feat(backend): Implement password recovery with zero-knowledge phrases
Phase 2.4 - Password Recovery Feature Features implemented: - Zero-knowledge password recovery using recovery phrases - Recovery phrases hashed with PBKDF2 (same as passwords) - Setup recovery phrase endpoint (protected) - Verify recovery phrase endpoint (public) - Reset password with recovery phrase endpoint (public) - Token invalidation on password reset - Email verification stub fields added to User model New API endpoints: - POST /api/auth/recovery/setup (protected) - POST /api/auth/recovery/verify (public) - POST /api/auth/recovery/reset-password (public) User model updates: - recovery_phrase_hash field - recovery_enabled field - email_verified field (stub) - verification_token field (stub) - verification_expires field (stub) Security features: - Zero-knowledge proof (server never sees plaintext) - Current password required to set/update phrase - All tokens invalidated on password reset - Token version incremented on password change Files modified: - backend/src/models/user.rs - backend/src/handlers/auth.rs - backend/src/main.rs - backend/src/auth/jwt.rs Documentation: - backend/PASSWORD-RECOVERY-IMPLEMENTED.md - backend/test-password-recovery.sh - backend/PHASE-2.4-TODO.md (updated progress)
This commit is contained in:
goose
parent
7845c56bbb
commit
cdbf6f4523
6 changed files with 1363 additions and 440 deletions
|
|
@ -84,6 +84,9 @@ async fn main() -> anyhow::Result<()> {
|
|||
.route("/api/auth/login", post(handlers::login))
|
||||
.route("/api/auth/refresh", post(handlers::refresh_token))
|
||||
.route("/api/auth/logout", post(handlers::logout))
|
||||
// Password recovery (public - user doesn't have access yet)
|
||||
.route("/api/auth/recovery/verify", post(handlers::verify_recovery))
|
||||
.route("/api/auth/recovery/reset-password", post(handlers::reset_password))
|
||||
.layer(
|
||||
ServiceBuilder::new()
|
||||
.layer(TraceLayer::new_for_http())
|
||||
|
|
@ -91,7 +94,10 @@ async fn main() -> anyhow::Result<()> {
|
|||
);
|
||||
|
||||
let protected_routes = Router::new()
|
||||
// Profile management
|
||||
.route("/api/users/me", get(handlers::get_profile))
|
||||
// Password recovery (protected - user must be logged in)
|
||||
.route("/api/auth/recovery/setup", post(handlers::setup_recovery))
|
||||
.layer(
|
||||
ServiceBuilder::new()
|
||||
.layer(TraceLayer::new_for_http())
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue