flip_api.user_services.reset_user_mfa

Attributes

router

Functions

reset_mfa_for_user(user_id, request, db, token_id) → dict[str, Any]

Reset a user's TOTP MFA preference and revoke their active sessions.

Module Contents

flip_api.user_services.reset_user_mfa.router
flip_api.user_services.reset_user_mfa.reset_mfa_for_user(user_id: uuid.UUID, request: fastapi.Request, db: sqlmodel.Session = Depends(get_session), token_id: uuid.UUID = Depends(verify_token)) → dict[str, Any]

Reset a user’s TOTP MFA preference and revoke their active sessions.

Used by administrators to recover users who have lost their authenticator device. The Cognito pool is OPTIONAL (see the cognito module for rationale), so the next sign-in does NOT produce a CONTINUE_SIGN_IN_WITH_TOTP_SETUP challenge — Cognito signs the user in cleanly, and the app-layer MFA gate (verify_token + the UI router guard on needsMfaEnrolment) routes them through the post-auth enrolment page instead.

Parameters:
  • user_id (UUID) – ID (Cognito sub) of the user whose MFA should be reset. FastAPI validates the path segment, returning 422 on malformed input.

  • request (Request) – FastAPI request object.

  • db (Session) – Database session.

  • token_id (UUID) – ID of the authenticated user performing the reset.

Returns:

Empty dictionary on success.

Return type:

dict[str, Any]

Raises:
  • HTTPException – If the caller lacks permission, the target user is not found, or the Cognito call fails.
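
The reset flow described above, as an added example that is not flip_api's own implementation. It assumes the reset maps to boto3's `admin_set_user_mfa_preference` and `admin_user_global_sign_out`; the pool ID, the `admins`/`users` sets, `ResetError` with its status codes, and `FakeCognito` are constructed for illustration.

```python
from __future__ import annotations
import uuid
from typing import Any

USER_POOL_ID = "eu-west-2_EXAMPLE"  # constructed placeholder, not a real pool


class ResetError(Exception):
    """Hypothetical stand-in for fastapi.HTTPException (status codes assumed)."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


class FakeCognito:
    """Constructed recorder; a real caller would pass boto3.client("cognito-idp")."""
    def __init__(self, fail_on: str | None = None):
        self.calls: list[tuple[str, str]] = []
        self.fail_on = fail_on

    def _record(self, name: str, kw: dict[str, Any]) -> dict:
        if name == self.fail_on:
            raise RuntimeError(f"{name} failed")
        self.calls.append((name, kw["Username"]))
        return {}

    def admin_set_user_mfa_preference(self, **kw: Any) -> dict:
        return self._record("admin_set_user_mfa_preference", kw)

    def admin_user_global_sign_out(self, **kw: Any) -> dict:
        return self._record("admin_user_global_sign_out", kw)


def reset_mfa(cognito: Any, admins: set, users: set,
              caller: uuid.UUID, target: uuid.UUID) -> dict[str, Any]:
    # Authorise and validate the target before touching the identity provider.
    if caller not in admins:
        raise ResetError(403, "caller may not reset MFA")
    if target not in users:
        raise ResetError(404, "user not found")
    try:
        # Drop the TOTP preference, then revoke the user's sessions. Any
        # provider failure is surfaced so the administrator can retry.
        cognito.admin_set_user_mfa_preference(
            UserPoolId=USER_POOL_ID, Username=str(target),  # Username = Cognito sub
            SoftwareTokenMfaSettings={"Enabled": False, "PreferredMfa": False})
        cognito.admin_user_global_sign_out(
            UserPoolId=USER_POOL_ID, Username=str(target))
    except Exception as exc:
        raise ResetError(502, "Cognito call failed") from exc
    return {}
```

With a real client, `admin_user_global_sign_out` revokes refresh tokens, but access and ID tokens already issued still pass local JWT signature checks until they expire.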