Skip to content

feat: implement two-factor authentication (#399)#473

Open
abrak01 wants to merge 1 commit intorinafcode:mainfrom
abrak01:feat/two-factor-auth-399
Open

feat: implement two-factor authentication (#399)#473
abrak01 wants to merge 1 commit intorinafcode:mainfrom
abrak01:feat/two-factor-auth-399

Conversation

@abrak01
Copy link
Copy Markdown
Contributor

@abrak01 abrak01 commented Apr 28, 2026

  • Add TOTP generation and verification via otplib (±1 window for clock drift)
  • Add QR code generation via qrcode for authenticator app setup
  • Add 8 one-time backup codes with bcrypt hashing and single-use consumption
  • Add MfaService with setup, confirm, verify, and disable flows
  • Add MFA DTOs (ConfirmMfaDto, VerifyMfaDto, DisableMfaDto)
  • Add mfaEnabled, mfaSecret, mfaBackupCodes fields to User entity
  • Add updateMfa() to UsersService
  • Add POST /auth/mfa/setup, /mfa/confirm, /mfa/verify, DELETE /auth/mfa/disable endpoints
  • Wire MfaService into AuthModule
  • Audit log MFA_ENABLED, MFA_DISABLED, MFA_FAILED events
  • Add 12 unit tests covering TOTP and backup code utilities

Linked Issue

Closes #N

What does this PR do?

Type of change

  • ✨ New feature (non-breaking change that adds functionality)
  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • 💥 Breaking change (fix or feature that changes existing API behaviour)
  • ♻️ Refactor (no functional change, no new feature)
  • 🧪 Tests only (no production code changes)
  • 📝 Documentation only
  • 🔧 Chore (build, dependencies, CI config)

Pre-merge checklist (required)

Do not remove items. Unchecked items without an explanation will block merge.

Branch & metadata

  • Branch name follows feature/issue-<N>-<slug> / fix/issue-<N>-<slug> convention
  • Branch is up to date with the target branch (develop or main)
  • All commits and the PR title follow the Conventional Commits format with issue reference

Code quality & tests

  • npm run lint:ci — zero ESLint warnings
  • npm run format:check — Prettier reports no changes needed
  • npm run typecheck — zero TypeScript errors
  • npm run test:ci — all tests pass, coverage ≥ 70%
  • New service methods have corresponding .spec.ts unit tests
  • New API endpoints are covered by at least one e2e test
  • No existing tests were deleted (if any were, justification is provided in the PR description)

Error handling & NestJS best practices

  • All new/updated DTOs use class-validator / class-transformer decorators and are wired through NestJS pipes (e.g. global ValidationPipe or explicit)
  • All controller entry points validate external input at the boundary (no unvalidated raw any/unknown reaching the domain)
  • Controllers/services throw appropriate NestJS HTTP exceptions (e.g. BadRequestException, UnauthorizedException, ForbiddenException, NotFoundException) instead of generic Error
  • Any new error shapes are handled by existing exception filters or the filters have been updated accordingly
  • Logging goes through the shared logging abstraction (e.g. Nest Logger or central logger service) with meaningful, structured messages
  • Authentication/authorization guards (e.g. AuthGuard, role/permissions guards, custom guards) are applied to all new/modified endpoints where appropriate
  • If an endpoint is intentionally public, this is explicitly mentioned in the PR description with rationale

API documentation / Swagger

  • Swagger / OpenAPI decorators are added or updated for all new/changed controller endpoints (including DTOs, responses, and error schemas)
  • I have started the app locally and confirmed the /api (or Swagger UI) reflects new/changed endpoints correctly
  • If there are no API surface changes, this is explicitly stated in the PR description

Breaking changes

  • This PR does not introduce a breaking API change
  • OR: this PR introduces a breaking change and it is documented below, with migration notes

Breaking change description (if applicable)

Test evidence (required)

Commands run locally

# Example (edit as needed)
npm run lint:ci
npm run format:check
npm run typecheck
npm run test:ci

Manual / API verification

# Example: describe manual tests, curl commands, or Postman collections used

Screenshots / recordings (if applicable)

Closes #399

@abrak01
feat: implement two-factor authentication (rinafcode#399)
2335a83 
- Add TOTP generation and verification via otplib (±1 window for clock drift)
- Add QR code generation via qrcode for authenticator app setup
- Add 8 one-time backup codes with bcrypt hashing and single-use consumption
- Add MfaService with setup, confirm, verify, and disable flows
- Add MFA DTOs (ConfirmMfaDto, VerifyMfaDto, DisableMfaDto)
- Add mfaEnabled, mfaSecret, mfaBackupCodes fields to User entity
- Add updateMfa() to UsersService
- Add POST /auth/mfa/setup, /mfa/confirm, /mfa/verify, DELETE /auth/mfa/disable endpoints
- Wire MfaService into AuthModule
- Audit log MFA_ENABLED, MFA_DISABLED, MFA_FAILED events
- Add 12 unit tests covering TOTP and backup code utilities

Closes rinafcode#399
@RUKAYAT-CODER
Copy link
Copy Markdown
Contributor

RUKAYAT-CODER commented Apr 28, 2026

Kindly resolve conflict

@RUKAYAT-CODER
Copy link
Copy Markdown
Contributor

RUKAYAT-CODER commented Apr 29, 2026

kindly resolve conflict
If the package-lock conflicts are messy, resolve package.json first, delete package-lock.json, run npm install to regenerate it, test locally, then pull/rebase before pushing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Two-Factor Authentication

2 participants

@abrak01 @RUKAYAT-CODER