pgz-sport

damir/pgz-sport

Fork 0

Commit Graph

Author	SHA1	Message	Date
Damir Radulić	bd3773434e	CC2 R4 #6 : real TOTP 2FA (setup + verify + disable + login flow) - auth/auth_v2.py: - pyotp-based TOTP (RFC 6238, base32 secret, ±30s window) - new pgz_sport.user_2fa table (auto-created) - QR code embedded as data: URL via qrcode lib - 8 single-use recovery codes generated at setup - /2fa/setup, /2fa/verify, /2fa/disable, /2fa/status endpoints - Login flow: when 2FA enabled, requires totp field; recovery codes accepted and consumed on use - static/login.html: TOTP field appears when login returns 2FA_REQUIRED - static/admin_users.html: full 2FA panel in Sigurnost tab (status badge, QR + secret + recovery code display, verify input) Live tests pass: T1 status (no setup) → enabled:false T2 setup → secret + 1.5KB QR PNG + 8 recovery codes T3 verify wrong code → 401 T4 verify real TOTP → enabled:true T5 login w/o TOTP after enable → 401 detail=2FA_REQUIRED T6 login w/ TOTP → 200	2026-05-05 00:50:28 +02:00
Damir Radulić	a0db65fc31	CC2 R4 #4 : /api/users/me/gdpr-export alias - New auth.gdpr.me_router prefix /api/users/me with: - GET/POST /gdpr-export → Art.20 JSON download with Content-Disposition - POST /gdpr-erase → Art.17 erasure request - GET /gdpr-consent → consent history for caller - jsonable_encoder fixes datetime serialisation in JSONResponse - admin_users.html: 'Izvezi moje podatke' now POSTs to alias and uses filename from Content-Disposition header - 401 enforced on no-auth, 200 on valid Bearer (verified live)	2026-05-05 00:47:22 +02:00

Author

SHA1

Message

Date

Damir Radulić

bd3773434e

CC2 R4 #6 : real TOTP 2FA (setup + verify + disable + login flow)

- auth/auth_v2.py:
  - pyotp-based TOTP (RFC 6238, base32 secret, ±30s window)
  - new pgz_sport.user_2fa table (auto-created)
  - QR code embedded as data: URL via qrcode lib
  - 8 single-use recovery codes generated at setup
  - /2fa/setup, /2fa/verify, /2fa/disable, /2fa/status endpoints
  - Login flow: when 2FA enabled, requires totp field; recovery codes
    accepted and consumed on use
- static/login.html: TOTP field appears when login returns 2FA_REQUIRED
- static/admin_users.html: full 2FA panel in Sigurnost tab
  (status badge, QR + secret + recovery code display, verify input)

Live tests pass:
  T1 status (no setup) → enabled:false
  T2 setup → secret + 1.5KB QR PNG + 8 recovery codes
  T3 verify wrong code → 401
  T4 verify real TOTP → enabled:true
  T5 login w/o TOTP after enable → 401 detail=2FA_REQUIRED
  T6 login w/ TOTP → 200

2026-05-05 00:50:28 +02:00

Damir Radulić

a0db65fc31

CC2 R4 #4 : /api/users/me/gdpr-export alias

- New auth.gdpr.me_router prefix /api/users/me with:
  - GET/POST /gdpr-export → Art.20 JSON download with Content-Disposition
  - POST /gdpr-erase → Art.17 erasure request
  - GET /gdpr-consent → consent history for caller
- jsonable_encoder fixes datetime serialisation in JSONResponse
- admin_users.html: 'Izvezi moje podatke' now POSTs to alias and uses
  filename from Content-Disposition header
- 401 enforced on no-auth, 200 on valid Bearer (verified live)

2026-05-05 00:47:22 +02:00

2 Commits