Create a new user (using an API token that has 'superuser' permissions):
curl -v -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -X POST -d "name=Foo Bar&login=foo.bar%40example.com" https://api.fastly.com/user
Response (note that the new account has no 2FA enabled, no password set, and no forced password reset):
{
"id":"001",
"created_at":"2019-04-16T13:32:41Z",
"updated_at":"2019-04-16T13:32:41Z",
"name":"Foo Bar",
"customer_id":"123",
"require_new_password":false,
"role":"user",
"login":"foo.bar@example.com",
"deleted_at":null,
"locked":false,
"two_factor_auth_enabled":false,
"limit_services":false,
"email_hash":"456",
"two_factor_setup_required":true
}
Set our own initial password for the user:
curl -v -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -X POST -d "new_password=foobar" https://api.fastly.com/user/<id>/password
Response (notice require_new_password is now set to true, since we have set a password for the user):
{
"id":"001",
"created_at":"2019-04-16T13:32:41Z",
"updated_at":"2019-04-16T13:51:38Z",
"name":"Foo Bar",
"customer_id":"123",
"require_new_password":true,
"role":"user",
"login":"foo.bar@example.com",
"deleted_at":null,
"locked":false,
"two_factor_auth_enabled":false,
"limit_services":false,
"email_hash":"456",
"two_factor_setup_required":true
}
When signing in with this user, they are forced to set up 2FA. The concern at this point is that this user is able to log into the Fastly UI and start creating both READ and WRITE API tokens for any service. So we should probably create the user but never set a password, and then see whether we can still create API tokens for that user's account and have them be usable to query the Fastly API.
In order to create a new token for a user account, we first need to call the /sudo endpoint:
# escape any shell-special characters in the password with a backslash \ (or single-quote the value)
export ADMIN_PASS=123456
# Fastly-OTP carries the current 2FA code for the account whose password is supplied below
curl -v -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -H "Fastly-OTP: 123456" -X POST -d "username=admin@example.com&password=$ADMIN_PASS" https://api.fastly.com/sudo
You can then request the token creation:
curl -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -X POST -d "username=<user>&password=<pass>&services[]=<service>" https://api.fastly.com/tokens
Response:
{
"id":"000",
"name":"Fastly API Token",
"user_id":"123",
"service_id":"456",
"expires_at":null,
"created_at":"2019-04-16T15:10:16Z",
"updated_at":"2019-04-16T15:10:16Z",
"scope":"global",
"services":["<service_id>"],
"access_token":"<a_new_token>"
}
Note: this token is generated for the superuser, and unfortunately not for the username given in the POST form data (which is what we wanted). It doesn't matter what credentials you provide at this point: because the superuser account was used for /sudo, the token is set up for that user. Since we know nothing about our new user's credentials (or OTP codes), we won't be able to create API tokens on their behalf.