feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Three verification methods (TOTP authenticator, email code, backup codes), trusted device management with 30-day expiry, role-based enforcement for super_admin and org_admin, admin reset capability, and full test coverage (46 tests). Modifies login flow to support MFA challenge/response with temporary session tokens stored in cache. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:45:55 +02:00
parent df68aa8aef
commit 948687f27e
32 changed files with 2563 additions and 5 deletions
--- a/api/app/Http/Requests/Api/V1/Auth/MfaConfirmRequest.php
+++ b/api/app/Http/Requests/Api/V1/Auth/MfaConfirmRequest.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\Auth;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+final class MfaConfirmRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    public function rules(): array
+    {
+        return [
+            'code' => ['required', 'string'],
+        ];
+    }
+}
--- a/api/app/Http/Requests/Api/V1/Auth/MfaDisableRequest.php
+++ b/api/app/Http/Requests/Api/V1/Auth/MfaDisableRequest.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\Auth;
+
+use App\Enums\MfaMethod;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class MfaDisableRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    public function rules(): array
+    {
+        return [
+            'code' => ['required', 'string'],
+            'method' => ['required', 'string', Rule::in([
+                MfaMethod::TOTP->value,
+                MfaMethod::BACKUP_CODE->value,
+            ])],
+        ];
+    }
+}
--- a/api/app/Http/Requests/Api/V1/Auth/MfaEmailSendRequest.php
+++ b/api/app/Http/Requests/Api/V1/Auth/MfaEmailSendRequest.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\Auth;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+final class MfaEmailSendRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    public function rules(): array
+    {
+        return [
+            'mfa_session_token' => ['required', 'string'],
+        ];
+    }
+}
--- a/api/app/Http/Requests/Api/V1/Auth/MfaVerifyRequest.php
+++ b/api/app/Http/Requests/Api/V1/Auth/MfaVerifyRequest.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Requests\Api\V1\Auth;
+
+use App\Enums\MfaMethod;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
+
+final class MfaVerifyRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    public function rules(): array
+    {
+        return [
+            'mfa_session_token' => ['required', 'string'],
+            'code' => ['required', 'string'],
+            'method' => ['required', 'string', Rule::in([
+                MfaMethod::TOTP->value,
+                MfaMethod::EMAIL->value,
+                MfaMethod::BACKUP_CODE->value,
+            ])],
+            'trust_device' => ['sometimes', 'boolean'],
+            'device_fingerprint' => ['required_if:trust_device,true', 'nullable', 'string'],
+            'device_name' => ['nullable', 'string', 'max:255'],
+        ];
+    }
+}