
 # configuration
 toml = "0.8.2"
@@ -33,3 +37,4 @@ serde_json = "1.0"
 clap = { version = "3.1.15", features = ["derive"] }
 rpassword = "6.0"
 stderrlog = "0.5"
+qr2term = "0.3.1"

simple-setup.sh

@@ -18,3 +18,5 @@ $UIDC group create testgroup
 $UIDC role create testrole
 $UIDC group attach-role testgroup testrole
 $UIDC group attach-user testgroup kestrel
+$UIDC scope create testscope
+$UIDC scope attach-role testscope testrole

src/cli.rs

@@ -339,7 +339,12 @@ impl ScopeArgs {
             ScopeCommand::DetachRole {
                 scope_name,
                 role_name,
-            } => todo!(),
+            } => scope_management::detach_role(
+                &qi,
+                args.realm_id,
+                scope_name.as_str(),
+                role_name.as_str(),
+            ),
             ScopeCommand::Inspect { scope_name } => {
                 scope_management::inspect_scope(&qi, args.realm_id, scope_name.as_str())
             }
@@ -494,6 +499,9 @@ enum UserCommand {
 
         #[clap(short = 'p', long, parse(from_occurrences))]
         change_password: usize,
+
+        #[clap(short = 't', long, parse(from_occurrences))]
+        change_totp: usize,
     },
     Inspect {
         username: String,
@@ -517,11 +525,13 @@ impl UserArgs {
             UserCommand::Auth {
                 username,
                 change_password,
+                change_totp
             } => user_management::change_auth(
                 &qi,
                 args.realm_id,
                 username.as_str(),
                 *change_password > 0,
+                *change_totp > 0,
             ),
             UserCommand::Inspect { username } => {
                 user_management::inspect(&qi, args.realm_id, username.as_str())

src/schema.rs

@@ -1,3 +1,4 @@
+use microrm::make_index;
 pub use microrm::{Entity, Modelable, Schema};
 use serde::{Deserialize, Serialize};
 
@@ -8,6 +9,8 @@ pub struct PersistentConfig {
     pub value: String,
 }
 
+make_index!(!PersistentConfigIndex, PersistentConfig::Key);
+
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Session {
     pub key: String,
@@ -19,22 +22,26 @@ microrm::make_index!(!SessionKeyIndex, Session::Key);
 /// Authentication state for a session. If no challenges are left, it's considered authorized.
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct SessionAuthentication {
-    #[microrm_foreign]
-    pub session: SessionID,
     #[microrm_foreign]
     pub realm: RealmID,
     #[microrm_foreign]
+    pub session: SessionID,
+    #[microrm_foreign]
     pub user: UserID,
 
     pub challenges_left: Vec<AuthChallengeType>,
 }
 
+make_index!(!SessionAuthenticationIndex, SessionAuthentication::Realm, SessionAuthentication::Session, SessionAuthentication::User);
+
 // **** oauth types ****
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Realm {
     pub shortname: String,
 }
 
+make_index!(!RealmIndex, Realm::Shortname);
+
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Key {
     #[microrm_foreign]
@@ -52,6 +59,8 @@ pub struct User {
     pub username: String,
 }
 
+make_index!(!UserIndex, User::Realm, User::Username);
+
 #[derive(Clone, Copy, Debug, PartialEq, Modelable, Serialize, Deserialize)]
 pub enum AuthChallengeType {
     Username,
@@ -72,6 +81,8 @@ pub struct AuthChallenge {
     pub secret: Vec<u8>,
 }
 
+make_index!(AuthChallengeIndex, AuthChallenge::User);
+
 /// User semantic grouping
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Group {
@@ -80,6 +91,8 @@ pub struct Group {
     pub shortname: String,
 }
 
+make_index!(!GroupIndex, Group::Realm, Group::Shortname);
+
 /// User membership in group
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct GroupMembership {
@@ -89,6 +102,8 @@ pub struct GroupMembership {
     pub user: UserID,
 }
 
+make_index!(!GroupMembershipIndex, GroupMembership::Group, GroupMembership::User);
+
 /// OAuth2 client representation
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Client {
@@ -98,7 +113,7 @@ pub struct Client {
     pub secret: String,
 }
 
-microrm::make_index!(!ClientNameIndex, Client::Realm, Client::Shortname);
+make_index!(!ClientNameIndex, Client::Realm, Client::Shortname);
 
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct ClientRedirect {
@@ -107,6 +122,8 @@ pub struct ClientRedirect {
     pub redirect: String,
 }
 
+make_index!(ClientRedirectIndex, ClientRedirect::Client);
+
 /// Requested group of permissions
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Scope {
@@ -115,6 +132,8 @@ pub struct Scope {
     pub shortname: String,
 }
 
+make_index!(!ScopeIndex, Scope::Realm, Scope::Shortname);
+
 /// Specific atomic permission
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Role {
@@ -123,6 +142,8 @@ pub struct Role {
     pub shortname: String,
 }
 
+make_index!(!RoleIndex, Role::Realm, Role::Shortname);
+
 /// Role membership in scope
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct ScopeRole {
@@ -132,6 +153,8 @@ pub struct ScopeRole {
     pub role: RoleID,
 }
 
+make_index!(!ScopeRoleIndex, ScopeRole::Scope, ScopeRole::Role);
+
 /// Assigned permissions in group
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct GroupRole {
@@ -141,6 +164,8 @@ pub struct GroupRole {
     pub role: RoleID,
 }
 
+make_index!(!GroupRoleIndex, GroupRole::Group, GroupRole::Role);
+
 #[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct RevokedToken {
     #[microrm_foreign]
@@ -148,25 +173,42 @@ pub struct RevokedToken {
     pub nonce: String,
 }
 
+make_index!(!RevokedTokenIndex, RevokedToken::User, RevokedToken::Nonce);
+
 pub fn schema() -> Schema {
     Schema::new()
+        // global config types
         .entity::<PersistentConfig>()
+        .index::<PersistentConfigIndex>()
+        // session types
         .entity::<Session>()
         .index::<SessionKeyIndex>()
         .entity::<SessionAuthentication>()
+        .index::<SessionAuthenticationIndex>()
         // oauth types
         .entity::<Realm>()
+        .index::<RealmIndex>()
         .entity::<Key>()
         .entity::<User>()
+        .index::<UserIndex>()
         .entity::<AuthChallenge>()
+        .index::<AuthChallengeIndex>()
         .entity::<Group>()
+        .index::<GroupIndex>()
         .entity::<GroupMembership>()
+        .index::<GroupMembershipIndex>()
         .entity::<Client>()
         .index::<ClientNameIndex>()
         .entity::<ClientRedirect>()
+        .index::<ClientRedirectIndex>()
         .entity::<Scope>()
+        .index::<ScopeIndex>()
         .entity::<Role>()
+        .index::<RoleIndex>()
         .entity::<ScopeRole>()
+        .index::<ScopeRoleIndex>()
         .entity::<GroupRole>()
+        .index::<GroupRoleIndex>()
         .entity::<RevokedToken>()
+        .index::<RevokedTokenIndex>()
 }

src/scope_management.rs

@@ -79,3 +79,34 @@ pub fn attach_role(
         }
     }
 }
+
+pub fn detach_role(
+    qi: &microrm::QueryInterface,
+    realm_id: schema::RealmID,
+    scope_name: &str,
+    role_name: &str,
+) -> Result<(), UIDCError> {
+    let scope = qi
+        .get()
+        .by(schema::Scope::Realm, &realm_id)
+        .by(schema::Scope::Shortname, scope_name)
+        .one()?;
+    let role = qi
+        .get()
+        .by(schema::Role::Realm, &realm_id)
+        .by(schema::Role::Shortname, role_name)
+        .one()?;
+
+    if let Some((scope, role)) = scope.as_ref().zip(role) {
+        qi.delete()
+            .by(schema::ScopeRole::Scope, &scope.id())
+            .by(schema::ScopeRole::Role, &role.id())
+            .exec()?
+    } else if scope.is_none() {
+        println!("No such scope!");
+    } else {
+        println!("No such role!");
+    }
+
+    Ok(())
+}

src/token_management.rs

@@ -84,18 +84,32 @@ pub fn inspect_token(
     };
 
     let jwt = jwt::JWT::verify(&pubkey, token.as_str());
-    if let Some(claims) = jwt.as_ref().and_then(jwt::JWT::claims) {
+    if jwt.is_none() {
+        println!("Signature validation against realm key failed!");
+    } else if let Some(claims) = jwt.as_ref().and_then(jwt::JWT::claims) {
         println!("Base claims:");
-        println!(" - issuer    : {}", claims.iss);
-        println!(" - audience  : {}", claims.aud);
-        println!(" - subject   : {}", claims.sub);
-        println!(" - issued at : {} [{}]", claims.iat, "");
-        println!(" - expires at: {} [{}]", claims.exp, "");
+        println!(" - issuer      : {}", claims.iss);
+        println!(" - audience    : {}", claims.aud);
+        println!(" - subject     : {}", claims.sub);
+        println!(
+            " - issued at   : {} [{}]",
+            claims.iat,
+            chrono::DateTime::<chrono::Utc>::from_timestamp(claims.iat as i64, 0)
+                .unwrap()
+                .to_rfc2822()
+        );
+        println!(
+            " - expires at  : {} [{}]",
+            claims.exp,
+            chrono::DateTime::<chrono::Utc>::from_timestamp(claims.exp as i64, 0)
+                .unwrap()
+                .to_rfc2822()
+        );
         for claim in claims.extras {
-            println!(" - {:10}: {}", claim.0, claim.1);
+            println!(" - {:12}: {}", claim.0, claim.1);
         }
     } else {
-        println!("Signature validation against realm key or claim parsing failed!");
+        println!("Claim parsing failed!");
     }
     Ok(())
 }

src/user.rs

@@ -5,6 +5,8 @@ use microrm::prelude::*;
 pub enum UserError {
     NoSuchUser,
     NoSuchChallenge,
+    ChallengeInvalid,
+    InvalidInput,
 }
 
 pub struct User {
@@ -14,6 +16,24 @@ pub struct User {
 
 static PBKDF2_ROUNDS: std::num::NonZeroU32 = unsafe { std::num::NonZeroU32::new_unchecked(20000) };
 
+fn generate_totp_digits(secret: &[u8], time_offset: isize) -> Result<u32, UIDCError> {
+    use hmac::Mac;
+
+    let mut mac = hmac::Hmac::<sha1::Sha1>::new_from_slice(secret).map_err(|_| UserError::ChallengeInvalid)?;
+
+    let timestamp = std::time::SystemTime::now().duration_since(std::time::SystemTime::UNIX_EPOCH).unwrap().as_secs();
+    let interval = 30;
+    let time_index = (timestamp / interval) as isize + time_offset;
+
+    mac.update(u64::to_be_bytes(time_index as u64).as_slice());
+    let hmac = mac.finalize().into_bytes();
+
+    // this is from RFC4226
+    let offset = (hmac[19] & 0xf) as usize;
+    let truncation = u32::from_be_bytes(hmac[offset..offset+4].try_into().unwrap()) & 0x7fff_ffff;
+    Ok(truncation % 1_000_000)
+}
+
 impl User {
     pub fn from_model(model: microrm::WithID<schema::User>) -> Self {
         Self {
@@ -22,6 +42,10 @@ impl User {
         }
     }
 
+    pub fn id(&self) -> schema::UserID {
+        self.id
+    }
+
     pub fn change_username(
         &self,
         qi: &microrm::QueryInterface,
@@ -61,24 +85,23 @@ impl User {
 
         match which {
             schema::AuthChallengeType::Password => {
-                self.verify_password_challenge(challenge.wrapped(), response)
+                self.verify_password_challenge(&challenge.wrapped(), response)
             }
             schema::AuthChallengeType::TOTP => {
-                self.verify_totp_challenge(challenge.wrapped(), response)
+                self.verify_totp_challenge(&challenge.wrapped(), response)
             }
             _ => todo!(),
         }
     }
 
-    pub fn set_new_password(&self, qi: &microrm::QueryInterface, password: &[u8]) {
+    pub fn set_new_password(&self, qi: &microrm::QueryInterface, password: &[u8]) -> Result<(), UIDCError> {
         qi.delete()
             .by(schema::AuthChallenge::User, &self.id)
             .by(
                 schema::AuthChallenge::ChallengeType,
                 &schema::AuthChallengeType::Password,
             )
-            .exec()
-            .expect("couldn't query db");
+            .exec()?;
 
         let rng = ring::rand::SystemRandom::new();
         let salt: [u8; 16] = ring::rand::generate(&rng)
@@ -100,13 +123,46 @@ impl User {
             challenge_type: schema::AuthChallengeType::Password,
             public: salt.into(),
             secret: generated.into(),
-        })
-        .expect("couldn't set password");
+        })?;
+        Ok(())
+    }
+
+    pub fn generate_totp_with_uri(&self, qi: &microrm::QueryInterface) -> Result<(Vec<u8>, String), UIDCError> {
+        let rng = ring::rand::SystemRandom::new();
+        let secret: [u8; 16] = ring::rand::generate(&rng)
+            .expect("Couldn't generate random secret?")
+            .expose();
+
+        let uri_secret = base32::encode(base32::Alphabet::RFC4648 { padding: false }, secret.as_slice());
+
+        let username = qi.get().by_id(&self.id).one()?.ok_or(UIDCError::Abort("no such user"))?.wrapped().username;
+
+        let uri = format!("otpauth://totp/uidc:{username}@uidc?secret={uri_secret}&issuer=uidc");
+
+        Ok((secret.into(), uri))
     }
 
-    fn verify_password_challenge(
+    pub fn set_new_totp(&self, qi: &microrm::QueryInterface, secret: &[u8]) -> Result<(), UIDCError> {
+        qi.delete()
+            .by(schema::AuthChallenge::User, &self.id)
+            .by(
+                schema::AuthChallenge::ChallengeType,
+                &schema::AuthChallengeType::TOTP,
+            )
+            .exec()?;
+
+        qi.add(&schema::AuthChallenge {
+            user: self.id,
+            challenge_type: schema::AuthChallengeType::TOTP,
+            public: vec![],
+            secret: secret.into(),
+        })?;
+        Ok(())
+    }
+
+    pub fn verify_password_challenge(
         &self,
-        challenge: schema::AuthChallenge,
+        challenge: &schema::AuthChallenge,
         response: &[u8],
     ) -> Result<bool, UIDCError> {
         use ring::pbkdf2;
@@ -121,11 +177,20 @@ impl User {
         .is_ok())
     }
 
-    fn verify_totp_challenge(
+    pub fn verify_totp_challenge(
         &self,
-        challenge: schema::AuthChallenge,
+        challenge: &schema::AuthChallenge,
         response: &[u8],
     ) -> Result<bool, UIDCError> {
-        todo!()
+        let response_digits = std::str::from_utf8(response).map_err(|_| UserError::InvalidInput)?.parse::<u32>().map_err(|_| UserError::InvalidInput)?;
+
+        // allow for some clock skew
+        for time_offset in -2..3 {
+            if generate_totp_digits(challenge.secret.as_slice(), time_offset)? == response_digits {
+                return Ok(true)
+            }
+        }
+
+        Ok(false)
     }
 }

src/user_management.rs

@@ -49,6 +49,7 @@ pub fn change_auth(
     realm_id: schema::RealmID,
     username: &str,
     change_password: bool,
+    change_totp: bool,
 ) -> Result<(), UIDCError> {
     // check that the user exists
     let existing_user = qi
@@ -62,7 +63,26 @@ pub fn change_auth(
 
     if change_password {
         let raw_pass = rpassword::prompt_password("Enter new user password: ").unwrap();
-        user.set_new_password(qi, raw_pass.as_bytes());
+        user.set_new_password(qi, raw_pass.as_bytes())?;
+    }
+    if change_totp {
+        let (new_secret, new_uri) = user.generate_totp_with_uri(qi)?;
+        println!("Please confirm you can generate tokens with the new secret:");
+        qr2term::print_qr(new_uri.as_str()).map_err(|_| UIDCError::Abort("could not display QR code"))?;
+        let new_challenge = schema::AuthChallenge {
+            user: user.id(),
+            challenge_type: schema::AuthChallengeType::TOTP,
+            public: vec![],
+            secret: new_secret.clone()
+        };
+
+        loop {
+            let digits = rpassword::prompt_password("TOTP code: ").unwrap();
+            if user.verify_totp_challenge(&new_challenge, digits.as_bytes())? {
+                break
+            }
+        }
+        user.set_new_totp(qi, new_secret.as_slice())?;
     }
     Ok(())
 }