feat: allow for getting 2fa enabled users via /api/v1/admin/users (#12091)

Allow for filtering users with 2fa enabled as admin. So that it is easy to audit users' settings compliance with iso27001, etc.

Resolves #11800

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12091
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Dominik Zyla <zylad@noreply.codeberg.org>
Co-committed-by: Dominik Zyla <zylad@noreply.codeberg.org>

routers/api/v1/admin/user.go

@@ -416,6 +416,10 @@ func SearchUsers(ctx *context.APIContext) {
 	//   in: query
 	//   description: user's login name to search for
 	//   type: string
+	// - name: is_2fa_enabled
+	//   in: query
+	//   description: whether or not to filter users with the 2fa enabled
+	//   type: boolean
 	// - name: sort
 	//   in: query
 	//   description: sort order of results
@@ -449,6 +453,7 @@ func SearchUsers(ctx *context.APIContext) {
 		Actor:              ctx.Doer,
 		Type:               user_model.UserTypeIndividual,
 		LoginName:          ctx.FormTrim("login_name"),
+		IsTwoFactorEnabled: ctx.FormOptionalBool("is_2fa_enabled"),
 		SourceID:           sourceID,
 		OrderBy:            utils.GetDbSearchOrder(ctx),
 		ListOptions:        listOptions,

templates/swagger/v1_json.tmpl

@@ -1509,6 +1509,12 @@
             "name": "login_name",
             "in": "query"
           },
+          {
+            "type": "boolean",
+            "description": "whether or not to filter users with the 2fa enabled",
+            "name": "is_2fa_enabled",
+            "in": "query"
+          },
           {
             "enum": [
               "oldest",

tests/integration/api_admin_test.go

@@ -169,6 +169,38 @@ func TestAPIListUsers(t *testing.T) {
 	assert.Len(t, users, numberOfUsers)
 }
 
+func TestAPIListUsersNo2FA(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUsername := "user1"
+	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
+
+	req := NewRequest(t, "GET", "/api/v1/admin/users?is_2fa_enabled=0").
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	total := resp.Header().Get("X-Total-Count")
+
+	numberOfUsers := "28"
+
+	assert.Equal(t, numberOfUsers, total)
+}
+
+func TestAPIListUsers2FA(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUsername := "user1"
+	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
+
+	req := NewRequest(t, "GET", "/api/v1/admin/users?is_2fa_enabled=1").
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	total := resp.Header().Get("X-Total-Count")
+
+	numberOfUsers := "2"
+
+	assert.Equal(t, numberOfUsers, total)
+}
+
 func TestAPIListUsersNotLoggedIn(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	req := NewRequest(t, "GET", "/api/v1/admin/users")