feat: implement MFA enhancements and agent authentication improvements

- Added MFA (Multi-Factor Authentication) support by introducing MfaGuard and related decorators to enforce MFA requirements on specific routes.
- Enhanced the authentication process to include TOTP (Time-based One-Time Password) verification, allowing for a more secure login experience.
- Updated the AgentsController to handle MFA challenges and verification, ensuring that only users who pass MFA can access sensitive operations.
- Refactored the AuthService to manage MFA challenges and verification logic, improving the overall security of the authentication flow.
- Implemented additional logging for MFA-related actions to enhance audit capabilities and track user authentication attempts more effectively.

Author: tacxou

apps/api/src/_common/guards/mfa.guard.ts

@@ -1,10 +1,14 @@
 import { CanActivate, ExecutionContext, ForbiddenException, Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
 import { Reflector } from '@nestjs/core';
 import { META_REQUIRE_MFA } from '~/_common/decorators/require-mfa.decorator';
 
 @Injectable()
 export class MfaGuard implements CanActivate {
-  public constructor(private readonly reflector: Reflector) {}
+  public constructor(
+    private readonly reflector: Reflector,
+    private readonly config: ConfigService,
+  ) {}
 
   public canActivate(context: ExecutionContext): boolean {
     const requiresMfa = this.reflector.getAllAndOverride<boolean>(META_REQUIRE_MFA, [
@@ -13,8 +17,16 @@ export class MfaGuard implements CanActivate {
     ]);
     if (!requiresMfa) return true;
 
-    const request = context.switchToHttp().getRequest<{ user?: { mfaVerified?: boolean } }>();
-    if (request?.user?.mfaVerified) return true;
-    throw new ForbiddenException('MFA required');
+    const request = context.switchToHttp().getRequest<{ user?: { mfaVerified?: boolean; mfaVerifiedAt?: number | null } }>();
+    if (!request?.user?.mfaVerified) throw new ForbiddenException('MFA required');
+
+    const maxAgeSeconds = this.config.get<number>('application.mfaStepUpMaxAgeSeconds', 5 * 60);
+    const maxAgeMs = Math.max(0, maxAgeSeconds) * 1000;
+    if (maxAgeMs <= 0) return true;
+
+    const verifiedAt = typeof request.user.mfaVerifiedAt === 'number' ? request.user.mfaVerifiedAt : null;
+    if (!verifiedAt) throw new ForbiddenException('MFA required');
+    if (Date.now() - verifiedAt > maxAgeMs) throw new ForbiddenException('MFA required');
+    return true;
   }
 }

apps/api/src/config.ts

@@ -220,6 +220,7 @@ export interface ConfigInstance {
       key: string;
       cert: string;
     }
+    mfaStepUpMaxAgeSeconds: number
   }
   helmet: HelmetOptions
   mongoose: {
@@ -319,6 +320,7 @@ export default (): ConfigInstance => ({
       key: process.env['SESAME_HTTPS_PATH_KEY'] || '',
       cert: process.env['SESAME_HTTPS_PATH_CERT'] || '',
     },
+    mfaStepUpMaxAgeSeconds: parseInt(process.env['SESAME_MFA_STEPUP_MAX_AGE_SECONDS'] || `${5 * 60}`, 10),
   },
   helmet: {
     contentSecurityPolicy: {

apps/api/src/core/agents/agents.controller.ts

@@ -378,7 +378,11 @@ export class AgentsController extends AbstractController {
   }
 
   @Post('me/mfa/totp/disable')
-  public async disableTotpSelf(@ReqIdentity() identity: AgentType, @Res() res: Response): Promise<Response> {
+  public async disableTotpSelf(
+    @ReqIdentity() identity: AgentType,
+    @Body() body: { otpCode?: string },
+    @Res() res: Response,
+  ): Promise<Response> {
     const currentAgent = await this._service.findById<Agents>(identity._id as Types.ObjectId);
     const currentSecurity =
       currentAgent?.security && typeof currentAgent.security === 'object'
@@ -387,6 +391,26 @@ export class AgentsController extends AbstractController {
           : { ...(currentAgent.security as unknown as Record<string, unknown>) }
         : {};
 
+    const currentOtpKey = `${(currentSecurity as any)?.otpKey || ''}`.trim().replace(/\s+/g, '').toUpperCase();
+    if (!currentOtpKey) {
+      throw new BadRequestException('MFA TOTP non activé');
+    }
+
+    const otpCode = `${body?.otpCode || ''}`.trim();
+    if (!otpCode) {
+      throw new BadRequestException('Code OTP requis');
+    }
+
+    const isValid = speakeasy.totp.verify({
+      secret: currentOtpKey,
+      token: otpCode,
+      encoding: 'base32',
+      window: 1,
+    });
+    if (!isValid) {
+      throw new BadRequestException('Code OTP invalide');
+    }
+
     const data = await this._service.update(
       identity._id as Types.ObjectId,
       {

apps/api/src/core/auth/_strategies/jwt.strategy.ts

@@ -28,7 +28,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
   // noinspection JSUnusedGlobalSymbols
   public async validate(
     _: Request,
-    payload: JwtPayload & { identity: AgentType; mfaVerified?: boolean },
+    payload: JwtPayload & { identity: AgentType; mfaVerified?: boolean; mfaVerifiedAt?: number | null },
     done: VerifiedCallback,
   ): Promise<void> {
     this.logger.verbose(`Atempt to authenticate with JTI: <${payload.jti}>`);
@@ -51,6 +51,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
       ...payload?.identity,
       roles,
       mfaVerified: !!payload?.mfaVerified,
+      mfaVerifiedAt: typeof payload?.mfaVerifiedAt === 'number' ? payload.mfaVerifiedAt : null,
     });
   }
 }

apps/api/src/core/auth/auth.service.ts

@@ -385,8 +385,9 @@ export class AuthService extends AbstractService implements OnModuleInit {
     const normalizedIdentity = typeof identity?.toObject === 'function' ? identity.toObject() : identity;
     const jwtid = `${identity._id}_${randomBytes(16).toString('hex')}`;
     const mfaVerified = !!options?.mfaVerified;
+    const mfaVerifiedAt = mfaVerified ? Date.now() : null;
     const access_token = this.jwtService.sign(
-      { identity: pick(normalizedIdentity, ['_id', 'username', 'email', 'token', 'roles']), scopes, mfaVerified },
+      { identity: pick(normalizedIdentity, ['_id', 'username', 'email', 'token', 'roles']), scopes, mfaVerified, mfaVerifiedAt },
       {
         expiresIn: this.ACCESS_TOKEN_EXPIRES_IN,
         jwtid,
@@ -405,6 +406,7 @@ export class AuthService extends AbstractService implements OnModuleInit {
         JSON.stringify({
           identityId: identity._id,
           mfaVerified,
+          mfaVerifiedAt,
         }),
       );
     }
@@ -419,6 +421,7 @@ export class AuthService extends AbstractService implements OnModuleInit {
         identity: userIdentity.toJSON(),
         refresh_token,
         mfaVerified,
+        mfaVerifiedAt,
       }),
       'EX',
       this.ACCESS_TOKEN_EXPIRES_IN,

apps/web/nuxt.config.ts

@@ -130,13 +130,8 @@ export default defineNuxtConfig({
           logout: { url: `/api/core/auth/logout`, method: 'post' },
           user: { url: `/api/core/auth/session`, method: 'get' },
         },
-        redirect: {
-          logout: '/login',
-          login: '/',
-        },
-        tokenType: 'Bearer',
         autoRefresh: true,
-      },
+      } as any,
     },
     stores: {
       pinia: {

apps/web/src/pages/profile.vue

@@ -354,7 +354,31 @@ export default defineNuxtComponent({
     async disableTotp() {
       this.pendingTotpDisable = true
       try {
-        await this.$http.post('/core/agents/me/mfa/totp/disable')
+        const otpCode = await new Promise<string>((resolve, reject) => {
+          this.$q
+            .dialog({
+              title: 'Désactiver le MFA',
+              message: 'Entrez votre code TOTP à 6 chiffres pour confirmer.',
+              prompt: {
+                model: '',
+                type: 'text',
+                isValid: (val: string) => /^\d{6}$/.test(String(val || '').trim()),
+              },
+              cancel: true,
+              persistent: true,
+              color: 'warning',
+              ok: { label: 'Désactiver', color: 'warning' },
+            })
+            .onOk((val: string) => resolve(val))
+            .onCancel(() => reject(new Error('Disable TOTP cancelled')))
+            .onDismiss(() => reject(new Error('Disable TOTP dismissed')))
+        })
+
+        await this.$http.post('/core/agents/me/mfa/totp/disable', {
+          body: {
+            otpCode: String(otpCode || '').trim(),
+          },
+        })
         this.isTotpEnabled = false
         this.cancelTotpSetup()
         this.$q.notify({

apps/web/src/plugins/http-mfa.client.ts

@@ -20,6 +20,14 @@ export default defineNuxtPlugin((nuxtApp) => {
 
   let inFlightStepUp: Promise<void> | null = null
 
+  const isSettingsContext = (): boolean => {
+    try {
+      const r = useRoute()
+      return typeof r?.fullPath === 'string' && r.fullPath.startsWith('/settings')
+    } catch {
+      return false
+    }
+  }
   const ensureStepUp = async () => {
     if (inFlightStepUp) return await inFlightStepUp
     if (!rawHttpRef) throw new Error('HTTP client not ready')
@@ -121,12 +129,20 @@ export default defineNuxtPlugin((nuxtApp) => {
   const wrap = (fn: any, kind: 'read' | 'write') => {
     if (typeof fn !== 'function') return fn
     return async (...args: any[]) => {
+      const url = args?.[0]
+      // Never intercept the step-up endpoint itself.
+      if (typeof url === 'string' && url.startsWith('/core/auth/mfa/step-up')) {
+        return await fn(...args)
+      }
+
       try {
         return await fn(...args)
       } catch (error: any) {
         if (!isMfaRequiredError(error)) throw error
         // Only step-up for explicit "save" / write intents.
         if (kind !== 'write') throw error
+        // Only prompt for step-up on sensitive settings pages.
+        if (!isSettingsContext()) throw error
         await ensureStepUp()
         return await fn(...args)
       }