Add 2FA enforcement and changelog

Author: adrianpk

auth/middleware.go

@@ -84,3 +84,51 @@ func ClearSessionCookie(w http.ResponseWriter) {
 	}
 	http.SetCookie(w, cookie)
 }
+
+// TOTPEnforcement configures 2FA enforcement behavior.
+type TOTPEnforcement struct {
+	Enabled   func() bool
+	GraceDays func() int
+	SetupURL  string
+}
+
+// RequireTOTP is a middleware that enforces 2FA setup.
+// It should be used after RequireAuth.
+func RequireTOTP(cfg TOTPEnforcement) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if cfg.Enabled == nil || !cfg.Enabled() {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			user, ok := GetUser(r.Context())
+			if !ok {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			if user.TOTPEnabled {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			graceDays := 0
+			if cfg.GraceDays != nil {
+				graceDays = cfg.GraceDays()
+			}
+
+			if user.InTOTPGracePeriod(graceDays) {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			setupURL := cfg.SetupURL
+			if setupURL == "" {
+				setupURL = "/totp-setup"
+			}
+
+			http.Redirect(w, r, setupURL, http.StatusSeeOther)
+		})
+	}
+}

auth/middleware_test.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/hatmaxkit/hatmax/config"
 	"github.com/hatmaxkit/hatmax/log"
@@ -227,3 +228,144 @@ func TestClearSessionCookie(t *testing.T) {
 		t.Errorf("ClearSessionCookie() cookie.MaxAge = %v, want -1", cookie.MaxAge)
 	}
 }
+
+func TestRequireTOTP(t *testing.T) {
+	tests := []struct {
+		name         string
+		cfg          TOTPEnforcement
+		user         *User
+		wantStatus   int
+		wantRedirect string
+	}{
+		{
+			name: "enforcement disabled",
+			cfg: TOTPEnforcement{
+				Enabled: func() bool { return false },
+			},
+			user:       &User{TOTPEnabled: false},
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "enforcement nil",
+			cfg:  TOTPEnforcement{},
+			user: &User{TOTPEnabled: false},
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "totp enabled",
+			cfg: TOTPEnforcement{
+				Enabled: func() bool { return true },
+			},
+			user:       &User{TOTPEnabled: true},
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "totp not enabled redirects",
+			cfg: TOTPEnforcement{
+				Enabled:   func() bool { return true },
+				GraceDays: func() int { return 0 },
+			},
+			user:         &User{TOTPEnabled: false},
+			wantStatus:   http.StatusSeeOther,
+			wantRedirect: "/totp-setup",
+		},
+		{
+			name: "custom setup url",
+			cfg: TOTPEnforcement{
+				Enabled:   func() bool { return true },
+				GraceDays: func() int { return 0 },
+				SetupURL:  "/settings/2fa",
+			},
+			user:         &User{TOTPEnabled: false},
+			wantStatus:   http.StatusSeeOther,
+			wantRedirect: "/settings/2fa",
+		},
+		{
+			name: "no user in context passes",
+			cfg: TOTPEnforcement{
+				Enabled: func() bool { return true },
+			},
+			user:       nil,
+			wantStatus: http.StatusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+
+			middleware := RequireTOTP(tt.cfg)
+			wrapped := middleware(handler)
+
+			req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+			if tt.user != nil {
+				ctx := WithUser(req.Context(), tt.user)
+				req = req.WithContext(ctx)
+			}
+
+			w := httptest.NewRecorder()
+			wrapped.ServeHTTP(w, req)
+
+			if w.Code != tt.wantStatus {
+				t.Errorf("RequireTOTP() status = %v, want %v", w.Code, tt.wantStatus)
+			}
+
+			if tt.wantRedirect != "" {
+				location := w.Header().Get("Location")
+				if location != tt.wantRedirect {
+					t.Errorf("RequireTOTP() redirect = %v, want %v", location, tt.wantRedirect)
+				}
+			}
+		})
+	}
+}
+
+func TestRequireTOTPGracePeriod(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	cfg := TOTPEnforcement{
+		Enabled:   func() bool { return true },
+		GraceDays: func() int { return 7 },
+	}
+
+	middleware := RequireTOTP(cfg)
+	wrapped := middleware(handler)
+
+	// User created recently should pass
+	recentUser := &User{
+		TOTPEnabled: false,
+		CreatedAt:   time.Now().AddDate(0, 0, -3),
+	}
+
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	ctx := WithUser(req.Context(), recentUser)
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+	wrapped.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("RequireTOTP() with grace period status = %v, want %v", w.Code, http.StatusOK)
+	}
+
+	// User created long ago should redirect
+	oldUser := &User{
+		TOTPEnabled: false,
+		CreatedAt:   time.Now().AddDate(0, 0, -30),
+	}
+
+	req = httptest.NewRequest(http.MethodGet, "/protected", nil)
+	ctx = WithUser(req.Context(), oldUser)
+	req = req.WithContext(ctx)
+
+	w = httptest.NewRecorder()
+	wrapped.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("RequireTOTP() outside grace period status = %v, want %v", w.Code, http.StatusSeeOther)
+	}
+}

auth/models.go

@@ -4,13 +4,16 @@ import "time"
 
 // User represents an authenticated user in the system.
 type User struct {
-	ID           string
-	Email        string
-	PasswordHash string
-	Roles        []string
-	Active       bool
-	CreatedAt    time.Time
-	UpdatedAt    time.Time
+	ID             string
+	Email          string
+	PasswordHash   string
+	Roles          []string
+	Active         bool
+	TOTPSecret     string
+	TOTPEnabled    bool
+	TOTPVerifiedAt *time.Time
+	CreatedAt      time.Time
+	UpdatedAt      time.Time
 }
 
 // HasRole checks if the user has the specified role.
@@ -33,6 +36,20 @@ func (u *User) HasAnyRole(roles ...string) bool {
 	return false
 }
 
+// NeedsTOTPSetup returns true if the user has not set up TOTP yet.
+func (u *User) NeedsTOTPSetup() bool {
+	return u.TOTPSecret == ""
+}
+
+// InTOTPGracePeriod returns true if the user is within the grace period.
+func (u *User) InTOTPGracePeriod(days int) bool {
+	if days <= 0 {
+		return false
+	}
+	gracePeriodEnd := u.CreatedAt.AddDate(0, 0, days)
+	return time.Now().Before(gracePeriodEnd)
+}
+
 // Session represents a user session.
 type Session struct {
 	ID        string

auth/models_test.go

@@ -1,6 +1,9 @@
 package auth
 
-import "testing"
+import (
+	"testing"
+	"time"
+)
 
 func TestUserHasRole(t *testing.T) {
 	tests := []struct {
@@ -113,3 +116,90 @@ func TestUserHasAnyRole(t *testing.T) {
 		})
 	}
 }
+
+func TestUserNeedsTOTPSetup(t *testing.T) {
+	tests := []struct {
+		name       string
+		totpSecret string
+		want       bool
+	}{
+		{
+			name:       "no secret needs setup",
+			totpSecret: "",
+			want:       true,
+		},
+		{
+			name:       "has secret no setup needed",
+			totpSecret: "JBSWY3DPEHPK3PXP",
+			want:       false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u := &User{TOTPSecret: tt.totpSecret}
+			got := u.NeedsTOTPSetup()
+			if got != tt.want {
+				t.Errorf("NeedsTOTPSetup() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestUserInTOTPGracePeriod(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name      string
+		createdAt time.Time
+		graceDays int
+		want      bool
+	}{
+		{
+			name:      "within grace period",
+			createdAt: now.AddDate(0, 0, -3),
+			graceDays: 7,
+			want:      true,
+		},
+		{
+			name:      "outside grace period",
+			createdAt: now.AddDate(0, 0, -10),
+			graceDays: 7,
+			want:      false,
+		},
+		{
+			name:      "exactly at grace period end",
+			createdAt: now.AddDate(0, 0, -7),
+			graceDays: 7,
+			want:      false,
+		},
+		{
+			name:      "zero grace days",
+			createdAt: now,
+			graceDays: 0,
+			want:      false,
+		},
+		{
+			name:      "negative grace days",
+			createdAt: now,
+			graceDays: -1,
+			want:      false,
+		},
+		{
+			name:      "created today",
+			createdAt: now,
+			graceDays: 7,
+			want:      true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u := &User{CreatedAt: tt.createdAt}
+			got := u.InTOTPGracePeriod(tt.graceDays)
+			if got != tt.want {
+				t.Errorf("InTOTPGracePeriod(%d) = %v, want %v", tt.graceDays, got, tt.want)
+			}
+		})
+	}
+}