59 lines
3.7 KiB
Markdown
59 lines
3.7 KiB
Markdown
# Tasks: Console TOTP 2FA
|
|
|
|
## Review Workload Forecast
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| Estimated changed lines | 650-900 total; split into ~350-450 backend and ~300-450 frontend |
|
|
| 400-line budget risk | High |
|
|
| Chained PRs recommended | Yes |
|
|
| Suggested split | PR 1 backend → PR 2 frontend |
|
|
| Delivery strategy | auto-chain per proposal |
|
|
|
|
Decision needed before apply: No
|
|
Chained PRs recommended: Yes
|
|
400-line budget risk: High
|
|
|
|
### Suggested Work Units
|
|
|
|
| Unit | Goal | Likely PR | Notes |
|
|
|------|------|-----------|-------|
|
|
| 1 | Backend 2FA baseline | PR 1 | Migration, crypto, endpoints, login, tests, env/docs |
|
|
| 2 | Console 2FA UX | PR 2 | Login two-step, security page, admin reset UI, tests |
|
|
|
|
## Phase 1: PR1 Backend Foundation / RED Tests
|
|
|
|
- [ ] 1.1 Add failing backend tests for login `requires_2fa`, valid/invalid TOTP, recovery-code consumption, replay rejection, lockout, and unchanged non-2FA login.
|
|
- [x] 1.2 Add migration `services/backend-api/migrations/*_totp_2fa.sql` dropping plaintext secret, adding encrypted/nonce/last-step/lock columns, and creating `two_factor_recovery_codes`.
|
|
- [x] 1.3 Wire `TOTP_SECRET_ENCRYPTION_KEY` startup config in `services/backend-api` and `docker-compose.yml`; fail boot on missing/invalid base64 32-byte key.
|
|
|
|
## Phase 2: PR1 Backend Implementation
|
|
|
|
- [x] 2.1 Add `services/backend-api/src/crypto/totp_secret.rs` with AES-256-GCM encrypt/decrypt and no secret logging.
|
|
- [x] 2.2 Extend `services/backend-api/src/auth.rs` error variants/mappings for 2FA required/failed/not-enabled/already-enabled/recovery invalid/account locked.
|
|
- [x] 2.3 Add recovery-code generation/hash/verify helpers using Argon2id and one-time deletion semantics.
|
|
- [x] 2.4 Add `services/backend-api/src/handlers/totp.rs` endpoints: setup-start, setup-verify, disable, regenerate recovery codes, admin reset.
|
|
- [x] 2.5 Update `services/backend-api/src/handlers/auth.rs` login for TOTP/recovery validation, replay-step update, failure-window lockout, and audit events.
|
|
- [x] 2.6 Register `/api/auth/2fa/*` and `POST /api/platform/users/:id/2fa-reset` in `services/backend-api/src/main.rs` under existing auth/rate-limit rules.
|
|
|
|
## Phase 3: PR1 Backend Verification / Docs
|
|
|
|
- [ ] 3.1 Make backend tests pass for all auth, recovery, admin reset, crypto, startup-config, and audit scenarios.
|
|
- [x] 3.2 Update `docs/DESPLIEGUE.md` with `TOTP_SECRET_ENCRYPTION_KEY` generation/storage and migration pre-flight note.
|
|
|
|
## Phase 4: PR2 Frontend Foundation / RED Tests
|
|
|
|
- [ ] 4.1 Add failing frontend tests for login two-step, recovery toggle, AccountLocked messaging, security route, enrollment, disable, regeneration, and admin reset modal.
|
|
- [x] 4.2 Update `services/frontend-console/src/features/auth/schemas/login-schema.ts` and auth API types to accept optional `two_factor_code`/`recovery_code` and `requires_2fa?`.
|
|
|
|
## Phase 5: PR2 Frontend Implementation
|
|
|
|
- [x] 5.1 Update `services/frontend-console/src/features/auth/pages/LoginPage.tsx` with password-first flow, TOTP/recovery second step, and API payload mapping to `totp_code`/`recovery_code`.
|
|
- [x] 5.2 Create `services/frontend-console/src/features/security/` with API client, `SecuritySettingsPage`, QR/manual secret enrollment, save-gated recovery codes, disable, and regenerate flows.
|
|
- [x] 5.3 Register `/app/platform/security` in `services/frontend-console/src/app/router/index.tsx` and navigation without changing unrelated local `frontend-console` work.
|
|
- [x] 5.4 Add platform admin users-list 2FA status and reset confirmation UI calling `POST /api/platform/users/:id/2fa-reset` with success/error toasts and refresh.
|
|
|
|
## Phase 6: Final Verification
|
|
|
|
- [x] 6.1 Run targeted `cargo test` and `pnpm --dir services/frontend-console test`; verify specs and keep PR diffs near the 400-line budget.
|