feat(auth): add TOTP 2FA setup and login verification

- add user twofa fields and migration - add 2FA setup/enable/disable endpoints - enforce OTP on login when 2FA enabled - add web login OTP field and settings UI
2026-03-08 11:43:51 +03:00
parent e685a38be6
commit 27d3340a37
12 changed files with 287 additions and 7 deletions
--- a/app/auth/service.py
+++ b/app/auth/service.py
@@ -30,6 +30,7 @@ from app.database.session import get_db
 from app.email.service import EmailDeliveryError, EmailService, get_email_service
 from app.users.models import User
 from app.users.repository import create_user, get_user_by_email, get_user_by_id, get_user_by_username
+from app.utils.totp import build_otpauth_uri, generate_totp_secret, verify_totp_code
 from app.utils.security import (
    create_access_token,
    create_refresh_token,
@@ -132,6 +133,11 @@ async def login_user(

    if not user.email_verified:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Email not verified")
+    if user.twofa_enabled:
+        if not payload.otp_code:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="2FA code required")
+        if not user.twofa_secret or not verify_totp_code(user.twofa_secret, payload.otp_code):
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid 2FA code")

    refresh_jti = str(uuid4())
    refresh_token = create_refresh_token(str(user.id), jti=refresh_jti)
@@ -215,6 +221,43 @@ def get_request_metadata(request: Request) -> tuple[str | None, str | None]:
    return ip_address, user_agent


+async def setup_twofa(db: AsyncSession, user: User) -> tuple[str, str]:
+    if user.twofa_enabled and user.twofa_secret:
+        secret = user.twofa_secret
+    else:
+        secret = generate_totp_secret()
+        user.twofa_secret = secret
+        await db.commit()
+        await db.refresh(user)
+    otpauth_url = build_otpauth_uri(secret=secret, account_name=user.email, issuer=settings.app_name)
+    return secret, otpauth_url
+
+
+async def enable_twofa(db: AsyncSession, user: User, *, code: str) -> None:
+    if not user.twofa_secret:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="2FA is not initialized")
+    if not verify_totp_code(user.twofa_secret, code):
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid 2FA code")
+    user.twofa_enabled = True
+    await db.commit()
+    await db.refresh(user)
+
+
+async def disable_twofa(db: AsyncSession, user: User, *, code: str) -> None:
+    if not user.twofa_enabled or not user.twofa_secret:
+        user.twofa_enabled = False
+        user.twofa_secret = None
+        await db.commit()
+        await db.refresh(user)
+        return
+    if not verify_totp_code(user.twofa_secret, code):
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid 2FA code")
+    user.twofa_enabled = False
+    user.twofa_secret = None
+    await db.commit()
+    await db.refresh(user)
+
+
 async def request_password_reset(
    db: AsyncSession,
    payload: RequestPasswordResetRequest,