Files
OmniOilPersonal/openspec/changes/console-totp-2fa/tasks.md
2026-05-08 05:37:24 -05:00

3.7 KiB

Tasks: Console TOTP 2FA

Review Workload Forecast

Field Value
Estimated changed lines 650-900 total; split into ~350-450 backend and ~300-450 frontend
400-line budget risk High
Chained PRs recommended Yes
Suggested split PR 1 backend → PR 2 frontend
Delivery strategy auto-chain per proposal

Decision needed before apply: No Chained PRs recommended: Yes 400-line budget risk: High

Suggested Work Units

Unit Goal Likely PR Notes
1 Backend 2FA baseline PR 1 Migration, crypto, endpoints, login, tests, env/docs
2 Console 2FA UX PR 2 Login two-step, security page, admin reset UI, tests

Phase 1: PR1 Backend Foundation / RED Tests

  • 1.1 Add failing backend tests for login requires_2fa, valid/invalid TOTP, recovery-code consumption, replay rejection, lockout, and unchanged non-2FA login.
  • 1.2 Add migration services/backend-api/migrations/*_totp_2fa.sql dropping plaintext secret, adding encrypted/nonce/last-step/lock columns, and creating two_factor_recovery_codes.
  • 1.3 Wire TOTP_SECRET_ENCRYPTION_KEY startup config in services/backend-api and docker-compose.yml; fail boot on missing/invalid base64 32-byte key.

Phase 2: PR1 Backend Implementation

  • 2.1 Add services/backend-api/src/crypto/totp_secret.rs with AES-256-GCM encrypt/decrypt and no secret logging.
  • 2.2 Extend services/backend-api/src/auth.rs error variants/mappings for 2FA required/failed/not-enabled/already-enabled/recovery invalid/account locked.
  • 2.3 Add recovery-code generation/hash/verify helpers using Argon2id and one-time deletion semantics.
  • 2.4 Add services/backend-api/src/handlers/totp.rs endpoints: setup-start, setup-verify, disable, regenerate recovery codes, admin reset.
  • 2.5 Update services/backend-api/src/handlers/auth.rs login for TOTP/recovery validation, replay-step update, failure-window lockout, and audit events.
  • 2.6 Register /api/auth/2fa/* and POST /api/platform/users/:id/2fa-reset in services/backend-api/src/main.rs under existing auth/rate-limit rules.

Phase 3: PR1 Backend Verification / Docs

  • 3.1 Make backend tests pass for all auth, recovery, admin reset, crypto, startup-config, and audit scenarios.
  • 3.2 Update docs/DESPLIEGUE.md with TOTP_SECRET_ENCRYPTION_KEY generation/storage and migration pre-flight note.

Phase 4: PR2 Frontend Foundation / RED Tests

  • 4.1 Add failing frontend tests for login two-step, recovery toggle, AccountLocked messaging, security route, enrollment, disable, regeneration, and admin reset modal.
  • 4.2 Update services/frontend-console/src/features/auth/schemas/login-schema.ts and auth API types to accept optional two_factor_code/recovery_code and requires_2fa?.

Phase 5: PR2 Frontend Implementation

  • 5.1 Update services/frontend-console/src/features/auth/pages/LoginPage.tsx with password-first flow, TOTP/recovery second step, and API payload mapping to totp_code/recovery_code.
  • 5.2 Create services/frontend-console/src/features/security/ with API client, SecuritySettingsPage, QR/manual secret enrollment, save-gated recovery codes, disable, and regenerate flows.
  • 5.3 Register /app/platform/security in services/frontend-console/src/app/router/index.tsx and navigation without changing unrelated local frontend-console work.
  • 5.4 Add platform admin users-list 2FA status and reset confirmation UI calling POST /api/platform/users/:id/2fa-reset with success/error toasts and refresh.

Phase 6: Final Verification

  • 6.1 Run targeted cargo test and pnpm --dir services/frontend-console test; verify specs and keep PR diffs near the 400-line budget.