mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 12:21:09 +00:00
Oleksandr Bezdieniezhnykh
1e1ded73f5
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.
- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
azaion-mfa-step2) when the user has MFA enabled; real access+refresh
pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
(purpose=Azaion.Mfa.Secret.v1; key folder configurable via
DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
avoid LinqToDB null-literal type-inference on jsonb columns.
E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.
Co-authored-by: Cursor <cursoragent@cursor.com>
44 lines
1.3 KiB
C#
44 lines
1.3 KiB
C#
namespace Azaion.Common.Requests;
|
|
|
|
/// <summary>AZ-534 — body for <c>POST /users/me/mfa/enroll</c>.</summary>
|
|
public class MfaEnrollRequest
|
|
{
|
|
public string Password { get; set; } = null!;
|
|
}
|
|
|
|
/// <summary>AZ-534 — response of /enroll (also surfaces recovery codes ONCE; they are
|
|
/// hashed at rest and unrecoverable after this response).</summary>
|
|
public class MfaEnrollResponse
|
|
{
|
|
public string Secret { get; set; } = null!;
|
|
public string OtpAuthUrl { get; set; } = null!;
|
|
public string QrPngBase64 { get; set; } = null!;
|
|
public string[] RecoveryCodes { get; set; } = [];
|
|
}
|
|
|
|
public class MfaConfirmRequest
|
|
{
|
|
public string Code { get; set; } = null!;
|
|
}
|
|
|
|
public class MfaDisableRequest
|
|
{
|
|
public string Password { get; set; } = null!;
|
|
public string Code { get; set; } = null!;
|
|
}
|
|
|
|
/// <summary>AZ-534 AC-3 — response of step-1 /login when the user has MFA enabled.
|
|
/// The mfa_token is a short-lived JWT carried into <c>POST /login/mfa</c>.</summary>
|
|
public class MfaRequiredResponse
|
|
{
|
|
public bool MfaRequired { get; set; } = true;
|
|
public string MfaToken { get; set; } = null!;
|
|
public int ExpiresIn { get; set; }
|
|
}
|
|
|
|
public class MfaLoginRequest
|
|
{
|
|
public string MfaToken { get; set; } = null!;
|
|
public string Code { get; set; } = null!;
|
|
}
|