feat(EE): MFA implementation (#1381)

* feat(EE): MFA implementation for enterprise edition
- Add TOTP-based two-factor authentication
- Add backup codes support
- Add MFA enforcement at workspace level
- Add MFA setup and challenge UI pages
- Support MFA for login and password reset flows
- Add MFA validation for secure pages
* fix types
* remove unused object
* sync
* remove unused type
* sync
* refactor: rename MFA enabled field to is_enabled
* sync

apps/server/src/core/auth/auth.controller.ts

@@ -6,6 +6,7 @@ import {
   Post,
   Res,
   UseGuards,
+  Logger,
 } from '@nestjs/common';
 import { LoginDto } from './dto/login.dto';
 import { AuthService } from './services/auth.service';
@@ -22,12 +23,16 @@ import { PasswordResetDto } from './dto/password-reset.dto';
 import { VerifyUserTokenDto } from './dto/verify-user-token.dto';
 import { FastifyReply } from 'fastify';
 import { validateSsoEnforcement } from './auth.util';
+import { ModuleRef } from '@nestjs/core';
 
 @Controller('auth')
 export class AuthController {
+  private readonly logger = new Logger(AuthController.name);
+
   constructor(
     private authService: AuthService,
     private environmentService: EnvironmentService,
+    private moduleRef: ModuleRef,
   ) {}
 
   @HttpCode(HttpStatus.OK)
@@ -39,6 +44,45 @@ export class AuthController {
   ) {
     validateSsoEnforcement(workspace);
 
+    let MfaModule: any;
+    let isMfaModuleReady = false;
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      MfaModule = require('./../../ee/mfa/services/mfa.service');
+      isMfaModuleReady = true;
+    } catch (err) {
+      this.logger.debug(
+        'MFA module requested but EE module not bundled in this build',
+      );
+      isMfaModuleReady = false;
+    }
+    if (isMfaModuleReady) {
+      const mfaService = this.moduleRef.get(MfaModule.MfaService, {
+        strict: false,
+      });
+
+      const mfaResult = await mfaService.checkMfaRequirements(
+        loginInput,
+        workspace,
+        res,
+      );
+
+      if (mfaResult) {
+        // If user has MFA enabled OR workspace enforces MFA, require MFA verification
+        if (mfaResult.userHasMfa || mfaResult.requiresMfaSetup) {
+          return {
+            userHasMfa: mfaResult.userHasMfa,
+            requiresMfaSetup: mfaResult.requiresMfaSetup,
+            isMfaEnforced: mfaResult.isMfaEnforced,
+          };
+        } else if (mfaResult.authToken) {
+          // User doesn't have MFA and workspace doesn't require it
+          this.setAuthCookie(res, mfaResult.authToken);
+          return;
+        }
+      }
+    }
+
     const authToken = await this.authService.login(loginInput, workspace.id);
     this.setAuthCookie(res, authToken);
   }
@@ -85,11 +129,22 @@ export class AuthController {
     @Body() passwordResetDto: PasswordResetDto,
     @AuthWorkspace() workspace: Workspace,
   ) {
-    const authToken = await this.authService.passwordReset(
+    const result = await this.authService.passwordReset(
       passwordResetDto,
-      workspace.id,
+      workspace,
     );
-    this.setAuthCookie(res, authToken);
+
+    if (result.requiresLogin) {
+      return {
+        requiresLogin: true,
+      };
+    }
+
+    // Set auth cookie if no MFA is required
+    this.setAuthCookie(res, result.authToken);
+    return {
+      requiresLogin: false,
+    };
   }
 
   @HttpCode(HttpStatus.OK)