3.7 KiB
3.7 KiB
Tasks: Console TOTP 2FA
Review Workload Forecast
| Field | Value |
|---|---|
| Estimated changed lines | 650-900 total; split into ~350-450 backend and ~300-450 frontend |
| 400-line budget risk | High |
| Chained PRs recommended | Yes |
| Suggested split | PR 1 backend → PR 2 frontend |
| Delivery strategy | auto-chain per proposal |
Decision needed before apply: No Chained PRs recommended: Yes 400-line budget risk: High
Suggested Work Units
| Unit | Goal | Likely PR | Notes |
|---|---|---|---|
| 1 | Backend 2FA baseline | PR 1 | Migration, crypto, endpoints, login, tests, env/docs |
| 2 | Console 2FA UX | PR 2 | Login two-step, security page, admin reset UI, tests |
Phase 1: PR1 Backend Foundation / RED Tests
- 1.1 Add failing backend tests for login
requires_2fa, valid/invalid TOTP, recovery-code consumption, replay rejection, lockout, and unchanged non-2FA login. - 1.2 Add migration
services/backend-api/migrations/*_totp_2fa.sqldropping plaintext secret, adding encrypted/nonce/last-step/lock columns, and creatingtwo_factor_recovery_codes. - 1.3 Wire
TOTP_SECRET_ENCRYPTION_KEYstartup config inservices/backend-apianddocker-compose.yml; fail boot on missing/invalid base64 32-byte key.
Phase 2: PR1 Backend Implementation
- 2.1 Add
services/backend-api/src/crypto/totp_secret.rswith AES-256-GCM encrypt/decrypt and no secret logging. - 2.2 Extend
services/backend-api/src/auth.rserror variants/mappings for 2FA required/failed/not-enabled/already-enabled/recovery invalid/account locked. - 2.3 Add recovery-code generation/hash/verify helpers using Argon2id and one-time deletion semantics.
- 2.4 Add
services/backend-api/src/handlers/totp.rsendpoints: setup-start, setup-verify, disable, regenerate recovery codes, admin reset. - 2.5 Update
services/backend-api/src/handlers/auth.rslogin for TOTP/recovery validation, replay-step update, failure-window lockout, and audit events. - 2.6 Register
/api/auth/2fa/*andPOST /api/platform/users/:id/2fa-resetinservices/backend-api/src/main.rsunder existing auth/rate-limit rules.
Phase 3: PR1 Backend Verification / Docs
- 3.1 Make backend tests pass for all auth, recovery, admin reset, crypto, startup-config, and audit scenarios.
- 3.2 Update
docs/DESPLIEGUE.mdwithTOTP_SECRET_ENCRYPTION_KEYgeneration/storage and migration pre-flight note.
Phase 4: PR2 Frontend Foundation / RED Tests
- 4.1 Add failing frontend tests for login two-step, recovery toggle, AccountLocked messaging, security route, enrollment, disable, regeneration, and admin reset modal.
- 4.2 Update
services/frontend-console/src/features/auth/schemas/login-schema.tsand auth API types to accept optionaltwo_factor_code/recovery_codeandrequires_2fa?.
Phase 5: PR2 Frontend Implementation
- 5.1 Update
services/frontend-console/src/features/auth/pages/LoginPage.tsxwith password-first flow, TOTP/recovery second step, and API payload mapping tototp_code/recovery_code. - 5.2 Create
services/frontend-console/src/features/security/with API client,SecuritySettingsPage, QR/manual secret enrollment, save-gated recovery codes, disable, and regenerate flows. - 5.3 Register
/app/platform/securityinservices/frontend-console/src/app/router/index.tsxand navigation without changing unrelated localfrontend-consolework. - 5.4 Add platform admin users-list 2FA status and reset confirmation UI calling
POST /api/platform/users/:id/2fa-resetwith success/error toasts and refresh.
Phase 6: Final Verification
- 6.1 Run targeted
cargo testandpnpm --dir services/frontend-console test; verify specs and keep PR diffs near the 400-line budget.