feat: add preflight MFA endpoint and service method for enhanced authentication flow

- Introduced a new preflight endpoint in AuthController to check for MFA requirements without creating a session.
- Implemented preflightLocalMfa method in AuthService to handle MFA challenge logic, including brute force protection and user validation.
- Updated the login Vue component to utilize the new preflight endpoint for improved user experience during authentication.

Author: tacxou

apps/api/src/core/auth/auth.controller.ts

@@ -176,6 +176,30 @@ export class AuthController extends AbstractController {
     });
   }
 
+  @Post('local/preflight')
+  @ApiOperation({ summary: 'Préflight MFA (ne crée pas de session)' })
+  public async preflightLocal(
+    @Res() res: Response,
+    @Req() req: Request,
+    @Body() body: LocalLoginBody,
+  ): Promise<Response> {
+    const payload = body?.body && typeof body.body === 'object' ? body.body : body;
+    const ip = resolveClientIp(req) ?? null;
+    const username = `${payload?.username || ''}`.trim();
+    const password = `${payload?.password || ''}`;
+
+    const preflight = await this.service.preflightLocalMfa(username, password, ip ?? undefined);
+    if (!preflight?.requires2fa) {
+      return res.status(HttpStatus.OK).json({ requires2fa: false });
+    }
+
+    return res.status(HttpStatus.OK).json({
+      requires2fa: true,
+      challengeToken: preflight.challengeToken,
+      method: 'totp',
+    });
+  }
+
   @Post('local/2fa/verify')
   @ApiOperation({ summary: 'Validation du code TOTP pour finaliser la connexion' })
   public async verifyLocal2fa(

apps/api/src/core/auth/auth.service.ts

@@ -182,6 +182,48 @@ export class AuthService extends AbstractService implements OnModuleInit {
     }
   }
 
+  public async preflightLocalMfa(
+    username: string,
+    password: string,
+    clientIp?: string,
+  ): Promise<{ requires2fa: true; challengeToken: string } | { requires2fa: false }> {
+    const ip = this.normalizeClientIp(clientIp);
+    const normalizedUsername = `${username || ''}`.trim();
+    const normalizedPassword = `${password || ''}`;
+    if (!normalizedUsername || !normalizedPassword.trim()) return { requires2fa: false };
+
+    try {
+      const block = await this.getLocalBruteforceBlock({ username: normalizedUsername, ip });
+      if (block.blocked) {
+        // Préflight choisi en 200 générique: ne pas révéler le blocage, mais ne pas offrir de contournement.
+        await this.registerLocalBruteforceFailure({ username: normalizedUsername, ip });
+        return { requires2fa: false };
+      }
+
+      const user = await this.agentsService.findOne<Agents>({ username: normalizedUsername });
+      if (!user || !(await argon2Verify(user.password, normalizedPassword))) {
+        await this.registerLocalBruteforceFailure({ username: normalizedUsername, ip });
+        return { requires2fa: false };
+      }
+
+      if (user?.state?.current !== AgentState.ACTIVE) return { requires2fa: false };
+      if (!this.isClientIpAllowed(user?.security?.allowedNetworks, ip)) return { requires2fa: false };
+
+      // Credentials valides: reset du compteur pour éviter de pénaliser un utilisateur légitime.
+      await this.clearLocalBruteforceState({ username: normalizedUsername, ip });
+
+      if (!this.isTotpEnabledForUser(user)) return { requires2fa: false };
+      const challengeToken = await this.createMfaChallenge(user);
+      return { requires2fa: true, challengeToken };
+    } catch (e) {
+      this.logger.warn(
+        `[preflight-mfa] failed username=${normalizedUsername} ip=${ip || 'n/a'}`,
+        e instanceof Error ? e.stack : undefined,
+      );
+      return { requires2fa: false };
+    }
+  }
+
   public async getLocalBruteforceBlock(params: {
     username: string;
     ip: string | null;

apps/web/src/pages/login.vue

@@ -114,6 +114,15 @@ export default defineNuxtComponent({
     isRecord(value: unknown): value is Record<string, unknown> {
       return Boolean(value) && typeof value === 'object' && !Array.isArray(value)
     },
+    getAuthUser(auth: unknown): Record<string, unknown> | null {
+      if (!this.isRecord(auth)) return null
+      const user = auth['user']
+      if (this.isRecord(user)) return user
+      if (this.isRecord(user) && this.isRecord((user as Record<string, unknown>)['value'])) {
+        return (user as Record<string, unknown>)['value'] as Record<string, unknown>
+      }
+      return null
+    },
     getErrorStatus(error: unknown): number | null {
       const anyErr = this.isRecord(error) ? error : {}
       const response = this.isRecord(anyErr.response) ? anyErr.response : {}
@@ -245,8 +254,7 @@ export default defineNuxtComponent({
           },
         })
         await auth.fetchUser()
-        const authAny = auth as unknown as { user?: { value?: unknown } | unknown }
-        const authUser = (this.isRecord(authAny.user) ? authAny.user : null) || (this.isRecord(authAny.user?.value) ? authAny.user.value : null)
+        const authUser = this.getAuthUser(auth)
         const responsePayload = this.extractPayload(response)
         const uri = this.getPostLoginRedirect((this.isRecord(authUser) ? (authUser.baseURL as string | undefined) : undefined) || (responsePayload.uri as string | undefined))
         this.showTotpDialog = false
@@ -272,7 +280,7 @@ export default defineNuxtComponent({
         const auth = useAuth()
         let response: unknown = null
         if (!this.requires2fa) {
-          const preAuthResponse = await this.$http.post('/core/auth/local', {
+          const preAuthResponse = await this.$http.post('/core/auth/local/preflight', {
             body: {
               username: this.formData.username,
               password: this.formData.password,
@@ -302,8 +310,7 @@ export default defineNuxtComponent({
           return
         }
         await auth.fetchUser()
-        const authAny = auth as unknown as { user?: { value?: unknown } | unknown }
-        const authUser = (this.isRecord(authAny.user) ? authAny.user : null) || (this.isRecord(authAny.user?.value) ? authAny.user.value : null)
+        const authUser = this.getAuthUser(auth)
         const responsePayload = this.extractPayload(response)
         const uri = this.getPostLoginRedirect((this.isRecord(authUser) ? (authUser.baseURL as string | undefined) : undefined) || (responsePayload.uri as string | undefined))
         await this.$router.push(uri)