mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-16 19:33:11 +02:00
feat(security): add TOTP-based multi-factor authentication with backend and UI support (#5417)
# Description of Changes This pull request introduces several improvements and new features across the authentication and admin data APIs, with a particular focus on multi-factor authentication (MFA) support and better handling of user settings. The changes include integrating MFA status into account data responses, masking sensitive user settings in admin views, and refactoring code to use more robust user creation methods. Additionally, there are minor code cleanups and consistency improvements. ### Multi-factor Authentication (MFA) Integration * Added `mfaEnabled` and `mfaRequired` fields to the `AccountData` response, populated using the new `MfaService`, to provide clients with MFA status information for users. [[1]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R430-R431) [[2]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R72) [[3]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L83-R86) [[4]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R98) [[5]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R574-R575) ### User Settings Handling and Security * Admin settings API now returns user settings for each user, with the `mfaSecret` field masked to protect sensitive information. This is achieved by fetching settings via `findByIdWithSettings` and copying/masking the relevant field before returning. [[1]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R252-R259) [[2]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L302-R322) [[3]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R378) [[4]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1R563) ### Refactoring and Code Consistency * Refactored user creation in `InitialSecuritySetup` to use the `SaveUserRequest` builder and `saveUserCore` for better maintainability and clarity, replacing direct calls to `saveUser`. [[1]](diffhunk://#diff-0c7960a6283a07c4905ac9785b2820b412574c9f86918ada30caba0356d34850R22) [[2]](diffhunk://#diff-0c7960a6283a07c4905ac9785b2820b412574c9f86918ada30caba0356d34850L116-R124) [[3]](diffhunk://#diff-0c7960a6283a07c4905ac9785b2820b412574c9f86918ada30caba0356d34850L130-R144) [[4]](diffhunk://#diff-0c7960a6283a07c4905ac9785b2820b412574c9f86918ada30caba0356d34850L140-R160) * Standardized checks for internal team membership by comparing with `TeamService.INTERNAL_TEAM_NAME` on the left side for consistency. [[1]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L267-R273) [[2]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L332-R351) [[3]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L421-R443) [[4]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L449-R471) [[5]](diffhunk://#diff-2ead183708656f2c6894b28457623820c83b1ed4b0814533caa0e8f0dd6fbcd1L462-R485) ### API and DTO Changes * Changed the login API to accept `UsernameAndPassMfa` instead of `UsernameAndPass`, paving the way for MFA code support in authentication requests. [[1]](diffhunk://#diff-9ca4f9246abe79368552264e2e18d7ed039e084c70c0794eb02cfd1b75fbd8a8L30-R41) [[2]](diffhunk://#diff-9ca4f9246abe79368552264e2e18d7ed039e084c70c0794eb02cfd1b75fbd8a8L61-R71) * Updated import statements and controller dependencies to include new DTOs and services related to MFA. [[1]](diffhunk://#diff-9ca4f9246abe79368552264e2e18d7ed039e084c70c0794eb02cfd1b75fbd8a8L14-R19) [[2]](diffhunk://#diff-9ca4f9246abe79368552264e2e18d7ed039e084c70c0794eb02cfd1b75fbd8a8R56-R57) These updates improve security, prepare the system for MFA rollout, and make admin and authentication APIs more robust and informative. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. --------- Co-authored-by: Copilot <[email protected]>
This commit is contained in:
@@ -556,6 +556,30 @@ webBrowserSettings = "Web Browser Setting"
|
||||
syncToBrowser = "Sync Account -> Browser"
|
||||
syncToAccount = "Sync Account <- Browser"
|
||||
|
||||
[account.mfa]
|
||||
title = "Two-factor authentication"
|
||||
setupFailed = "Unable to start two-factor setup. Please try again."
|
||||
codeRequired = "Enter the authentication code to continue."
|
||||
enabled = "Two-factor authentication enabled."
|
||||
enableFailed = "Unable to enable two-factor authentication. Check the code and try again."
|
||||
disabled = "Two-factor authentication disabled."
|
||||
disableFailed = "Unable to disable two-factor authentication. Check the code and try again."
|
||||
description = "Add an extra layer of security to your account."
|
||||
enableButton = "Enable two-factor authentication"
|
||||
disableButton = "Disable two-factor authentication"
|
||||
setupTitle = "Set up two-factor authentication"
|
||||
setupDescription = "Scan the QR code with your authenticator app, then enter the 6-digit code to confirm."
|
||||
manualKey = "Manual setup key"
|
||||
secretWarning = "Keep this key private. Anyone with access can generate valid authentication codes."
|
||||
codePlaceholder = "Enter 6-digit code"
|
||||
confirmEnable = "Enable"
|
||||
disableTitle = "Disable two-factor authentication"
|
||||
disableDescription = "Enter a valid authentication code to disable two-factor authentication."
|
||||
codeLabel = "Authentication code"
|
||||
confirmDisable = "Disable"
|
||||
ssoDescription = "Two-factor authentication is managed by your identity provider for single sign-on accounts."
|
||||
ssoManaged = "Configure MFA through your identity provider."
|
||||
|
||||
[adminUserSettings]
|
||||
title = "User Control Settings"
|
||||
header = "Admin User Control Settings"
|
||||
@@ -3736,6 +3760,14 @@ passwordChangedSuccess = "Password changed successfully! Please sign in with you
|
||||
credentialsUpdated = "Your credentials have been updated. Please sign in again."
|
||||
defaultCredentials = "Default Login Credentials"
|
||||
changePasswordWarning = "Please change your password after logging in for the first time"
|
||||
mfaRequired = "Two-factor code required"
|
||||
mfaCode = "Authentication Code"
|
||||
enterMfaCode = "Enter 6-digit code"
|
||||
mfaPromptTitle = "Two-factor authentication"
|
||||
mfaPromptBody = "Enter the authentication code from your authenticator app to continue."
|
||||
verifyingMfa = "Verifying..."
|
||||
verifyMfa = "Verify code"
|
||||
|
||||
|
||||
[login.slides.overview]
|
||||
alt = "Stirling PDF overview"
|
||||
@@ -5826,6 +5858,7 @@ usernameRequired = "Username and password are required"
|
||||
passwordTooShort = "Password must be at least 6 characters"
|
||||
success = "User created successfully"
|
||||
error = "Failed to create user"
|
||||
forceMFA = "Force MFA setup on next login"
|
||||
|
||||
[workspace.people.authType]
|
||||
password = "Password"
|
||||
@@ -5935,6 +5968,11 @@ slotsAvailable = "{{count}} user slot(s) available"
|
||||
noSlotsAvailable = "No slots available"
|
||||
currentUsage = "Currently using {{current}} of {{max}} user licences"
|
||||
|
||||
[workspace.people.mfa]
|
||||
adminDisableSuccess = "MFA disabled successfully for user"
|
||||
adminDisableError = "Failed to disable MFA for user"
|
||||
disableByAdmin = "Disable MFA"
|
||||
|
||||
[workspace.teams]
|
||||
title = "Teams"
|
||||
description = "Manage teams and organize workspace members"
|
||||
|
||||
Reference in New Issue
Block a user