azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 16:21:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6e1e147562d18413d0a4f9f38b80933df1e7a415
admin/Azaion.Common/Entities/User.cs
T
Oleksandr Bezdieniezhnykh 1e1ded73f5
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-534] TOTP-based 2FA at credential login 
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.

- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
  azaion-mfa-step2) when the user has MFA enabled; real access+refresh
  pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
  (purpose=Azaion.Mfa.Secret.v1; key folder configurable via
  DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
  SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
  amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
  recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
  sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
  in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
  avoid LinqToDB null-literal type-inference on jsonb columns.

E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 06:21:28 +03:00

52 lines
1.7 KiB
C#
Raw Blame History

using System.Text.Json.Serialization;
namespace Azaion.Common.Entities;
public class User
{
public Guid Id { get; set; }
public string Email { get; set; } = null!;
[JsonIgnore]
public string PasswordHash { get; set; } = null!;
public string? Hardware { get; set; }
public RoleEnum Role { get; set; }
public DateTime CreatedAt { get; set; }
public DateTime? LastLogin { get; set; }
public UserConfig? UserConfig { get; set; } = null!;
public bool IsEnabled { get; set; }
// AZ-537 — consecutive failed-login counter and active lockout deadline.
public int FailedLoginCount { get; set; }
public DateTime? LockoutUntil { get; set; }
// AZ-534 — TOTP-based 2FA. mfa_secret is encrypted at rest; recovery codes are
// stored as a JSONB array of { hash, used_at } objects. mfa_last_used_window
// is the RFC 6238 time-step counter of the most recently accepted code,
// used to reject in-window replays.
[JsonIgnore]
public bool MfaEnabled { get; set; }
[JsonIgnore]
public string? MfaSecret { get; set; }
[JsonIgnore]
public string? MfaRecoveryCodes { get; set; }
public DateTime? MfaEnrolledAt { get; set; }
[JsonIgnore]
public long? MfaLastUsedWindow { get; set; }
public static string GetCacheKey(string email) =>
string.IsNullOrEmpty(email) ? "" : $"{nameof(User)}.{email}";
}
public class UserConfig
{
public UserQueueOffsets? QueueOffsets { get; set; } = new();
}
public class UserQueueOffsets
{
public ulong AnnotationsOffset { get; set; }
public ulong AnnotationsConfirmOffset { get; set; }
public ulong AnnotationsCommandsOffset { get; set; }
}
Reference in New Issue View Git Blame Copy Permalink