Hartmut afabaa0b7a fix(security): prevent TOTP replay attacks and fix user enumeration in verifyTotp ...

Adds lastTotpAt timestamp to User model. After a successful TOTP validation,
the timestamp is recorded. Any reuse of the same code within the 30-second
window is rejected as a replay attack.

verifyTotp now returns a single generic UNAUTHORIZED error regardless of
whether the user ID is invalid or TOTP is not enabled, preventing enumeration
of user IDs and MFA status.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 21:41:09 +02:00

..

__tests__

feat(api): add audit helpers, tool registry, shared tool manifest types, and UI primitives

2026-04-09 21:14:26 +02:00

db

Merge branch 'worktree-agent-aed43cff'

2026-04-09 19:31:50 +02:00

lib

feat(api): add audit helpers, tool registry, shared tool manifest types, and UI primitives

2026-04-09 21:14:26 +02:00

middleware

security: implement tickets #28-#35 + architecture decision #30

2026-04-01 23:25:06 +02:00

router

fix(security): prevent TOTP replay attacks and fix user enumeration in verifyTotp

2026-04-09 21:41:09 +02:00

sse

fix(api,web): env startup validation, QueryClient defaults, warn on missing REDIS_URL

2026-04-09 16:42:34 +02:00

ai-client.ts

feat(platform): checkpoint current implementation state

2026-04-01 07:42:03 +02:00

gemini-client.ts

refactor(runtime): prefer env-backed secrets at runtime

2026-03-30 19:17:32 +02:00

index.ts

fix(api,web): env startup validation, QueryClient defaults, warn on missing REDIS_URL

2026-04-09 16:42:34 +02:00

trpc.ts

fix(api): add centralized Prisma → TRPCError middleware on protectedProcedure

2026-04-09 19:58:00 +02:00