- pm-auth::password: Argon2id (m=65536,t=3,p=1) hashing + verification
- pm-auth::jwt: EdDSA/Ed25519 JWT issuance + validation (15-min TTL)
- pm-auth::refresh: Opaque 256-bit refresh tokens, SHA-256 hashed, 1-hour sliding inactivity timeout, rotation on use, revocable
- pm-auth::mfa_totp: TOTP setup/verify (HMAC-SHA1, 6-digit, 30s) with otpauth:// URI generation (Google Authenticator compatible)
- pm-auth::mfa_webauthn: Stub (full implementation deferred)
- pm-auth::rbac: Axum middleware for JWT auth + IP whitelist + admin/operator role enforcement + FromRequestParts extractor
- pm-auth::session: Full login flow (password → MFA → tokens), token refresh, logout, force-logout
- pm-web auth routes: POST /api/v1/auth/login|refresh|logout, GET /api/v1/auth/mfa/setup, POST /api/v1/auth/mfa/verify
- IP whitelist middleware on all protected connection points
- migrations/002_seed_admin.sql: Default admin account seed
- Frontend: Auth store (Zustand with persistence), login page with MFA prompt, MFA setup page (stepper), JWT auto-refresh interceptor, route guards (RequireAuth), updated App.tsx routing
- cargo check --workspace: zero errors, 1 minor warning

Closes M2.
52 lines
1.5 KiB
Rust
```rust
//! WebAuthn (FIDO2) MFA stub.
//!
//! Full implementation planned for M2 extension or M3.
//! WebAuthn requires stateful registration/authentication ceremonies
//! and a compatible client library (webauthn-rs).
//!
//! For M2, TOTP is the primary MFA method.
//! WebAuthn credentials are stored in the `users.webauthn_credential` JSONB
//! column and will be processed here when implemented.

use serde::{Deserialize, Serialize};
use thiserror::Error;

#[derive(Debug, Error)]
pub enum WebAuthnError {
    #[error("WebAuthn not yet implemented")]
    NotImplemented,
}

/// Placeholder for WebAuthn registration options.
#[derive(Debug, Serialize, Deserialize)]
pub struct RegistrationOptions {
    pub message: String,
}

/// Begin WebAuthn registration ceremony (stub).
pub fn begin_registration(_username: &str) -> Result<RegistrationOptions, WebAuthnError> {
    Err(WebAuthnError::NotImplemented)
}

/// Complete WebAuthn registration ceremony (stub).
pub fn complete_registration(
    _username: &str,
    _response: &serde_json::Value,
) -> Result<serde_json::Value, WebAuthnError> {
    Err(WebAuthnError::NotImplemented)
}

/// Begin WebAuthn authentication ceremony (stub).
pub fn begin_authentication(_username: &str) -> Result<serde_json::Value, WebAuthnError> {
    Err(WebAuthnError::NotImplemented)
}

/// Verify WebAuthn authentication response (stub).
pub fn verify_authentication(
    _username: &str,
    _credential: &serde_json::Value,
    _response: &serde_json::Value,
) -> Result<bool, WebAuthnError> {
    Err(WebAuthnError::NotImplemented)
}
```