Feat/be 13 two factor authentication#1014
Merged
yusuftomilola merged 2 commits intoJun 26, 2026
Merged
Conversation
|
@warisu is attempting to deploy a commit to the naijabuz's projects Team on Vercel. A member of the Team first needs to authorize it. |
yusuftomilola
approved these changes
Jun 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements Time-based One-Time Password (TOTP) two-factor authentication (2FA) to strengthen account security. Users can now configure an authenticator application, enable or disable 2FA, and complete login using a secondary verification step when 2FA is enabled.
Changes
User Entity & Persistence
twoFactorSecretfield to the User entity.Two-Factor Authentication
POST /auth/2fa/setupto generate TOTP secrets and QR codes for authenticator apps.POST /auth/2fa/enableto verify initial TOTP setup and activate 2FA.POST /auth/2fa/disableto securely disable 2FA after code verification.POST /auth/2fa/authenticateto complete the second authentication step and issue access tokens.Authentication Flow
Updated login flow to support conditional 2FA authentication.
Users with 2FA enabled now receive:
{ "requiresTwoFactor": true, "tempToken": "..." }instead of immediate access and refresh tokens.
Added temporary authentication token generation and validation.
Added final token exchange flow after successful TOTP verification.
Security
Testing
Acceptance Criteria Covered
twoFactorSecretfield to User entityPOST /auth/2fa/setupPOST /auth/2fa/enablePOST /auth/2fa/disablePOST /auth/2fa/authenticatePOST /auth/loginto support 2FA challenge flowRelated Issue
Closes #886
Closes #878