normogen

alvaro/normogen

Fork 0

Commit graph

Author	SHA1	Message	Date
goose	378703bf1c	docs(phase-2.5): Complete access control implementation Some checks failed Lint and Build / Lint (push) Failing after 13m48s Details Lint and Build / Build (push) Has been skipped Details Lint and Build / Docker Build (push) Has been skipped Details	2026-02-15 21:15:17 -03:00
goose	cdbf6f4523	feat(backend): Implement password recovery with zero-knowledge phrases Phase 2.4 - Password Recovery Feature Features implemented: - Zero-knowledge password recovery using recovery phrases - Recovery phrases hashed with PBKDF2 (same as passwords) - Setup recovery phrase endpoint (protected) - Verify recovery phrase endpoint (public) - Reset password with recovery phrase endpoint (public) - Token invalidation on password reset - Email verification stub fields added to User model New API endpoints: - POST /api/auth/recovery/setup (protected) - POST /api/auth/recovery/verify (public) - POST /api/auth/recovery/reset-password (public) User model updates: - recovery_phrase_hash field - recovery_enabled field - email_verified field (stub) - verification_token field (stub) - verification_expires field (stub) Security features: - Zero-knowledge proof (server never sees plaintext) - Current password required to set/update phrase - All tokens invalidated on password reset - Token version incremented on password change Files modified: - backend/src/models/user.rs - backend/src/handlers/auth.rs - backend/src/main.rs - backend/src/auth/jwt.rs Documentation: - backend/PASSWORD-RECOVERY-IMPLEMENTED.md - backend/test-password-recovery.sh - backend/PHASE-2.4-TODO.md (updated progress)	2026-02-15 18:12:10 -03:00

Author

SHA1

Message

Date

goose

378703bf1c

docs(phase-2.5): Complete access control implementation

Lint and Build / Lint (push) Failing after 13m48s

Details

Lint and Build / Build (push) Has been skipped

Details

Lint and Build / Docker Build (push) Has been skipped

Details

2026-02-15 21:15:17 -03:00

goose

cdbf6f4523

feat(backend): Implement password recovery with zero-knowledge phrases

Phase 2.4 - Password Recovery Feature

Features implemented:
- Zero-knowledge password recovery using recovery phrases
- Recovery phrases hashed with PBKDF2 (same as passwords)
- Setup recovery phrase endpoint (protected)
- Verify recovery phrase endpoint (public)
- Reset password with recovery phrase endpoint (public)
- Token invalidation on password reset
- Email verification stub fields added to User model

New API endpoints:
- POST /api/auth/recovery/setup (protected)
- POST /api/auth/recovery/verify (public)
- POST /api/auth/recovery/reset-password (public)

User model updates:
- recovery_phrase_hash field
- recovery_enabled field
- email_verified field (stub)
- verification_token field (stub)
- verification_expires field (stub)

Security features:
- Zero-knowledge proof (server never sees plaintext)
- Current password required to set/update phrase
- All tokens invalidated on password reset
- Token version incremented on password change

Files modified:
- backend/src/models/user.rs
- backend/src/handlers/auth.rs
- backend/src/main.rs
- backend/src/auth/jwt.rs

Documentation:
- backend/PASSWORD-RECOVERY-IMPLEMENTED.md
- backend/test-password-recovery.sh
- backend/PHASE-2.4-TODO.md (updated progress)

2026-02-15 18:12:10 -03:00

2 commits