feat: MFA (#12290)

## Linear: - https://github.com/chatwoot/chatwoot/issues/486 ## Description This PR implements Multi-Factor Authentication (MFA) support for user accounts, enhancing security by requiring a second form of verification during login. The feature adds TOTP (Time-based One-Time Password) authentication with QR code generation and backup codes for account recovery. ## Type of change - [ ] New feature (non-breaking change which adds functionality) ## How Has This Been Tested? - Added comprehensive RSpec tests for MFA controller functionality - Tested MFA setup flow with QR code generation - Verified OTP validation and backup code generation - Tested login flow with MFA enabled/disabled ## Checklist: - [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my code - [ ] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published in downstream modules --------- Co-authored-by: Pranav <pranav@chatwoot.com> Co-authored-by: Sojan Jose <sojan@pepalo.com> Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2025-09-18 16:49:24 +02:00
parent f03a52bd77
commit 239c4dcb91
33 changed files with 1345 additions and 37 deletions
--- a/app/models/super_admin.rb
+++ b/app/models/super_admin.rb
@@ -7,6 +7,7 @@
 #  confirmation_sent_at   :datetime
 #  confirmation_token     :string
 #  confirmed_at           :datetime
+#  consumed_timestep      :integer
 #  current_sign_in_at     :datetime
 #  current_sign_in_ip     :string
 #  custom_attributes      :jsonb
@@ -17,6 +18,9 @@
 #  last_sign_in_ip        :string
 #  message_signature      :text
 #  name                   :string           not null
+#  otp_backup_codes       :text
+#  otp_required_for_login :boolean          default(FALSE), not null
+#  otp_secret             :string
 #  provider               :string           default("email"), not null
 #  pubsub_token           :string
 #  remember_created_at    :datetime
@@ -33,10 +37,12 @@
 #
 # Indexes
 #
-#  index_users_on_email                 (email)
-#  index_users_on_pubsub_token          (pubsub_token) UNIQUE
-#  index_users_on_reset_password_token  (reset_password_token) UNIQUE
-#  index_users_on_uid_and_provider      (uid,provider) UNIQUE
+#  index_users_on_email                   (email)
+#  index_users_on_otp_required_for_login  (otp_required_for_login)
+#  index_users_on_otp_secret              (otp_secret) UNIQUE
+#  index_users_on_pubsub_token            (pubsub_token) UNIQUE
+#  index_users_on_reset_password_token    (reset_password_token) UNIQUE
+#  index_users_on_uid_and_provider        (uid,provider) UNIQUE
 #
 class SuperAdmin < User
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -7,6 +7,7 @@
 #  confirmation_sent_at   :datetime
 #  confirmation_token     :string
 #  confirmed_at           :datetime
+#  consumed_timestep      :integer
 #  current_sign_in_at     :datetime
 #  current_sign_in_ip     :string
 #  custom_attributes      :jsonb
@@ -17,6 +18,9 @@
 #  last_sign_in_ip        :string
 #  message_signature      :text
 #  name                   :string           not null
+#  otp_backup_codes       :text
+#  otp_required_for_login :boolean          default(FALSE), not null
+#  otp_secret             :string
 #  provider               :string           default("email"), not null
 #  pubsub_token           :string
 #  remember_created_at    :datetime
@@ -33,10 +37,12 @@
 #
 # Indexes
 #
-#  index_users_on_email                 (email)
-#  index_users_on_pubsub_token          (pubsub_token) UNIQUE
-#  index_users_on_reset_password_token  (reset_password_token) UNIQUE
-#  index_users_on_uid_and_provider      (uid,provider) UNIQUE
+#  index_users_on_email                   (email)
+#  index_users_on_otp_required_for_login  (otp_required_for_login)
+#  index_users_on_otp_secret              (otp_secret) UNIQUE
+#  index_users_on_pubsub_token            (pubsub_token) UNIQUE
+#  index_users_on_reset_password_token    (reset_password_token) UNIQUE
+#  index_users_on_uid_and_provider        (uid,provider) UNIQUE
 #

 class User < ApplicationRecord
@@ -58,6 +64,7 @@ class User < ApplicationRecord
         :validatable,
         :confirmable,
         :password_has_required_content,
+         :two_factor_authenticatable,
         :omniauthable, omniauth_providers: [:google_oauth2, :saml]

  # TODO: remove in a future version once online status is moved to account users
@@ -70,6 +77,12 @@ class User < ApplicationRecord

  validates :email, presence: true

+  serialize :otp_backup_codes, type: Array
+
+  # Encrypt sensitive MFA fields
+  encrypts :otp_secret, deterministic: true
+  encrypts :otp_backup_codes
+
  has_many :account_users, dependent: :destroy_async
  has_many :accounts, through: :account_users
  accepts_nested_attributes_for :account_users
@@ -156,6 +169,27 @@ class User < ApplicationRecord
    find_by(email: email&.downcase)
  end

+  # 2FA/MFA Methods
+  # Delegated to Mfa::ManagementService for better separation of concerns
+  def mfa_service
+    @mfa_service ||= Mfa::ManagementService.new(user: self)
+  end
+
+  delegate :two_factor_provisioning_uri, to: :mfa_service
+  delegate :backup_codes_generated?, to: :mfa_service
+  delegate :enable_two_factor!, to: :mfa_service
+  delegate :disable_two_factor!, to: :mfa_service
+  delegate :generate_backup_codes!, to: :mfa_service
+  delegate :validate_backup_code!, to: :mfa_service
+
+  def mfa_enabled?
+    otp_required_for_login?
+  end
+
+  def mfa_feature_available?
+    Chatwoot.mfa_enabled?
+  end
+
  private

  def remove_macros