Skip to content

feat(totp): expose TOTP routes through the adapter#47

Merged
Bccorb merged 1 commit into
devfrom
feat/totp-mfa-routes
Jul 7, 2026
Merged

feat(totp): expose TOTP routes through the adapter#47
Bccorb merged 1 commit into
devfrom
feat/totp-mfa-routes

Conversation

@Bccorb

@Bccorb Bccorb commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds the TOTP surface to the @seamless-auth/express adapter so frontends (e.g. @seamless-auth/react) can drive TOTP enrollment, management, and TOTP-based step-up. The upstream auth API already implements these endpoints; the adapter simply didn't expose them (it whitelists routes rather than blanket-proxying).

Scope was deliberately limited to what the API supports today: enrollment, disable, status, and TOTP step-up (verify-mfa). TOTP-as-a-login-second-factor is not included, because the auth API does not currently gate login on TOTP, so /totp/verify-login has no trigger.

Routes added (@seamless-auth/express)

All proxy the caller's access session upstream (same pattern as /step-up/*), update server-side state only, and mint no new session cookies:

  • GET /auth/totp/status
  • POST /auth/totp/enroll/start
  • POST /auth/totp/enroll/verify
  • POST /auth/totp/disable
  • POST /auth/totp/verify-mfa

Core change + casing robustness (@seamless-auth/core)

  • Adds access-cookie requirements for the TOTP paths.
  • Makes COOKIE_REQUIREMENTS path matching case-insensitive. Express route matching is case-insensitive by default, so a client path whose casing differed from the mounted route (e.g. /webauthn/... vs the /webAuthn/... requirement key) previously missed the case-sensitive lookup, silently skipped cookie loading, and broke the request downstream. This removes a latent foot-gun (and unblocks any future path-casing normalization).

Tests

  • Core: TOTP requirement coverage + a case-insensitive matching regression test.
  • Express: integration tests for each proxied TOTP route, plus an unauthenticated-rejection check.
  • Full suite: core 42 passing, express 30 passing. npm run build succeeds.

Includes a minor changeset for both packages.

Base branch set to dev (where the current unreleased changesets live) — retarget to main if that's the intended flow.

Mount the TOTP surface in @seamless-auth/express so frontends can drive TOTP
enrollment, management, and TOTP-based step-up verification:

- GET  /auth/totp/status
- POST /auth/totp/enroll/start
- POST /auth/totp/enroll/verify
- POST /auth/totp/disable
- POST /auth/totp/verify-mfa

These proxy the caller's access session upstream, matching the step-up route
pattern. They update server-side state only and mint no new session cookies.
TOTP as a login second factor is intentionally out of scope: the auth API does
not gate login on TOTP today, so /totp/verify-login has no trigger yet.

@seamless-auth/core gains the matching access-cookie requirements and now
matches cookie requirements case-insensitively. Express route matching is
case-insensitive by default, so a client path whose casing differed from the
mounted route (e.g. /webauthn vs /webAuthn) previously failed the case-sensitive
requirement lookup, silently skipped cookie loading, and broke the request. The
lookup is normalized to lower case on both sides.

Adds core unit tests for the TOTP requirements and case-insensitive matching,
and an express integration test covering each proxied TOTP route.
@Bccorb Bccorb force-pushed the feat/totp-mfa-routes branch from e61c422 to bef3fdc Compare July 7, 2026 01:20
@Bccorb Bccorb merged commit 5388ade into dev Jul 7, 2026
2 checks passed
@Bccorb Bccorb deleted the feat/totp-mfa-routes branch July 7, 2026 19:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant