feat(totp): expose TOTP routes through the adapter#47
Merged
Conversation
Mount the TOTP surface in @seamless-auth/express so frontends can drive TOTP enrollment, management, and TOTP-based step-up verification: - GET /auth/totp/status - POST /auth/totp/enroll/start - POST /auth/totp/enroll/verify - POST /auth/totp/disable - POST /auth/totp/verify-mfa These proxy the caller's access session upstream, matching the step-up route pattern. They update server-side state only and mint no new session cookies. TOTP as a login second factor is intentionally out of scope: the auth API does not gate login on TOTP today, so /totp/verify-login has no trigger yet. @seamless-auth/core gains the matching access-cookie requirements and now matches cookie requirements case-insensitively. Express route matching is case-insensitive by default, so a client path whose casing differed from the mounted route (e.g. /webauthn vs /webAuthn) previously failed the case-sensitive requirement lookup, silently skipped cookie loading, and broke the request. The lookup is normalized to lower case on both sides. Adds core unit tests for the TOTP requirements and case-insensitive matching, and an express integration test covering each proxied TOTP route.
e61c422 to
bef3fdc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the TOTP surface to the
@seamless-auth/expressadapter so frontends (e.g.@seamless-auth/react) can drive TOTP enrollment, management, and TOTP-based step-up. The upstream auth API already implements these endpoints; the adapter simply didn't expose them (it whitelists routes rather than blanket-proxying).Scope was deliberately limited to what the API supports today: enrollment, disable, status, and TOTP step-up (
verify-mfa). TOTP-as-a-login-second-factor is not included, because the auth API does not currently gate login on TOTP, so/totp/verify-loginhas no trigger.Routes added (
@seamless-auth/express)All proxy the caller's access session upstream (same pattern as
/step-up/*), update server-side state only, and mint no new session cookies:GET /auth/totp/statusPOST /auth/totp/enroll/startPOST /auth/totp/enroll/verifyPOST /auth/totp/disablePOST /auth/totp/verify-mfaCore change + casing robustness (
@seamless-auth/core)COOKIE_REQUIREMENTSpath matching case-insensitive. Express route matching is case-insensitive by default, so a client path whose casing differed from the mounted route (e.g./webauthn/...vs the/webAuthn/...requirement key) previously missed the case-sensitive lookup, silently skipped cookie loading, and broke the request downstream. This removes a latent foot-gun (and unblocks any future path-casing normalization).Tests
npm run buildsucceeds.Includes a
minorchangeset for both packages.