Kyle Isom
37afc68287
Add TOTP enrollment to web UI
- Profile page TOTP section with enrollment flow:
password re-auth → QR code + manual entry → 6-digit confirm
- Server-side QR code generation (go-qrcode, data: URI PNG)
- Admin "Remove TOTP" button on account detail page
- Enrollment nonces: sync.Map with 5-minute TTL, single-use
- Template fragments: totp_section.html, totp_enroll_qr.html
- Handler: handlers_totp.go (enroll start, confirm, admin remove)
Security: Password re-auth before secret generation (SEC-01).
Lockout checked before Argon2. CSRF on all endpoints. Single-use
enrollment nonces with expiry. TOTP counter replay prevention
(CRIT-01). Self-removal not permitted (admin only).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 17:39:45 -07:00
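The three security mechanisms the commit message names (single-use enrollment nonces with a 5-minute TTL held in a sync.Map, a QR/manual-entry secret, and TOTP counter replay prevention) as an added, self-contained Go example. This is not code from the commit or from handlers_totp.go; the names NonceStore, Issue, Consume, ProvisioningURI, VerifyTOTP and the lastUsed argument are assumptions, as are the RFC 6238 defaults (SHA-1, 30-second step, 6 digits, one step of clock skew either side). The QR rendering itself is omitted; the otpauth URI is what such a QR code encodes. The secret used in main and in the test is the RFC 4226/6238 test-vector secret, not a production value.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"sync"
	"time"
)

const nonceTTL = 5 * time.Minute // assumed to match the commit's 5-minute TTL

// pendingEnrollment is what a nonce maps to: the candidate secret stays
// server-side until the user proves possession with a correct code.
type pendingEnrollment struct {
	userID  string
	secret  []byte
	expires time.Time
}

// NonceStore holds single-use, expiring enrollment nonces in a sync.Map.
type NonceStore struct{ m sync.Map }

// Issue mints a fresh 160-bit secret and a random nonce bound to userID.
// Callers are expected to have re-authenticated the password first.
func (s *NonceStore) Issue(userID string, now time.Time) (string, []byte, error) {
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	nonce := hex.EncodeToString(raw)
	s.m.Store(nonce, pendingEnrollment{userID, secret, now.Add(nonceTTL)})
	return nonce, secret, nil
}

// Consume removes the nonce atomically (LoadAndDelete keeps it single-use even
// under concurrent confirm requests) and rejects expired or foreign nonces.
func (s *NonceStore) Consume(nonce, userID string, now time.Time) ([]byte, error) {
	v, ok := s.m.LoadAndDelete(nonce)
	if !ok {
		return nil, errors.New("unknown or already-used enrollment nonce")
	}
	p := v.(pendingEnrollment)
	if p.userID != userID {
		return nil, errors.New("nonce was issued to a different user")
	}
	if now.After(p.expires) {
		return nil, errors.New("enrollment nonce expired")
	}
	return p.secret, nil
}

// ProvisioningURI is the otpauth URI an enrollment QR code encodes; the
// base32 secret is also what the "manual entry" path shows the user.
func ProvisioningURI(issuer, account string, secret []byte) string {
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30",
		url.PathEscape(issuer), url.PathEscape(account), b32, url.QueryEscape(issuer))
}

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically
// truncated to a 6-digit code.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPCode is RFC 6238 with a 30-second time step.
func TOTPCode(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix())/30)
}

// VerifyTOTP accepts code for the current step or one step either side, but
// never for a step at or before lastUsed, so a captured code cannot be replayed
// inside its validity window. It returns the step to persist as the new lastUsed.
func VerifyTOTP(secret []byte, code string, t time.Time, lastUsed uint64) (uint64, bool) {
	cur := uint64(t.Unix()) / 30
	for _, step := range []uint64{cur - 1, cur, cur + 1} {
		if step <= lastUsed {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, step)), []byte(code)) {
			return step, true
		}
	}
	return lastUsed, false
}

func main() {
	var store NonceStore
	now := time.Now()
	nonce, secret, _ := store.Issue("alice", now)
	fmt.Println(ProvisioningURI("ExampleApp", "alice", secret))
	got, err := store.Consume(nonce, "alice", now.Add(time.Minute))
	step, ok := VerifyTOTP(got, TOTPCode(got, now), now, 0)
	fmt.Println("consumed:", err == nil, "code ok:", ok, "step:", step)
	_, err = store.Consume(nonce, "alice", now) // second use must fail
	fmt.Println("replayed nonce rejected:", err != nil)
}
```

Persisting the returned step per user (the "counter" the commit message refers to) is what makes the replay check survive restarts; the sync.Map here is only appropriate for the short-lived enrollment nonces, which are fine to lose on restart.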