# Implement MFA (TOTP) Support
I will implement **Time-based One-Time Password (TOTP)** multi-factor authentication, moving further into **Phase 5** of the roadmap.
## 1. Schema Changes

- **New Table**: `auth.mfa_factors` to store MFA secrets and their enrollment status.
  - Columns: `id`, `user_id`, `factor_type` (e.g., 'totp'), `secret`, `status` ('unverified', 'verified'), `created_at`, `updated_at`.
  - The `secret` column holds the shared TOTP seed, which is as sensitive as a password for the second factor: store it encrypted at rest with a service-held key rather than in plaintext, and return it to the client only in the enrollment response.
  - `user_id` should reference the service's users table, with an index on `(user_id, factor_type)` so the lookup during verification and challenge is cheap.
- **Migration**: Create a new SQL migration file for this table.
## 2. Dependencies

- **Crate**: Add `totp-rs` to `auth/Cargo.toml` with the `qr` feature for generating QR codes (and `gen_secret` if the crate's random-secret helper is used rather than the service's own CSPRNG).
## 3. Implementation (`auth` service)

- **New Module**: `auth/src/mfa.rs`.
- **Endpoints** (all require an authenticated session for the user whose factor is being changed):
  - `POST /auth/v1/mfa/enroll`: Generates a new random TOTP secret and returns it (plus a QR code of the `otpauth://` URI). Creates an `unverified` factor. The secret is returned only in this response and is never read back out to the client by a later call.
  - `POST /auth/v1/mfa/verify`: Accepts a code and the factor ID. Verifies the code against the factor's secret, allowing one 30-second step of clock skew on either side of the current step. If correct, marks the factor as `verified`. Attempts must be rate-limited per factor, since a 6-digit code is brute-forceable otherwise, and a code must not be accepted twice for the same time step.
  - `POST /auth/v1/mfa/challenge`: (Optional for MVP) Verifies a code for a `verified` factor to grant access. Until this exists the factor gates nothing, so it should follow `verify` closely and reuse the same code-checking, rate-limiting and replay rules.
## Execution Steps

1. **Add Dependency**: Update `auth/Cargo.toml`.
2. **Create Migration**: Add the SQL file in `migrations/`.
3. **Implement Logic**: Create `auth/src/mfa.rs` with enrollment and verification logic.
4. **Register Routes**: Update `auth/src/lib.rs` to include the new MFA endpoints.
5. **Update Roadmap**: Mark MFA as completed.