feat: allow for getting 2fa enabled users via /api/v1/admin/users (#12091)

Allow for filtering users with 2fa enabled as admin. So that it is easy to audit users' settings compliance with iso27001, etc. Resolves #11800 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12091 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Dominik Zyla <zylad@noreply.codeberg.org> Co-committed-by: Dominik Zyla <zylad@noreply.codeberg.org>
2026-05-12 22:10:25 +00:00 · 2026-04-16 19:52:56 +02:00 · 2026-04-16 19:52:56 +02:00 · 6236a4cc99
commit 6236a4cc99
parent 39f677c0db
3 changed files with 49 additions and 6 deletions
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@ -416,6 +416,10 @@ func SearchUsers(ctx *context.APIContext) {
 	//   in: query
 	//   description: user's login name to search for
 	//   type: string
+	// - name: is_2fa_enabled
+	//   in: query
+	//   description: whether or not to filter users with the 2fa enabled
+	//   type: boolean
 	// - name: sort
 	//   in: query
 	//   description: sort order of results
@ -446,12 +450,13 @@ func SearchUsers(ctx *context.APIContext) {
 	}

 	users, maxResults, err := user_model.SearchUsers(ctx, &user_model.SearchUserOptions{
-		Actor:       ctx.Doer,
-		Type:        user_model.UserTypeIndividual,
-		LoginName:   ctx.FormTrim("login_name"),
-		SourceID:    sourceID,
-		OrderBy:     utils.GetDbSearchOrder(ctx),
-		ListOptions: listOptions,
+		Actor:              ctx.Doer,
+		Type:               user_model.UserTypeIndividual,
+		LoginName:          ctx.FormTrim("login_name"),
+		IsTwoFactorEnabled: ctx.FormOptionalBool("is_2fa_enabled"),
+		SourceID:           sourceID,
+		OrderBy:            utils.GetDbSearchOrder(ctx),
+		ListOptions:        listOptions,
 	})
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "SearchUsers", err)
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -1509,6 +1509,12 @@
            "name": "login_name",
            "in": "query"
          },
+          {
+            "type": "boolean",
+            "description": "whether or not to filter users with the 2fa enabled",
+            "name": "is_2fa_enabled",
+            "in": "query"
+          },
          {
            "enum": [
              "oldest",
--- a/tests/integration/api_admin_test.go
+++ b/tests/integration/api_admin_test.go
@ -169,6 +169,38 @@ func TestAPIListUsers(t *testing.T) {
 	assert.Len(t, users, numberOfUsers)
 }

+func TestAPIListUsersNo2FA(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUsername := "user1"
+	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
+
+	req := NewRequest(t, "GET", "/api/v1/admin/users?is_2fa_enabled=0").
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	total := resp.Header().Get("X-Total-Count")
+
+	numberOfUsers := "28"
+
+	assert.Equal(t, numberOfUsers, total)
+}
+
+func TestAPIListUsers2FA(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUsername := "user1"
+	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
+
+	req := NewRequest(t, "GET", "/api/v1/admin/users?is_2fa_enabled=1").
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	total := resp.Header().Get("X-Total-Count")
+
+	numberOfUsers := "2"
+
+	assert.Equal(t, numberOfUsers, total)
+}
+
 func TestAPIListUsersNotLoggedIn(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	req := NewRequest(t, "GET", "/api/v1/admin/users")