dragonflight/services/mam-api/src/routes
Zac fff0828d79 feat(mam-api,web-ui): TOTP two-factor authentication
Optional time-based 2FA on top of password login. TOTP core is hand-rolled
on node:crypto (RFC 6238) — no runtime dep — and verified against the RFC
test vectors.

- migration 027: users.totp_secret/totp_enabled + user_recovery_codes
- src/auth/totp.js: base32, secret gen, RFC 6238 verify, otpauth URI,
  recovery codes
- src/auth/mfa-tickets.js: short-lived single-use tickets bridging the two
  login steps (in-memory, single-instance like the rate-limiter)
- auth routes: /totp/setup, /totp/enable (returns recovery codes once),
  /totp/disable (password-confirmed); login returns {mfa_required, ticket}
  when enabled, /login/totp completes with a code or recovery code
- /auth/me and loadUser surface totp_enabled
- web-ui: login second-factor step; Settings -> Account TOTP enroll (QR +
  manual secret + recovery codes + disable)
- qrcode added as an optional dep; setup degrades to manual entry if absent
- tests: totp unit (RFC vectors) + integration (enable/login/recovery/disable)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 02:42:57 +00:00
ampp.js feat: AMPP folder sync integration — pre-create folder hierarchy on upload, expose lookup endpoint for Script Task: ampp.js 2026-04-18 13:42:08 -04:00
assets.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
auth.js feat(mam-api,web-ui): TOTP two-factor authentication 2026-05-30 02:42:57 +00:00
bins.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
capture.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
cluster.js fix: use external MAM_API_URL for remote capture sidecars; add cluster metrics endpoint and dashboard resource graphs 2026-05-29 01:04:24 +00:00
comments.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
groups.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
imports.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
jobs.js fix(uxp+mam-api): Export Timeline render — xmeml schema + BullMQ job poll 2026-05-28 13:58:13 -04:00
metrics.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
projects.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
recorders.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
schedules.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
sdk.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
sequences.js feat(mam-api,web-ui): per-project RBAC (v2 auth layer) 2026-05-30 02:37:36 +00:00
settings.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
storage.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
system.js rip out entire auth/login flow 2026-05-27 03:39:58 +00:00
tokens.js feat(auth): bound-hostname tokens for node-agent + return role from /me 2026-05-27 19:27:59 -04:00
upload.js chore: 1.2 ship-prep sweep — close 38 issues 2026-05-27 02:06:14 +00:00
users.js fix(auth): final-review integration fixes — Users page alias + PATCH, CSRF on uploads + heartbeat, drop .bak 2026-05-27 15:42:42 -04:00