Feat/2fa

[nicolasrouanne]

Description

Closes #7003
Implements 2FA with TOTP.

Warning

This is a draft PR, with only partial changes, made as a mean of discussion about #7003 (it's easier to reason about real code)

Behaviour

• a totpSecret is stored for each user
• use otplib to create a QR code and to validate an otp against an totpSecret (great demo website by otplib)
• OTP is asked upon each login attempt

Source

Inspired by:

• RFC 6238
• Cal.com's implementation of 2FA, namely
  • raising a 401 when missing OTP and 2FA is enabled, with a specific error code
  • catching the 401 in the frontend and displaying the OTP input

Remaining

• encrypt totpSecret at rest using a symetric algorithm

[nicolasrouanne]

I added the twoFactorMethods relation in UserWorkspace, but for some reason, typeorm can't seem to find the association

/Users/nicolasrouanne/dev/twenty/src/metadata-builder/EntityMetadataBuilder.ts:1111
        entityMetadata.relations.forEach((relation) => {
                                 ^
TypeORMError: Entity metadata for UserWorkspace#twoFactorMethods was not found. Check if you specified a correct entity object and if it's connected in the connection options.
    at /Users/nicolasrouanne/dev/twenty/src/metadata-builder/EntityMetadataBuilder.ts:1121:23

[nicolasrouanne]

After a quick chat with @FelixMalfait on Discord, it's probably a module-wiring issue. We are going to add the TwoFactorModule to AuthModule, to ensure it's properly loaded

[nicolasrouanne]

Actually fixed by @FelixMalfait on 59f84ba 🙏🏻

[FelixMalfait]

Good first step! Thank you!!!

[greptile-apps]

PR Summary

This PR introduces the initial database and service layer for Two-Factor Authentication (2FA) using TOTP (Time-based One-Time Password).

• Missing critical totpSecret column in TwoFactorMethod entity and migration for storing TOTP secrets
• TwoFactorMethodService needs additional methods for TOTP validation and secret generation using the otplib package
• Consider adding status/type fields to TwoFactorMethod entity to track enabled/disabled state and authentication method type
• Security concern: Need to implement encryption for TOTP secrets at rest as noted in PR description
• UserWorkspace to TwoFactorMethod relationship allows multiple 2FA methods per user, but business logic for handling multiple methods isn't implemented yet

_{💡 (3/5) Reply to the bot's comments like "Can you suggest a fix for this @greptileai?" or ask follow-up questions!}

_{8 file(s) reviewed, 8 comment(s)
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

logic: findAll() without any filters could expose all 2FA methods. Consider adding workspace-level filtering for security.

[nicolasrouanne]

This whole service file was added as a proof of concept. It might be nice to clean it a bit. Can do it this afternoon.

[greptile-apps]

logic: No verification that the caller has permission to remove the 2FA method. Add authorization check.

[greptile-apps]

logic: missing @field decorator for GraphQL exposure of twoFactorMethods - this field won't be queryable via GraphQL

[greptile-apps]

style: consider adding cascade option to automatically handle deletion of associated TwoFactorMethod records

[charlesBochet]

I'm a bit confused, this table does provide any information? no type, token, etc. why is it useful then?

[nicolasrouanne]

It's because this PR is heavily WIP, nothing is really done. But:

• the token will be derived from the Primary Key of this table
• we only have one 2FA type which is TOTP, that's why we don't store it

Does it make sense?

[charlesBochet]

general about the naming: shouldn't we use two-factor-authentication instead of two-factor-method which seems more standard?

• for data model: two-factor-method makes sense as a shortcut for two-factor-authentication-method
• but for the module I would name it two-factor-authentication

[charlesBochet]

this shouldn't exist IMO:

• if this endpoint is meant to be part of the "engine api" long term (usable by business modules), I don't think we should authorize such a getter (findAll)
• if this endpoint is meant to be used within the engine, it's not useful as we can just call the ORM direclty and there is no additional business logic to wrap

[charlesBochet]

same

[charlesBochet]

same

[nicolasrouanne]

@charlesBochet I see your review and I'm sorry about a few things:

• this PR wasn't really meant for review, apart from the general direction of creating a TwoFactorMethod entity and link it to the UserWorkspace
• I haven't pushed it through because I was blocked by a module-wiring issue, and @FelixMalfait fixed it in 59f84ba
• I added some dummy generated service methods and will only leave the relevant ones: create; Maybe findOne is relevant, or you prefer calling the ORM directly?

Now that I'm unblocked, I can add unit tests, auth logic in the resolvers, and remove all the cruft before merging. Frontend can be done in a separate task, but this is probably too raw right now to merge as is.

[FelixMalfait]

Sorry @nicolasrouanne I think there was a miscommunication between me and @charlesBochet - agree with your points and keep the discussed approach which is to do partial merges along the way

[charlesBochet]

Ok, let's merge it, my commentaries are non blocking. More than happy with the iterative paths as long as the comments are addressed or discussed in upcoming PRs

[github-actions]

	Fails
🚫	node failed.

Log

�[31mError: �[39m SyntaxError: Unexpected token C in JSON at position 0
    at JSON.parse (<anonymous>)
�[90m    at parseJSONFromBytes (node:internal/deps/undici/undici:5584:19)�[39m
�[90m    at successSteps (node:internal/deps/undici/undici:5555:27)�[39m
�[90m    at fullyReadBody (node:internal/deps/undici/undici:1665:9)�[39m
�[90m    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)�[39m
�[90m    at async specConsumeBody (node:internal/deps/undici/undici:5564:7)�[39m
danger-results://tmp/danger-results-717cd744.json

Generated by 🚫 dangerJS against 0d6291d