dragonflight/services/mam-api/src/auth/mfa-tickets.js

// Short-lived MFA tickets bridging the two login steps.
//
// When a user with TOTP enabled passes password auth, we don't create a session
// yet — we hand back an opaque ticket. The second request (code or recovery
// code) redeems the ticket to finish login. Tickets are single-use and expire
// fast so a stolen ticket is near-useless.
//
// In-memory + single-instance, matching the existing login rate-limiter
// (auth/rate-limit.js). Documented limitation: in a multi-instance deployment
// the second step must hit the same node. Acceptable for Dragonflight's
// one-mam-api-per-node shape; revisit if that changes.
import { randomBytes } from 'node:crypto';

const TTL_MS = 5 * 60 * 1000; // 5 minutes to enter a code
const tickets = new Map();     // id -> { userId, expiresAt }

function sweep() {
  const now = Date.now();
  for (const [id, t] of tickets) if (t.expiresAt <= now) tickets.delete(id);
}

export function issueTicket(userId) {
  sweep();
  const id = randomBytes(32).toString('hex');
  tickets.set(id, { userId, expiresAt: Date.now() + TTL_MS });
  return id;
}

// Redeem (and consume) a ticket. Returns the userId, or null if missing/expired.
export function redeemTicket(id) {
  if (!id) return null;
  const t = tickets.get(id);
  if (!t) return null;
  tickets.delete(id); // single-use
  if (t.expiresAt <= Date.now()) return null;
  return t.userId;
}
feat(mam-api,web-ui): TOTP two-factor authentication Optional time-based 2FA on top of password login. TOTP core is hand-rolled on node:crypto (RFC 6238) — no runtime dep — and verified against the RFC test vectors. - migration 027: users.totp_secret/totp_enabled + user_recovery_codes - src/auth/totp.js: base32, secret gen, RFC 6238 verify, otpauth URI, recovery codes - src/auth/mfa-tickets.js: short-lived single-use tickets bridging the two login steps (in-memory, single-instance like the rate-limiter) - auth routes: /totp/setup, /totp/enable (returns recovery codes once), /totp/disable (password-confirmed); login returns {mfa_required, ticket} when enabled, /login/totp completes with a code or recovery code - /auth/me and loadUser surface totp_enabled - web-ui: login second-factor step; Settings -> Account TOTP enroll (QR + manual secret + recovery codes + disable) - qrcode added as an optional dep; setup degrades to manual entry if absent - tests: totp unit (RFC vectors) + integration (enable/login/recovery/disable) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-29 22:42:57 -04:00			`// Short-lived MFA tickets bridging the two login steps.`
			`//`
			`// When a user with TOTP enabled passes password auth, we don't create a session`
			`// yet — we hand back an opaque ticket. The second request (code or recovery`
			`// code) redeems the ticket to finish login. Tickets are single-use and expire`
			`// fast so a stolen ticket is near-useless.`
			`//`
			`// In-memory + single-instance, matching the existing login rate-limiter`
			`// (auth/rate-limit.js). Documented limitation: in a multi-instance deployment`
			`// the second step must hit the same node. Acceptable for Dragonflight's`
			`// one-mam-api-per-node shape; revisit if that changes.`
			`import { randomBytes } from 'node:crypto';`

			`const TTL_MS = 5 * 60 * 1000; // 5 minutes to enter a code`
			`const tickets = new Map(); // id -> { userId, expiresAt }`

			`function sweep() {`
			`const now = Date.now();`
			`for (const [id, t] of tickets) if (t.expiresAt <= now) tickets.delete(id);`
			`}`

			`export function issueTicket(userId) {`
			`sweep();`
			`const id = randomBytes(32).toString('hex');`
			`tickets.set(id, { userId, expiresAt: Date.now() + TTL_MS });`
			`return id;`
			`}`

			`// Redeem (and consume) a ticket. Returns the userId, or null if missing/expired.`
			`export function redeemTicket(id) {`
			`if (!id) return null;`
			`const t = tickets.get(id);`
			`if (!t) return null;`
			`tickets.delete(id); // single-use`
			`if (t.expiresAt <= Date.now()) return null;`
			`return t.userId;`
			`}`