bedita · didoda · Apr 9, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/config/app_local.example.php b/config/app_local.example.php
@@ -378,6 +378,14 @@
     //     'clientSecret' => '####',
     // ],
 
+    /**
+     * OTP authentication setup
+     */
+    // 'Otp' => [
+    //     'send' => '/otp',
+    //     'users_skip_otp' => [], // array of usernames to skip OTP authentication
+    // ],
+
     /**
      * Pagination default settings
      *

diff --git a/config/routes.php b/config/routes.php
@@ -85,6 +85,18 @@
         ['_name' => 'login:oauth2'],
     );
 
+    // OTP.
+    $routes->connect(
+        '/otp',
+        ['controller' => 'Login', 'action' => 'otp'],
+        ['_name' => 'otp'],
+    );
+    $routes->connect(
+        '/otp/verify',
+        ['controller' => 'Login', 'action' => 'otpVerify'],
+        ['_name' => 'otp:verify'],
+    );
+
     // Dashboard.
     $routes->connect(
         '/',

diff --git a/locales/default.pot b/locales/default.pot
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: BEdita 4 \n"
-"POT-Creation-Date: 2026-03-17 12:07:36 \n"
+"POT-Creation-Date: 2026-03-24 09:17:38 \n"
 "MIME-Version: 1.0 \n"
 "Content-Transfer-Encoding: 8bit \n"
 "Language-Team: BEdita I18N & I10N Team \n"
@@ -118,6 +118,9 @@ msgstr ""
 msgid "Calendar"
 msgstr ""
 
+msgid "Calendar view"
+msgstr ""
+
 msgid "Cannot create abstract objects or objects without schema"
 msgstr ""
 
@@ -325,6 +328,9 @@ msgstr ""
 msgid "External Auth"
 msgstr ""
 
+msgid "Failed to send OTP code. Please try again later."
+msgstr ""
+
 msgid "Failed to write file to disk"
 msgstr ""
 
@@ -606,6 +612,9 @@ msgstr ""
 msgid "Number of updated objects"
 msgstr ""
 
+msgid "OTP code is expired or invalid"
+msgstr ""
+
 msgid "Object Types"
 msgstr ""
 
@@ -642,6 +651,9 @@ msgstr ""
 msgid "On"
 msgstr ""
 
+msgid "One Time Password"
+msgstr ""
+
 msgid "Only my contents"
 msgstr ""
 
@@ -792,6 +804,9 @@ msgstr ""
 msgid "Request password"
 msgstr ""
 
+msgid "Resend OTP"
+msgstr ""
+
 msgid "Reset"
 msgstr ""
 
@@ -1011,6 +1026,9 @@ msgstr ""
 msgid "Verified"
 msgstr ""
 
+msgid "Verify"
+msgstr ""
+
 msgid "Version"
 msgstr ""
 

diff --git a/locales/en_US/default.po b/locales/en_US/default.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: BEdita Manager \n"
-"POT-Creation-Date: 2026-03-17 12:07:36 \n"
+"POT-Creation-Date: 2026-03-24 09:17:38 \n"
 "PO-Revision-Date:  \n"
 "Last-Translator:  \n"
 "Language-Team: BEdita I18N & I10N Team \n"
@@ -121,6 +121,9 @@ msgstr ""
 msgid "Calendar"
 msgstr ""
 
+msgid "Calendar view"
+msgstr ""
+
 msgid "Cannot create abstract objects or objects without schema"
 msgstr ""
 
@@ -328,6 +331,9 @@ msgstr ""
 msgid "External Auth"
 msgstr ""
 
+msgid "Failed to send OTP code. Please try again later."
+msgstr ""
+
 msgid "Failed to write file to disk"
 msgstr ""
 
@@ -609,6 +615,9 @@ msgstr ""
 msgid "Number of updated objects"
 msgstr ""
 
+msgid "OTP code is expired or invalid"
+msgstr ""
+
 msgid "Object Types"
 msgstr ""
 
@@ -645,6 +654,9 @@ msgstr ""
 msgid "On"
 msgstr ""
 
+msgid "One Time Password"
+msgstr ""
+
 msgid "Only my contents"
 msgstr ""
 
@@ -795,6 +807,9 @@ msgstr ""
 msgid "Request password"
 msgstr ""
 
+msgid "Resend OTP"
+msgstr ""
+
 msgid "Reset"
 msgstr ""
 
@@ -1014,6 +1029,9 @@ msgstr ""
 msgid "Verified"
 msgstr ""
 
+msgid "Verify"
+msgstr ""
+
 msgid "Version"
 msgstr ""
 

diff --git a/locales/it_IT/default.po b/locales/it_IT/default.po
@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: BEdita Manager \n"
-"POT-Creation-Date: 2026-03-17 12:07:36 \n"
+"POT-Creation-Date: 2026-03-24 09:17:38 \n"
 "PO-Revision-Date:  \n"
 "Last-Translator:  \n"
 "Language-Team: BEdita I18N & I10N Team \n"
@@ -123,6 +123,9 @@ msgstr "Operazione massiva eseguita su {0} oggetti"
 msgid "Calendar"
 msgstr "Calendario"
 
+msgid "Calendar view"
+msgstr "Vista calendario"
+
 msgid "Cannot create abstract objects or objects without schema"
 msgstr "Impossibile creare oggetti astratti o oggetti senza schema"
 
@@ -330,6 +333,9 @@ msgstr "Esporta Filtrati"
 msgid "External Auth"
 msgstr "Autenticazioni esterne"
 
+msgid "Failed to send OTP code. Please try again later."
+msgstr "Invio codice OTP fallito. Riprova più tardi."
+
 msgid "Failed to write file to disk"
 msgstr "Scrittura file su disco fallita"
 
@@ -614,6 +620,9 @@ msgstr "Numero di errori di accesso"
 msgid "Number of updated objects"
 msgstr "Numero di oggetti aggiornati"
 
+msgid "OTP code is expired or invalid"
+msgstr "Codice OTP scaduto o non valido"
+
 msgid "Object Types"
 msgstr "Tipi di Oggetto"
 
@@ -650,6 +659,9 @@ msgstr "Vecchia Password"
 msgid "On"
 msgstr ""
 
+msgid "One Time Password"
+msgstr "Codice monouso"
+
 msgid "Only my contents"
 msgstr "Solo i miei contenuti"
 
@@ -802,6 +814,9 @@ msgstr "Rimuovi"
 msgid "Request password"
 msgstr "Reimposta password"
 
+msgid "Resend OTP"
+msgstr "Invia nuovamente OTP"
+
 msgid "Reset"
 msgstr "Resetta"
 
@@ -1024,6 +1039,9 @@ msgstr "Partita Iva"
 msgid "Verified"
 msgstr "Verificato"
 
+msgid "Verify"
+msgstr "Verifica"
+
 msgid "Version"
 msgstr "Versione"
 

diff --git a/src/Application.php b/src/Application.php
@@ -1,4 +1,6 @@
 <?php
+declare(strict_types=1);
+
 /**
  * BEdita, API-first content management framework
  * Copyright 2022 ChannelWeb Srl, Chialab Srl
@@ -15,6 +17,7 @@
 use App\Event\TreeCacheEventHandler;
 use App\Identifier\ApiIdentifier;
 use App\Middleware\ConfigurationMiddleware;
+use App\Middleware\OtpMiddleware;
 use App\Middleware\ProjectMiddleware;
 use App\Middleware\RecoveryMiddleware;
 use App\Middleware\StatusMiddleware;
@@ -153,6 +156,9 @@ public function middleware($middlewareQueue): MiddlewareQueue
             // Authentication middleware.
             ->add(new AuthenticationMiddleware($this))
 
+            // Otp middleware.
+            ->add(new OtpMiddleware())
+
             // Authentication middleware.
             ->add(new OAuth2Middleware())