Let's say my user enrolled in TOTP in my web app, but lost access to his Authenticator App, or deleted the account in it. Now my user can't access my app, since he won't be able to get the Secret Code in his Authenticator App. How can I restore my user's access to my app?
I tried to get the user's data with a Python script:
user = auth.get_user(uid)
And in user._data.mfaInfo I can see the TOTP data:
{'mfaEnrollmentId': id,
'displayName': 'Authenticator App',
'enrolledAt': timedate,
'totpInfo': {}}
But I can't edit it with auth.update_user, since it's in "_data".
I could also send a POST request to: https://identitytoolkit.googleapis.com/v2/accounts/mfaEnrollment:withdraw
But it requires an idToken, which I don't have access to if the user can't authenticate.
In the end I resolved this with the Identity Toolkit API with a Custom idToken:
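Added example, not the poster's own code (which is not shown on this page): one way to carry out the flow described above, with hypothetical helper names. It assumes `mint_custom_token` is the Admin SDK's `auth.create_custom_token`, that the v1 `accounts:signInWithCustomToken` REST endpoint exchanges the custom token for an idToken, and that `api_key` is the project's Web API key.

```python
import json
import urllib.request

IDTK = "https://identitytoolkit.googleapis.com"

def _post(url, body):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def totp_enrollment_ids(mfa_info):
    """Enrollment ids of the TOTP factors in an mfaInfo list (shape as in the post)."""
    return [f["mfaEnrollmentId"] for f in (mfa_info or []) if "totpInfo" in f]

def withdraw_totp(uid, mfa_info, api_key, mint_custom_token, post=_post):
    """Withdraw every TOTP factor of uid and return the withdrawn ids.

    Call only after the user's identity has been verified out of band.
    mint_custom_token is assumed to be firebase_admin.auth.create_custom_token.
    """
    ids = totp_enrollment_ids(mfa_info)
    if not ids:
        return []  # nothing enrolled: do not mint a token at all
    token = mint_custom_token(uid)
    if isinstance(token, bytes):  # the Admin SDK returns bytes
        token = token.decode()
    # Exchange the server-minted custom token for an idToken for this user.
    id_token = post(f"{IDTK}/v1/accounts:signInWithCustomToken?key={api_key}",
                    {"token": token, "returnSecureToken": True})["idToken"]
    for eid in ids:
        resp = post(f"{IDTK}/v2/accounts/mfaEnrollment:withdraw?key={api_key}",
                    {"idToken": id_token, "mfaEnrollmentId": eid})
        id_token = resp.get("idToken", id_token)  # use the refreshed token if returned
    return ids

if __name__ == "__main__":
    # Constructed sample data and a stub transport, so this runs offline.
    sample = [{"mfaEnrollmentId": "enroll-1", "displayName": "Authenticator App",
               "totpInfo": {}}]
    stub = lambda url, body: {"idToken": "stub-id-token"}
    print(withdraw_totp("uid-1", sample, "API_KEY", lambda u: b"stub-custom-token", stub))
```

With the real transport, pass the `mfaInfo` list read from the user record and `auth.create_custom_token`; logging each withdrawal with the operator and ticket that authorised it keeps the reset auditable.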