-
Add TOTP enrollment to web UI
kyle released this
2026-03-17 00:39:45 +00:00 | 4 commits to master since this release- Profile page TOTP section with enrollment flow:
password re-auth → QR code + manual entry → 6-digit confirm - Server-side QR code generation (go-qrcode, data: URI PNG)
- Admin "Remove TOTP" button on account detail page
- Enrollment nonces: sync.Map with 5-minute TTL, single-use
- Template fragments: totp_section.html, totp_enroll_qr.html
- Handler: handlers_totp.go (enroll start, confirm, admin remove)
Security: Password re-auth before secret generation (SEC-01).
Lockout checked before Argon2. CSRF on all endpoints. Single-use
enrollment nonces with expiry. TOTP counter replay prevention
(CRIT-01). Self-removal not permitted (admin only).Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com
Downloads
- Profile page TOTP section with enrollment flow: