
two factor authentication implementation#505

Merged
Devsol-01 merged 1 commit into Devsol-01:main from Joewizy:feat/two-factor-authentication
Mar 29, 2026

Conversation

@Joewizy
Contributor

@Joewizy Joewizy commented Mar 29, 2026

Closes #464

Summary

  • Implement TOTP 2FA using Node.js crypto (RFC 6238 compliant, no external deps)
  • Add POST /auth/2fa/enable returning secret, otpauth:// URL for QR codes, and 8 backup codes
  • Add POST /auth/2fa/verify to activate 2FA after confirming a valid token
  • Login flow returns requiresTwoFactor: true when 2FA is active; complete via POST /auth/2fa/validate
  • Backup codes are single-use and consumed on login
  • Admin endpoint to disable 2FA for locked accounts (role-gated)
  • Status check endpoint at GET /auth/2fa/status

Test plan

  • Enable 2FA returns secret, otpauth URL, and 8 backup codes
  • Verify with valid TOTP token activates 2FA
  • Verify with invalid token returns 401
  • Login with 2FA enabled returns requiresTwoFactor: true instead of JWT
  • Validate with correct TOTP returns JWT
  • Validate with backup code returns JWT and consumes the code
  • Validate with invalid token returns 401
  • Disable 2FA clears secret and backup codes
  • Admin disable works for ADMIN role, rejected for USER role
  • Clock drift tolerance (±30s) works correctly

@vercel

vercel bot commented Mar 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nestera Ready Ready Preview, Comment Mar 29, 2026 11:26am

@Devsol-01 Devsol-01 merged commit 2a38542 into Devsol-01:main Mar 29, 2026
4 checks passed


Development

Successfully merging this pull request may close these issues.

Add Two-Factor Authentication (2FA) Support

2 participants