Summary
v1.7 ships two-factor authentication (TOTP + backup codes) end-to-end, plus a batch of stability, security, and ops hardening from the v1.7 roadmap.
2FA (TOTP)
- New TOTP columns on `users` and encrypted secret storage (`totp-crypto.ts`)
- RFC 6238 TOTP service with backup codes (`totp-service.ts`, `totp.ts`)
- Endpoints: `POST /api/v1/auth/2fa/{setup,verify,disable}` and `POST /api/v1/auth/login/totp`
- Login branches on `totp_enabled` and returns a short-lived partial-auth token (`partial-auth-token.ts`)
- Settings 2FA wizard (`two-factor-card.tsx`) and login TOTP step (`login-form.tsx`)
- Audit fixes: race conditions, brute-force protection (`rate-limit.ts`), single-use backup codes, no secret leakage
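To make the 2FA bullets concrete, here is a small RFC 6238 verifier with a clock-skew window and single-use hashed backup codes. It is an added illustration, not the project's `totp-service.ts`; the function names, the 30-second step, 6 digits, HMAC-SHA1 and SHA-256 hashing of backup codes are assumptions.

```typescript
import { createHmac, createHash, timingSafeEqual } from "node:crypto";

// Assumed parameters (not taken from the project): 30 s steps, 6 digits, HMAC-SHA1.
const STEP_SECONDS = 30;
const DIGITS = 6;
// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return (bin % 10 ** DIGITS).toString().padStart(DIGITS, "0");
}

// RFC 6238 TOTP: the HOTP counter is the number of whole steps since the Unix epoch.
function totp(secret: Buffer, nowSeconds: number): string {
  return hotp(secret, Math.floor(nowSeconds / STEP_SECONDS));
}

// Accept the current step plus/minus `window` steps to tolerate clock skew.
// Comparison is constant-time; the caller is expected to rate-limit attempts (cf. rate-limit.ts).
function verifyTotp(secret: Buffer, code: string, nowSeconds: number, window = 1): boolean {
  if (!/^\d{6}$/.test(code)) return false;
  const step = Math.floor(nowSeconds / STEP_SECONDS);
  for (let i = -window; i <= window; i++) {
    const expected = Buffer.from(hotp(secret, step + i));
    if (timingSafeEqual(expected, Buffer.from(code))) return true;
  }
  return false;
}

// Backup codes are stored only as SHA-256 hashes (assumed scheme), never in the clear.
function hashBackupCode(code: string): string {
  return createHash("sha256").update(code.trim().toLowerCase()).digest("hex");
}

// A matching hash is deleted on success, so each backup code can be redeemed exactly once.
function consumeBackupCode(hashedCodes: Set<string>, code: string): boolean {
  const h = hashBackupCode(code);
  if (!hashedCodes.has(h)) return false;
  hashedCodes.delete(h);
  return true;
}
```

With the RFC 6238 reference key (`12345678901234567890`) and T=59, `totp` yields `287082`, matching the published test vector.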
Stability & security
- Require authenticated session on SSE stream routes
- Arch test guards new `app/api/v1/**` routes against missing session auth
- Bound files search walk with a deadline and yield to the event loop
- Cap `docker compose` subprocesses with a configurable timeout
- Purge cached app-operation events after a grace window; unref docker pull progress interval
- Restore missing `busboy` dependency
Ops
- Multi-arch Docker image (linux/amd64 + linux/arm64)
- Cap Node.js heap and container memory for Pi safety
- Fix install script: escape nginx variables in heredoc
- Refresh README/ROADMAP, screenshots, Sponsors badge
Test plan
- `npm run lint`
- `npm run test`
- Manual: enable 2FA in settings, log out, log in with TOTP, then with a backup code
- Manual: disable 2FA flow
- Manual: rate-limit kicks in after repeated bad codes
- Manual: SSE stream routes reject unauthenticated requests
- Verify multi-arch image builds in CI