Skip to content

feat(auth): add optional TOTP two-factor authentication#47

Open
threehappypenguins wants to merge 2 commits into
datarhei:mainfrom
threehappypenguins:main
Open

feat(auth): add optional TOTP two-factor authentication#47
threehappypenguins wants to merge 2 commits into
datarhei:mainfrom
threehappypenguins:main

Conversation

@threehappypenguins

Copy link
Copy Markdown

Summary

Adds optional TOTP (time-based one-time password) as a second factor for the single local login account.

  • New auth/totp package persists enrollment and device trust in db.dir (totp.json, totp_trust.json)
  • Login accepts totp_code, device_trust_token, and remember_device (30d | 1y)
  • New JWT-protected API endpoints: GET/DELETE /api/v3/auth/totp, POST /api/v3/auth/totp/setup, POST /api/v3/auth/totp/enable
  • totp_required exposed on API about/discovery responses
  • Swagger docs regenerated; recovery guide added in docs/TOTP.md
  • .gitignore updated to exclude local runtime files under config/

TOTP applies only to local username/password auth, not Auth0.

Test plan

  • make test passes
  • Enable TOTP via API or UI; login requires password + code
  • “Remember device” skips TOTP until expiry on the same browser
  • Disable TOTP with a valid code
  • Recovery: delete totp.json (+ optional totp_trust.json) in db.dir, restart Core, log in with password only
  • Confirm Auth0 login (if configured) is unchanged and does not require TOTP

@threehappypenguins threehappypenguins marked this pull request as ready for review July 9, 2026 01:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant