madbase/.trae/documents/plan_20260311_230143.md

Implement MFA (TOTP) Support

I will implement Time-based One-Time Password (TOTP) multi-factor authentication, moving further into Phase 5 of the roadmap.

1. Schema Changes

  • New Table: auth.mfa_factors to store one row per enrolled factor (secret and status).
    • Columns: id, user_id, factor_type (e.g. 'totp'), secret (the raw TOTP seed; store it encrypted at rest and never return it again after enrollment), status ('unverified' until the user proves possession of the seed, then 'verified'), created_at, updated_at.
    • Also record the last time step (or timestamp) at which a code was accepted, so the same code cannot be replayed within the acceptance window (RFC 6238 section 5.2 requires that a code be accepted at most once).
  • Migration: Create a new SQL migration file for this table.

2. Dependencies

  • Crate: Add totp-rs to auth/Cargo.toml with qr feature for generating QR codes.

3. Implementation (auth service)

  • New Module: auth/src/mfa.rs.
  • Endpoints:
    • POST /auth/v1/mfa/enroll: Generates a new random TOTP secret for the authenticated user and returns it once, as a base32 seed plus a QR code of the otpauth:// URI. Creates an unverified factor; a later enroll call replaces any existing unverified factor rather than accumulating them.
    • POST /auth/v1/mfa/verify: Accepts a code and the factor ID. Checks that the factor belongs to the calling user, then verifies the code against the current time step with a small drift window and a constant-time comparison. If correct, marks the factor as verified and records the accepted step. Attempts must be rate-limited, since a 6-digit code is brute-forceable without a limit.
    • POST /auth/v1/mfa/challenge: (Optional for MVP) Verifies a code for a verified factor to grant access. Must be bound to the user's current session, reject codes at or before the last accepted step (replay), and be rate-limited the same way as verify.
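
An added reference model of the enrollment, verification and challenge rules the endpoints above need (RFC 4226 HOTP and RFC 6238 TOTP), written in Python with the standard library so it runs without totp-rs; it is not madbase code and does not replace auth/src/mfa.rs. The 160-bit secret length, 30-second step, 6 digits, one-step drift window and the `MfaFactor` class (mirroring the planned auth.mfa_factors row plus a `last_used_step` field for replay rejection) are assumptions made for the example.

```python
"""Reference model of TOTP enrollment and verification (RFC 4226 / RFC 6238).
Example code, not madbase's auth service; parameters below are assumptions."""
import base64
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # assumed TOTP period
DIGITS = 6          # assumed code length
WINDOW = 1          # assumed drift tolerance: one step either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_at(secret: bytes, unix_time: int, digits: int = DIGITS,
            step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class MfaFactor:
    """In-memory stand-in for an auth.mfa_factors row (assumed shape)."""
    user_id: str
    secret: bytes
    factor_type: str = "totp"
    status: str = "unverified"
    last_used_step: int = -1  # highest accepted time step; used to reject replays


def enroll(user_id: str, issuer: str = "madbase") -> tuple[MfaFactor, str]:
    """Create an unverified factor and the otpauth:// URI to encode as a QR code.
    The seed is returned to the client only here, never again."""
    secret = os.urandom(20)  # 160-bit seed, the size RFC 4226 recommends
    factor = MfaFactor(user_id=user_id, secret=secret)
    seed_b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(user_id)}?secret={seed_b32}"
           f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return factor, uri


def check_code(factor: MfaFactor, code: str, now: Optional[int] = None) -> bool:
    """Accept a code for one of the steps in the drift window, at most once.
    Any step at or below the last accepted one is refused, which also closes the
    window behind an accepted code. Comparison is constant-time per candidate."""
    if now is None:
        now = int(time.time())
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    current = now // STEP_SECONDS
    for step in range(current - WINDOW, current + WINDOW + 1):
        if step <= factor.last_used_step:
            continue  # already consumed or older than a consumed step: replay
        if hmac.compare_digest(hotp(factor.secret, step), code):
            factor.last_used_step = step  # persist this with the row in real code
            return True
    return False


def verify_enrollment(factor: MfaFactor, code: str, now: Optional[int] = None) -> bool:
    """POST /mfa/verify equivalent: prove possession of the seed, then activate."""
    if factor.status != "unverified" or not check_code(factor, code, now):
        return False
    factor.status = "verified"
    return True


def challenge(factor: MfaFactor, code: str, now: Optional[int] = None) -> bool:
    """POST /mfa/challenge equivalent: only verified factors may grant access."""
    return factor.status == "verified" and check_code(factor, code, now)


if __name__ == "__main__":
    f, uri = enroll("alice")
    print(uri)
    first = totp_at(f.secret, int(time.time()))
    print("verify:", verify_enrollment(f, first), "replay:", challenge(f, first))
```

Rate limiting is not modelled here; it belongs at the endpoint layer (per user and per factor), since a 6-digit code with a 3-step window gives roughly a 3 in 10^6 chance per guess. The `last_used_step` update and the status change must be written in the same transaction as the verification result so two concurrent requests cannot both consume one code.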

Execution Steps

  1. Add Dependency: Update auth/Cargo.toml.
  2. Create Migration: Add the SQL file in migrations/.
  3. Implement Logic: Create auth/src/mfa.rs with enrollment and verification logic.
  4. Register Routes: Update auth/src/lib.rs to include the new MFA endpoints.
  5. Update Roadmap: Mark MFA as completed.