* Initial plan
* Fix security vulnerabilities: MD5→SHA-256, XSS via dangerouslySetInnerHTML/innerHTML, insecure randomness, CodeQL config

  Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com>
* Clean up README: remove decorative emojis for a professional tone

  Remove all emojis from section headers, list item prefixes, and decorative positions. Replace ✅ phase status markers with '(Complete)' text. Keep the ⭐ in the final call-to-action line. No changes to links, badges, code blocks, or technical content.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: remove emoji characters from CONTRIBUTING.md

  Remove all emoji from section headers and closing line while preserving links, code blocks, and technical content.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: remove emoji characters from documentation files

  Remove all emoji characters from 8 documentation files in docs/. Replace status-marker checkmarks (✅) with '(Done)' text. Remove decorative emojis from headers and body text entirely. Preserve emojis inside code blocks unchanged. Clean up trailing whitespace introduced by removals.

  Files modified:
  - DEPLOYMENT_GUIDE.md
  - IMPLEMENTATION_PLAN.md
  - MILESTONE_6_SUMMARY.md
  - PRODUCTION_ROADMAP.md
  - PROJECT_STATUS.md
  - REPOSITORY_ENHANCEMENT.md
  - ROADMAP.md
  - SECURITY_AUDIT_ROADMAP.md

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: remove emoji characters from documentation files

  Remove all emoji characters from 9 markdown files while preserving code block content (box-drawing characters, indentation). Emojis removed from headers, list items, and body text across READMEs, issue templates, PR template, runbook, and mobile docs.

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Remove excessive emoji from all documentation for professional presentation

  Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com>
* Fix PluginWidget initial state and remove || true from security audit steps

  Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com>
* Remediate all failing CI checks: update deprecated actions, fix npm vulnerabilities, fix migrations YAML

  Co-authored-by: SynOSdev <257853113+SynOSdev@users.noreply.github.com>
* Fix all remaining CI failures: Node 18→20, fix test API contract, fix pytest version, fix Postgres health checks

  Co-authored-by: SynOSdev <257853113+SynOSdev@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: TLimoges33 <125313326+TLimoges33@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: SynOSdev <257853113+SynOSdev@users.noreply.github.com>
24 lines
1004 B
Markdown
Frontend 2FA UX

This backend supports TOTP-based 2FA and one-time recovery codes.

Key flows:

- Admin-assisted signup + setup
  - After creating a user via the backend while logged in as admin, an alternate cookie `session_alt` will be set.
  - Use this cookie when calling 2FA endpoints to configure TOTP for the new account without logging the admin out.

- TOTP setup
  1) POST /api/v1/auth/2fa/setup
     - Show the `otpauth_uri` QR and the plaintext `recovery_codes` once.
  2) After the user scans the QR in an authenticator, prompt for a 6-digit code.
  3) POST /api/v1/auth/2fa/enable with `{ code }`.

- Login with 2FA
  - If the login response indicates 2FA is required (401 with detail), ask the user for their TOTP code and retry including `totp_code`.
  - Provide an option to use a recovery code; if used successfully, it is consumed and cannot be used again.

Notes

- Recovery codes are displayed only once during setup. Store them securely.
- Logout should clear both `session` and `session_alt`.
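The setup and login flows above, as an added frontend example that is not part of this repository's code. It implements a small client over a fetch-compatible function and pairs it with a constructed fake backend so the whole sequence (setup, enable, TOTP login, recovery-code login, recovery-code reuse being refused) runs offline. The `/2fa/setup` and `/2fa/enable` paths, the `otpauth_uri`, `recovery_codes`, `code` and `totp_code` fields, and the "401 with detail" signal come from the page; the login path `/api/v1/auth/login`, the `recovery_code` field name, the detail text containing "2FA", and the fake server's fixed TOTP value are assumptions made for the example.

```javascript
// Added example (not the project's own code). Assumed, not on the page: the
// login path /api/v1/auth/login, the `recovery_code` field, and that the 401
// detail text mentions "2FA". The fake backend below is constructed for offline use.

const BASE = "/api/v1/auth";

async function postJson(fetchFn, path, body) {
  const res = await fetchFn(BASE + path, {
    method: "POST",
    credentials: "include", // sends `session`, or `session_alt` during admin-assisted setup
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body ?? {}),
  });
  let data = null;
  try { data = await res.json(); } catch (_) { /* non-JSON or empty body */ }
  return { status: res.status, data };
}

// Setup step 1: the QR payload and recovery codes come back exactly once.
// Render them immediately; keep them out of localStorage and long-lived state.
async function startTotpSetup(fetchFn) {
  const { status, data } = await postJson(fetchFn, "/2fa/setup");
  if (status !== 200) throw new Error(`setup failed with HTTP ${status}`);
  return { otpauthUri: data.otpauth_uri, recoveryCodes: data.recovery_codes };
}

// Setup step 3: prove the authenticator was enrolled by submitting a 6-digit code.
async function enableTotp(fetchFn, code) {
  if (!/^\d{6}$/.test(code)) return false; // reject malformed input before a round-trip
  const { status } = await postJson(fetchFn, "/2fa/enable", { code });
  return status === 200;
}

// Login: try the password alone; if the server answers 401 with a 2FA detail,
// ask the user (via askSecondFactor) for a TOTP or recovery code and retry once.
async function login(fetchFn, credentials, askSecondFactor) {
  let r = await postJson(fetchFn, "/login", credentials);
  if (r.status === 200) return { ok: true, usedRecoveryCode: false };
  const detail = r.data && r.data.detail ? String(r.data.detail) : "";
  if (r.status !== 401 || !/2fa/i.test(detail)) return { ok: false, reason: "bad credentials" };
  const second = await askSecondFactor(); // resolves to { totp_code } or { recovery_code }
  r = await postJson(fetchFn, "/login", { ...credentials, ...second });
  return { ok: r.status === 200, usedRecoveryCode: "recovery_code" in second };
}

// Constructed fake backend honouring the same contract: one user and a fixed
// TOTP value (a real server derives the expected code from the shared secret
// and the current time window). A recovery code is consumed on successful use.
function makeFakeServer() {
  const user = { password: "correct horse", totpEnabled: false, recoveryCodes: new Set() };
  const VALID_TOTP = "123456";
  const reply = (status, data) => ({ status, json: async () => data });
  return async (url, opts) => {
    const body = JSON.parse(opts.body);
    if (url.endsWith("/2fa/setup")) {
      user.recoveryCodes = new Set(["aaaa-1111", "bbbb-2222"]); // constructed sample codes
      return reply(200, {
        otpauth_uri: "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example",
        recovery_codes: [...user.recoveryCodes],
      });
    }
    if (url.endsWith("/2fa/enable")) {
      if (body.code !== VALID_TOTP) return reply(400, { detail: "invalid code" });
      user.totpEnabled = true;
      return reply(200, { enabled: true });
    }
    if (url.endsWith("/login")) {
      if (body.password !== user.password) return reply(401, { detail: "invalid credentials" });
      if (!user.totpEnabled || body.totp_code === VALID_TOTP) return reply(200, { ok: true });
      if (body.recovery_code && user.recoveryCodes.delete(body.recovery_code)) return reply(200, { ok: true });
      return reply(401, { detail: "2FA required" });
    }
    return reply(404, { detail: "not found" });
  };
}

// Walks the whole flow once and returns each outcome so it can be inspected.
async function runDemo() {
  const fetchFn = makeFakeServer();
  const creds = { username: "alice", password: "correct horse" };
  const setup = await startTotpSetup(fetchFn);
  const badCode = await enableTotp(fetchFn, "000000");
  const enabled = await enableTotp(fetchFn, "123456");
  const viaTotp = await login(fetchFn, creds, async () => ({ totp_code: "123456" }));
  const rc = setup.recoveryCodes[0];
  const viaRecovery = await login(fetchFn, creds, async () => ({ recovery_code: rc }));
  const reuse = await login(fetchFn, creds, async () => ({ recovery_code: rc })); // must be refused
  const wrongPw = await login(fetchFn, { ...creds, password: "nope" }, async () => ({}));
  return { badCode, enabled, viaTotp, viaRecovery, reuse, wrongPw };
}
```

In a browser, pass the global `fetch` in place of the fake server; `credentials: "include"` is what lets the browser attach the `session_alt` cookie during admin-assisted setup, so the client code is the same in both modes. Note that the client never retries the second factor on its own: a wrong TOTP or an already-consumed recovery code surfaces as `ok: false`, and the UI decides whether to prompt again.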