Problem
Single password is the only authentication factor. For admins running LinkBreeze on a public IP, 2FA would significantly improve security.
Proposed solution
Implement TOTP-based 2FA using a library like otplib:
- Setup flow: Admin goes to Settings → Security → Enable 2FA. The page shows a QR code encoding the TOTP secret. The admin scans it with an authenticator app (Google Authenticator, Authy, etc.) and enters a code to verify that the secret was captured correctly before 2FA is switched on.
- Login flow: After password check, if 2FA is enabled, prompt for TOTP code. Verify before creating session.
- Recovery codes: Generate one-time backup codes on setup.
Schema changes needed
Add to users table:
- totp_secret (text, nullable) — encrypted TOTP secret
- totp_enabled (boolean, default false)
- recovery_codes (text, nullable) — JSON array of hashed codes
Acceptance criteria