feat(2fa): implement google authenticator 2fa

- add otplib and qrcode dependencies - update user model with 2fa fields - add twoFactorCode to validation schema - implement api routes for setup, enable, disable - add 2fa verification in auth flow - add 2fa management ui in settings - implement 2fa challenge in login page
author: schererleander <leander@schererleander.de> 2025-12-26 16:24:36 +0100
committer: schererleander <leander@schererleander.de> 2025-12-26 16:24:36 +0100
commit: 67527c2f52e76725ad78719d4b0307e702bd0da1 (patch)
tree: c22ee317ce5afaa796593f11a3a2d3dff2d5ca66 /src/lib/auth.ts
parent: ca731fb137465408a3c1729c13d785f7857e67e0 (diff)
1 files changed, 19 insertions, 2 deletions
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 0ed9d12..ad47d5f 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,6 +1,7 @@
 import { type NextAuthOptions } from "next-auth"
 import CredentialsProvider from "next-auth/providers/credentials"
 import bcrypt from "bcryptjs"
+import { authenticator } from "otplib"
 import dbConnect from "./mongodb"
 import User from "@/model/User"
 import { loginSchema } from "./validation"
@@ -11,7 +12,8 @@ export const authOptions: NextAuthOptions = {
       name: "credentials",
       credentials: {
         email: { label: "Email", type: "email" },
-        password: { label: "Password", type: "password" }
+        password: { label: "Password", type: "password" },
+        twoFactorCode: { label: "2FA Code", type: "text" }
       },
       async authorize(credentials) {
         if (!credentials?.email || !credentials?.password) return null
@@ -19,7 +21,7 @@ export const authOptions: NextAuthOptions = {
         const result = loginSchema.safeParse(credentials)
         if (!result.success) return null
 
-        const { email, password } = result.data
+        const { email, password, twoFactorCode } = result.data
 
         try {
             await dbConnect()
@@ -30,6 +32,17 @@ export const authOptions: NextAuthOptions = {
             const isPasswordValid = await bcrypt.compare(password, user.password)
             if (!isPasswordValid) return null
 
+            if (user.twoFactorEnabled) {
+              if (!twoFactorCode) {
+                throw new Error("2FA_REQUIRED")
+              }
+
+              const isValid = authenticator.check(twoFactorCode, user.twoFactorSecret)
+              if (!isValid) {
+                throw new Error("Invalid 2FA Code")
+              }
+            }
+
             return {
                 id: user._id.toString(),
                 email: user.email,
@@ -38,6 +51,10 @@ export const authOptions: NextAuthOptions = {
             }
         } catch (error) {
             console.error("Auth error:", error)
+            // Rethrow specific 2FA errors so they reach the client
+            if (error instanceof Error && (error.message === "2FA_REQUIRED" || error.message === "Invalid 2FA Code")) {
+              throw error
+            }
             return null
         }
       }
author	schererleander <leander@schererleander.de>	2025-12-26 16:24:36 +0100
committer	schererleander <leander@schererleander.de>	2025-12-26 16:24:36 +0100
commit	67527c2f52e76725ad78719d4b0307e702bd0da1 (patch)
tree	c22ee317ce5afaa796593f11a3a2d3dff2d5ca66 /src/lib/auth.ts
parent	ca731fb137465408a3c1729c13d785f7857e67e0 (diff)