dragonflight/services/mam-api/src/db/migrations/027-totp-2fa.sql

-- Migration 027 — TOTP two-factor auth.
--
-- totp_secret holds the base32 shared secret once enrollment is confirmed
-- (NULL while disabled or mid-enrollment). totp_enabled flips true only after
-- the user verifies their first code, so a half-finished enrollment never locks
-- anyone out. Recovery codes are one-time bcrypt-hashed fallbacks; used_at marks
-- a code as spent.

ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_secret  TEXT;
ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_enabled BOOLEAN NOT NULL DEFAULT FALSE;

CREATE TABLE IF NOT EXISTS user_recovery_codes (
  id         UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
  user_id    UUID NOT NULL REFERENCES users ON DELETE CASCADE,
  code_hash  TEXT NOT NULL,
  used_at    TIMESTAMPTZ,
  created_at TIMESTAMPTZ DEFAULT NOW()
);

CREATE INDEX IF NOT EXISTS idx_user_recovery_codes_user ON user_recovery_codes(user_id);
feat(mam-api,web-ui): TOTP two-factor authentication Optional time-based 2FA on top of password login. TOTP core is hand-rolled on node:crypto (RFC 6238) — no runtime dep — and verified against the RFC test vectors. - migration 027: users.totp_secret/totp_enabled + user_recovery_codes - src/auth/totp.js: base32, secret gen, RFC 6238 verify, otpauth URI, recovery codes - src/auth/mfa-tickets.js: short-lived single-use tickets bridging the two login steps (in-memory, single-instance like the rate-limiter) - auth routes: /totp/setup, /totp/enable (returns recovery codes once), /totp/disable (password-confirmed); login returns {mfa_required, ticket} when enabled, /login/totp completes with a code or recovery code - /auth/me and loadUser surface totp_enabled - web-ui: login second-factor step; Settings -> Account TOTP enroll (QR + manual secret + recovery codes + disable) - qrcode added as an optional dep; setup degrades to manual entry if absent - tests: totp unit (RFC vectors) + integration (enable/login/recovery/disable) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-29 22:42:57 -04:00			`-- Migration 027 — TOTP two-factor auth.`
			`--`
			`-- totp_secret holds the base32 shared secret once enrollment is confirmed`
			`-- (NULL while disabled or mid-enrollment). totp_enabled flips true only after`
			`-- the user verifies their first code, so a half-finished enrollment never locks`
			`-- anyone out. Recovery codes are one-time bcrypt-hashed fallbacks; used_at marks`
			`-- a code as spent.`

			`ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_secret TEXT;`
			`ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_enabled BOOLEAN NOT NULL DEFAULT FALSE;`

			`CREATE TABLE IF NOT EXISTS user_recovery_codes (`
			`id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),`
			`user_id UUID NOT NULL REFERENCES users ON DELETE CASCADE,`
			`code_hash TEXT NOT NULL,`
			`used_at TIMESTAMPTZ,`
			`created_at TIMESTAMPTZ DEFAULT NOW()`
			`);`

			`CREATE INDEX IF NOT EXISTS idx_user_recovery_codes_user ON user_recovery_codes(user_id);`