benya/Messenger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth(2fa): add one-time recovery codes with regenerate/status APIs
All checks were successful
CI / test (push) Successful in 40s
Details

Browse Source
This commit is contained in:
Alex
2026-03-08 19:16:15 +03:00
parent f91a6493ff
commit fb812c9a39
10 changed files with 320 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
docs/api-reference.md
View File

@@ -93,11 +93,13 @@ For `/health/ready` failure:
{
"email": "user@example.com",
"password": "strongpassword",
"otp_code": "123456"
"otp_code": "123456",
"recovery_code": "ABCDE-12345"
}
```
`otp_code` is optional and used only when 2FA is enabled.
`otp_code` is optional and used when 2FA is enabled.
`recovery_code` is optional one-time fallback when 2FA is enabled.
### TokenResponse
@@ -577,6 +579,36 @@ Body:
Response: `200` + `MessageResponse`
### POST `/api/v1/auth/2fa/recovery-codes/regenerate`
Auth required.
Body:
```json
{ "code": "123456" }
```
Response:
```json
{
"codes": ["ABCDE-12345", "FGHIJ-67890"]
}
```
Codes are one-time and shown only at generation time.
### GET `/api/v1/auth/2fa/recovery-codes/status`
Auth required.
Response:
```json
{
"remaining_codes": 8
}
```
## 6. Users endpoints
### GET `/api/v1/users/me`

2
docs/core-checklist-status.md
View File

@@ -38,7 +38,7 @@ Legend:
29. Archive - `DONE`
30. Blacklist - `DONE`
31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; policy behavior covered by integration tests, remaining UX/matrix hardening)
32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; 2FA setup now blocked after enable to prevent secret re-issuance; UX/TOTP recovery flow ongoing)
32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added; UX polish ongoing)
33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates)
34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel now hot-refreshes on `chat_updated`)
35. Additional - `PARTIAL` (drafts/link preview partial/autoload media basic)