feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Three verification methods (TOTP authenticator, email code, backup codes), trusted device management with 30-day expiry, role-based enforcement for super_admin and org_admin, admin reset capability, and full test coverage (46 tests). Modifies login flow to support MFA challenge/response with temporary session tokens stored in cache. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:45:55 +02:00
parent df68aa8aef
commit 948687f27e
32 changed files with 2563 additions and 5 deletions
--- a/api/app/Enums/EmailTemplateType.php
+++ b/api/app/Enums/EmailTemplateType.php
@@ -12,6 +12,7 @@ enum EmailTemplateType: string
    case REGISTRATION_APPROVED = 'registration_approved';
    case REGISTRATION_REJECTED = 'registration_rejected';
    case SHIFT_ASSIGNMENT = 'shift_assignment';
+    case MFA_CODE = 'mfa_code';

    public function label(): string
    {
@@ -22,6 +23,7 @@ enum EmailTemplateType: string
            self::REGISTRATION_APPROVED => 'Registratie goedgekeurd',
            self::REGISTRATION_REJECTED => 'Registratie afgewezen',
            self::SHIFT_ASSIGNMENT => 'Diensttoewijzing',
+            self::MFA_CODE => 'MFA verificatiecode',
        };
    }

@@ -70,6 +72,12 @@ enum EmailTemplateType: string
                'body_text' => 'Je bent ingedeeld voor de volgende dienst: {shift_title} op {shift_date} van {shift_start} tot {shift_end} bij {section_name}. Log in op het portaal voor meer details.',
                'button_text' => 'Bekijk je diensten',
            ],
+            self::MFA_CODE => [
+                'subject' => 'Je verificatiecode voor Crewli',
+                'heading' => 'Verificatiecode',
+                'body_text' => 'Je verificatiecode is: {code}. Deze code is {expiry_minutes} minuten geldig. Als je dit niet hebt aangevraagd, wijzig dan direct je wachtwoord.',
+                'button_text' => null,
+            ],
        };
    }
 }
--- a/api/app/Enums/MfaMethod.php
+++ b/api/app/Enums/MfaMethod.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Enums;
+
+enum MfaMethod: string
+{
+    case TOTP = 'totp';
+    case EMAIL = 'email';
+    case BACKUP_CODE = 'backup_code';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::TOTP => 'Authenticator app',
+            self::EMAIL => 'E-mailcode',
+            self::BACKUP_CODE => 'Backup code',
+        };
+    }
+}