feat: add TOTP 2FA, API key switcher, login progress bar, and alpha hardening plan

- TOTP 2FA: full setup/confirm/disable/login flow with Argon2id + ChaCha20-Poly1305
  encrypted secret storage, QR code generation, and bcrypt-hashed backup codes
- API key switcher: OAuth vs personal API key toggle in AIUI chat settings with
  status indicator, key validation, and help text
- Login progress bar: server startup detection with health check polling, form
  disabled until server is ready
- AI quarantine docs: comprehensive HTML page documenting all 6 security layers
- Settings: AI Data Access permission toggles with per-category control
- Alpha hardening plan: 28-task overnight automation plan across 7 phases
  (onboarding, login, app install, AIUI, UI polish, security, ISO build)
- Backlog: node discovery spatial map feature for alpha demo

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-06 12:23:57 +00:00
parent 0b3c23ff76
commit e55fd3baf0
16 changed files with 2402 additions and 152 deletions

View File

@@ -5,6 +5,7 @@ mod lnd;
mod node;
mod package;
mod peers;
mod totp;
use crate::auth::AuthManager;
use crate::config::Config;
@@ -44,6 +45,8 @@ pub(crate) const DEV_DEFAULT_PASSWORD: &str = "password123";
/// Methods that do not require a valid session cookie.
const UNAUTHENTICATED_METHODS: &[&str] = &[
"auth.login",
"auth.login.totp",
"auth.login.backup",
"auth.isOnboardingComplete",
"health",
];
@@ -150,54 +153,70 @@ impl RpcHandler {
}
}
// Extract params; clone for post-routing use (login 2FA check needs password)
let params = rpc_req.params;
let login_params: Option<serde_json::Value> = if rpc_req.method == "auth.login" {
params.clone()
} else {
None
};
// Route to handler
let result = match rpc_req.method.as_str() {
"echo" => self.handle_echo(rpc_req.params).await,
"server.echo" => self.handle_echo(rpc_req.params).await,
"auth.login" => self.handle_auth_login(rpc_req.params).await,
"echo" => self.handle_echo(params).await,
"server.echo" => self.handle_echo(params).await,
"auth.login" => self.handle_auth_login(params).await,
"auth.logout" => self.handle_auth_logout().await,
"auth.changePassword" => self.handle_auth_change_password(rpc_req.params).await,
"auth.changePassword" => self.handle_auth_change_password(params).await,
"auth.onboardingComplete" => self.handle_auth_onboarding_complete().await,
"auth.isOnboardingComplete" => self.handle_auth_is_onboarding_complete().await,
"auth.resetOnboarding" => self.handle_auth_reset_onboarding().await,
// Container orchestration (for Archipelago-managed containers)
"container-install" => self.handle_container_install(rpc_req.params).await,
"container-start" => self.handle_container_start(rpc_req.params).await,
"container-stop" => self.handle_container_stop(rpc_req.params).await,
"container-remove" => self.handle_container_remove(rpc_req.params).await,
"container-install" => self.handle_container_install(params).await,
"container-start" => self.handle_container_start(params).await,
"container-stop" => self.handle_container_stop(params).await,
"container-remove" => self.handle_container_remove(params).await,
"container-list" => self.handle_container_list().await,
"container-status" => self.handle_container_status(rpc_req.params).await,
"container-logs" => self.handle_container_logs(rpc_req.params).await,
"container-health" => self.handle_container_health(rpc_req.params).await,
"container-status" => self.handle_container_status(params).await,
"container-logs" => self.handle_container_logs(params).await,
"container-health" => self.handle_container_health(params).await,
// Package management (for docker-compose apps)
"package.install" => self.handle_package_install(rpc_req.params).await,
"package.start" => self.handle_package_start(rpc_req.params).await,
"package.stop" => self.handle_package_stop(rpc_req.params).await,
"package.restart" => self.handle_package_restart(rpc_req.params).await,
"package.uninstall" => self.handle_package_uninstall(rpc_req.params).await,
"package.install" => self.handle_package_install(params).await,
"package.start" => self.handle_package_start(params).await,
"package.stop" => self.handle_package_stop(params).await,
"package.restart" => self.handle_package_restart(params).await,
"package.uninstall" => self.handle_package_uninstall(params).await,
// Bundled app management (for pre-loaded container images)
"bundled-app-start" => self.handle_bundled_app_start(rpc_req.params).await,
"bundled-app-stop" => self.handle_bundled_app_stop(rpc_req.params).await,
"bundled-app-start" => self.handle_bundled_app_start(params).await,
"bundled-app-stop" => self.handle_bundled_app_stop(params).await,
// Node identity and P2P peers
"node-add-peer" => self.handle_node_add_peer(rpc_req.params).await,
"node-add-peer" => self.handle_node_add_peer(params).await,
"node-list-peers" => self.handle_node_list_peers().await,
"node-remove-peer" => self.handle_node_remove_peer(rpc_req.params).await,
"node-send-message" => self.handle_node_send_message(rpc_req.params).await,
"node-check-peer" => self.handle_node_check_peer(rpc_req.params).await,
"node-remove-peer" => self.handle_node_remove_peer(params).await,
"node-send-message" => self.handle_node_send_message(params).await,
"node-check-peer" => self.handle_node_check_peer(params).await,
"node-messages-received" => self.handle_node_messages_received().await,
"node-nostr-discover" => self.handle_node_nostr_discover().await,
"node.did" => self.handle_node_did().await,
"node.signChallenge" => self.handle_node_sign_challenge(rpc_req.params).await,
"node.createBackup" => self.handle_node_create_backup(rpc_req.params).await,
"node.signChallenge" => self.handle_node_sign_challenge(params).await,
"node.createBackup" => self.handle_node_create_backup(params).await,
"node.tor-address" => self.handle_node_tor_address().await,
"node.nostr-publish" => self.handle_node_nostr_publish().await,
"node.nostr-pubkey" => self.handle_node_nostr_pubkey().await,
"node-nostr-verify-revoked" => self.handle_node_nostr_verify_revoked().await,
// TOTP 2FA
"auth.totp.setup.begin" => self.handle_totp_setup_begin(params).await,
"auth.totp.setup.confirm" => self.handle_totp_setup_confirm(params).await,
"auth.totp.disable" => self.handle_totp_disable(params).await,
"auth.totp.status" => self.handle_totp_status().await,
"auth.login.totp" => self.handle_login_totp(params, &session_token).await,
"auth.login.backup" => self.handle_login_backup(params, &session_token).await,
// Bitcoin & Lightning deep data
"bitcoin.getinfo" => self.handle_bitcoin_getinfo().await,
"lnd.getinfo" => self.handle_lnd_getinfo().await,
@@ -241,17 +260,51 @@ impl RpcHandler {
self.login_rate_limiter.record_failure(client_ip).await;
}
// On successful login, create a session and set the cookie
// On successful login, check if 2FA is required
if rpc_req.method == "auth.login" && rpc_resp.error.is_none() {
let token = self.session_store.create().await;
response.headers_mut().insert(
"Set-Cookie",
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
.parse()
.unwrap(),
);
let totp_enabled = self.auth_manager.is_totp_enabled().await.unwrap_or(false);
if totp_enabled {
// 2FA enabled: create a pending session with cached TOTP secret
// We need the password to decrypt the TOTP secret for step 2
let password = login_params
.as_ref()
.and_then(|p| p.get("password"))
.and_then(|v| v.as_str())
.unwrap_or("");
if let Ok(Some(totp_data)) = self.auth_manager.get_totp_data().await {
if let Ok(secret) = crate::totp::decrypt_secret(&totp_data, password) {
let token = self.session_store.create_pending(secret).await;
response.headers_mut().insert(
"Set-Cookie",
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
.parse()
.unwrap(),
);
// Override the response body to indicate TOTP is required
let totp_body = serde_json::json!({
"result": { "requires_totp": true },
"error": null
});
*response.body_mut() = hyper::Body::from(
serde_json::to_vec(&totp_body).unwrap_or_default(),
);
}
}
} else {
// No 2FA: create a full session immediately
let token = self.session_store.create().await;
response.headers_mut().insert(
"Set-Cookie",
format!("session={}; HttpOnly; SameSite=Strict; Path=/", token)
.parse()
.unwrap(),
);
}
}
// On successful TOTP verification, the session is already upgraded to full
// (handled inside handle_login_totp/handle_login_backup)
// On logout, invalidate session and expire the cookie
if rpc_req.method == "auth.logout" {
if let Some(token) = &session_token {

View File

@@ -0,0 +1,257 @@
use super::RpcHandler;
use anyhow::Result;
impl RpcHandler {
/// Begin 2FA setup: generate TOTP secret, return QR code + base32 secret.
/// The secret is cached in a pending setup session (in memory only).
pub(super) async fn handle_totp_setup_begin(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let password = params
.get("password")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing password"))?;
// Re-verify password before setup
if !self.auth_manager.verify_password(password).await? {
anyhow::bail!("Password Incorrect");
}
// Check 2FA isn't already enabled
if self.auth_manager.is_totp_enabled().await? {
anyhow::bail!("2FA is already enabled. Disable it first.");
}
let setup = crate::totp::setup(password)?;
// Cache the setup result in a pending session so confirm can use it
// We store the encrypted TotpData and backup codes temporarily
let setup_json = serde_json::json!({
"totp_data": setup.totp_data,
"backup_codes": setup.backup_codes,
});
let setup_bytes = serde_json::to_vec(&setup_json)?;
let pending_token = self.session_store.create_pending(setup_bytes).await;
// Return QR + secret for display (the pending token is set as a cookie by mod.rs)
Ok(serde_json::json!({
"qr_svg": setup.qr_svg,
"secret_base32": setup.secret_base32,
"pending_token": pending_token,
}))
}
/// Confirm 2FA setup: verify the user's first TOTP code, enable 2FA, return backup codes.
pub(super) async fn handle_totp_setup_confirm(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let code = params
.get("code")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
let pending_token = params
.get("pendingToken")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing pendingToken"))?;
let password = params
.get("password")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing password"))?;
// Re-verify password
if !self.auth_manager.verify_password(password).await? {
anyhow::bail!("Password Incorrect");
}
// Retrieve the pending setup data
let setup_bytes = self
.session_store
.get_pending_secret(pending_token)
.await
.ok_or_else(|| anyhow::anyhow!("Setup session expired or invalid. Please start again."))?;
let setup_json: serde_json::Value = serde_json::from_slice(&setup_bytes)?;
let totp_data: crate::totp::TotpData =
serde_json::from_value(setup_json["totp_data"].clone())?;
let backup_codes: Vec<String> =
serde_json::from_value(setup_json["backup_codes"].clone())?;
// Decrypt and verify the TOTP code
let secret = crate::totp::decrypt_secret(&totp_data, password)?;
let step = crate::totp::verify_code(&secret, code, &[])?;
if step.is_none() {
anyhow::bail!("Invalid code. Please check your authenticator app and try again.");
}
// Persist TOTP data
self.auth_manager.save_totp(totp_data).await?;
// Clean up the pending session
self.session_store.remove(pending_token).await;
tracing::info!("2FA enabled successfully");
Ok(serde_json::json!({
"enabled": true,
"backup_codes": backup_codes,
}))
}
/// Disable 2FA. Requires password + current TOTP code.
pub(super) async fn handle_totp_disable(
&self,
params: Option<serde_json::Value>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let password = params
.get("password")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing password"))?;
let code = params
.get("code")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
// Verify password
if !self.auth_manager.verify_password(password).await? {
anyhow::bail!("Password Incorrect");
}
// Get and verify TOTP
let totp_data = self
.auth_manager
.get_totp_data()
.await?
.ok_or_else(|| anyhow::anyhow!("2FA is not enabled"))?;
let secret = crate::totp::decrypt_secret(&totp_data, password)?;
let step = crate::totp::verify_code(&secret, code, &totp_data.used_steps)?;
if step.is_none() {
anyhow::bail!("Invalid TOTP code");
}
self.auth_manager.remove_totp().await?;
tracing::info!("2FA disabled successfully");
Ok(serde_json::json!({ "disabled": true }))
}
/// Get 2FA status.
pub(super) async fn handle_totp_status(&self) -> Result<serde_json::Value> {
let enabled = self.auth_manager.is_totp_enabled().await?;
Ok(serde_json::json!({ "enabled": enabled }))
}
/// Step 2 of login: verify TOTP code using the cached secret from the pending session.
pub(super) async fn handle_login_totp(
&self,
params: Option<serde_json::Value>,
session_token: &Option<String>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let code = params
.get("code")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
let token = session_token
.as_ref()
.ok_or_else(|| anyhow::anyhow!("No pending session"))?;
let secret = self
.session_store
.get_pending_secret(token)
.await
.ok_or_else(|| {
anyhow::anyhow!("Session expired or too many attempts. Please log in again.")
})?;
// Get used steps from stored data for replay protection
let totp_data = self.auth_manager.get_totp_data().await?;
let used_steps = totp_data
.as_ref()
.map(|d| d.used_steps.clone())
.unwrap_or_default();
let step = crate::totp::verify_code(&secret, code, &used_steps)?;
match step {
Some(used_step) => {
// Record the used step for replay protection
if let Some(mut data) = totp_data {
data.used_steps.push(used_step);
// Prune old steps (keep only last 5 minutes worth)
let now = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs() as i64;
let cutoff = (now / 30) - 10; // ~5 minutes
data.used_steps.retain(|s| *s > cutoff);
let _ = self.auth_manager.update_totp(data).await;
}
// Upgrade pending session to full
self.session_store.upgrade_to_full(token).await;
Ok(serde_json::json!({ "success": true }))
}
None => {
anyhow::bail!("Invalid code. Please try again.");
}
}
}
/// Step 2 of login (alternative): verify backup code.
pub(super) async fn handle_login_backup(
&self,
params: Option<serde_json::Value>,
session_token: &Option<String>,
) -> Result<serde_json::Value> {
let params = params.ok_or_else(|| anyhow::anyhow!("Missing params"))?;
let code = params
.get("code")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing code"))?;
let token = session_token
.as_ref()
.ok_or_else(|| anyhow::anyhow!("No pending session"))?;
// Verify the pending session is valid (increments attempts)
let _secret = self
.session_store
.get_pending_secret(token)
.await
.ok_or_else(|| {
anyhow::anyhow!("Session expired or too many attempts. Please log in again.")
})?;
// Verify backup code against stored hashes
let mut totp_data = self
.auth_manager
.get_totp_data()
.await?
.ok_or_else(|| anyhow::anyhow!("2FA is not enabled"))?;
match crate::totp::verify_backup_code(&totp_data.backup_codes, code)? {
Some(idx) => {
// Remove the used backup code (one-time use)
totp_data.backup_codes.remove(idx);
self.auth_manager.update_totp(totp_data).await?;
// Upgrade pending session to full
self.session_store.upgrade_to_full(token).await;
tracing::info!("Login via backup code (codes remaining: {})",
self.auth_manager.get_totp_data().await?.map(|d| d.backup_codes.len()).unwrap_or(0));
Ok(serde_json::json!({ "success": true }))
}
None => {
anyhow::bail!("Invalid backup code");
}
}
}
}