
feat: TOTP AUTH FOR WEB PANEL #61

Merged
Soju06 merged 11 commits into Soju06:main from dwnmf:feat/totp
Feb 10, 2026

Conversation

@dwnmf
Contributor

@dwnmf dwnmf commented Feb 6, 2026

Hello Soju06,

This PR introduces optional TOTP authentication for dashboard access with a compact end-to-end flow.

What’s included

  • Added optional "require TOTP on every dashboard login" setting.
  • Added dashboard auth API for:
    • session status
    • TOTP setup start/confirm
    • TOTP verify
    • TOTP disable
    • logout
  • Added QR-based TOTP onboarding (plus secret and otpauth URI fallback).
  • Added middleware guard for dashboard API routes when TOTP enforcement is enabled.
  • Added replay protection for TOTP time steps.
  • Extended dashboard settings model + migration for TOTP fields.
  • Updated frontend settings UI and login verification behavior.

UX improvements

  • Invalid TOTP no longer allows partial/empty dashboard loading.
  • After successful TOTP verification, user is redirected to /dashboard.

Validation

  • Ruff checks pass.
  • Full test suite passes (173 passed, 1 skipped).

Thanks for reviewing.

@dwnmf dwnmf mentioned this pull request Feb 6, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ecc461fca5


Comment on lines +125 to +126
secret = self._encryptor.decrypt(secret_encrypted)
verification = verify_totp_code(secret, code, window=1)

P2: Apply replay protection when disabling TOTP

The replay-protection state (totp_last_verified_step) is only enforced in verify_totp, but disable_totp calls verify_totp_code without passing last_verified_step and does not update it. This means a code that was already used successfully in the same 30‑second time step can be replayed to disable TOTP, undermining the “replay protection” guarantee when the disable endpoint is hit within that window. Consider passing last_verified_step (and updating it) here to block reuse across all TOTP‑gated actions.

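The replay gap described in the review above, and the setup/verify/disable flow listed in the PR description, worked through as an added example that is not the project's code. It is a minimal RFC 4226/6238 HOTP/TOTP implementation (HMAC-SHA1, 6 digits, 30-second step) where `verify_totp_code` takes a `last_verified_step` and rejects any code whose matched step is at or before it, plus a hypothetical `DashboardTotp` state holder in which both login verification and the disable action pass through one `_consume_code` choke point, so a code consumed at login cannot be reused to disable TOTP in the same step. Only `verify_totp_code` and `last_verified_step` come from the page; `hotp`, `totp_step`, `otpauth_uri`, `DashboardTotp` and the `now` parameter are assumptions, and the secret is the RFC test vector, used here as a constructed sample.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step (the "30-second time step" in the review)
DIGITS = 6
WINDOW = 1          # accept one step of clock skew on either side


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret without padding, the form shown to the user or encoded in a QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI for enrolling an authenticator app (the PR's QR / URI fallback)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def totp_step(now: Optional[float] = None) -> int:
    """Time-step counter for the current (or a given) Unix time."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


def verify_totp_code(secret_b32: str, code: str, *, window: int = WINDOW,
                     last_verified_step: Optional[int] = None,
                     now: Optional[float] = None) -> Optional[int]:
    """Return the time step the code matched, or None.

    Replay protection: a code whose step is at or before last_verified_step
    is rejected even though it is otherwise valid for the window.
    """
    code = code.strip().replace(" ", "")
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    current = totp_step(now)
    matched = None
    for step in range(current - window, current + window + 1):
        # check every candidate step; each comparison is constant-time
        if hmac.compare_digest(hotp(secret_b32, step), code):
            matched = step
    if matched is None:
        return None
    if last_verified_step is not None and matched <= last_verified_step:
        return None  # already consumed in this or an earlier step: replay
    return matched


@dataclass
class DashboardTotp:
    """Per-dashboard TOTP state (hypothetical stand-in for the PR's settings row)."""
    secret_b32: str
    enabled: bool = True
    last_verified_step: Optional[int] = None

    def _consume_code(self, code: str, now: Optional[float] = None) -> bool:
        # Single choke point: every TOTP-gated action applies and updates the replay state
        step = verify_totp_code(self.secret_b32, code,
                                last_verified_step=self.last_verified_step, now=now)
        if step is None:
            return False
        self.last_verified_step = step
        return True

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        """Login verification."""
        return self._consume_code(code, now)

    def disable(self, code: str, now: Optional[float] = None) -> bool:
        """Disabling TOTP needs a fresh code and goes through the same replay check as login."""
        if not self.enabled or not self._consume_code(code, now):
            return False
        self.enabled = False
        return True


# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890" in base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    acct = DashboardTotp(secret_b32=RFC_SECRET_B32)
    print(otpauth_uri(acct.secret_b32, "admin", "Dashboard"))
    print("login:", acct.verify(hotp(RFC_SECRET_B32, totp_step(59)), now=59))
    print("disable with replayed code:", acct.disable(hotp(RFC_SECRET_B32, 1), now=59))
```

The point of `_consume_code` is that the replay state is read and written in one place; a second entry point that calls `verify_totp_code` directly without `last_verified_step` (as the review notes for the disable path) silently loses the guarantee. The replay comparison is against the step the code actually matched, not the current step, so a still-valid code from the previous step cannot be reused once a later one has been accepted.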

dwnmf and others added 8 commits February 6, 2026 23:28
feat: TOTP AUTH FOR WEB PANEL
# Conflicts:
#	app/dependencies.py
#	app/main.py
#	app/static/index.js
- Require X-Codex-LB-Setup-Token for TOTP setup endpoints (fail-closed)
- Load totpRequiredOnLogin/totpConfigured before saving settings
- Sync uv.lock for segno
@Soju06
Owner

Soju06 commented Feb 10, 2026

This is a great feature!
Thank you for your contribution

@Soju06 Soju06 added the "enhancement" (New feature or request) label Feb 10, 2026
@Soju06
Owner

Soju06 commented Feb 10, 2026

@all-contributors please add @dwnmf for code, test

@allcontributors
Contributor

@Soju06

I've put up a pull request to add @dwnmf! 🎉

Soju06 and others added 2 commits February 10, 2026 15:55
- Introduced a new section detailing the setup of TOTP two-factor authentication for the dashboard.
- Included steps for setting the setup token and enabling TOTP in the dashboard settings.
Co-authored-by: Cursor <cursoragent@cursor.com>
@Soju06 Soju06 merged commit d05df1e into Soju06:main Feb 10, 2026
6 checks passed
@Soju06 Soju06 mentioned this pull request Feb 10, 2026