database/migrations/017_add_two_factor_authentication.sql

-- Add Two-Factor Authentication (2FA) support
-- TOTP (Time-based One-Time Password) implementation

-- Add 2FA fields to users table
ALTER TABLE users 
ADD COLUMN two_factor_enabled BOOLEAN DEFAULT FALSE AFTER email_verified,
ADD COLUMN two_factor_secret VARCHAR(32) NULL AFTER two_factor_enabled,
ADD COLUMN two_factor_backup_codes TEXT NULL AFTER two_factor_secret,
ADD COLUMN two_factor_setup_at TIMESTAMP NULL AFTER two_factor_backup_codes;

-- Create table for 2FA verification attempts (for rate limiting and security)
CREATE TABLE IF NOT EXISTS two_factor_verification_attempts (
    id INT AUTO_INCREMENT PRIMARY KEY,
    user_id INT NOT NULL,
    ip_address VARCHAR(45) NOT NULL,
    success BOOLEAN DEFAULT FALSE,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
    INDEX idx_user_id (user_id),
    INDEX idx_ip_address (ip_address),
    INDEX idx_created_at (created_at)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- Create table for 2FA email codes (backup method)
CREATE TABLE IF NOT EXISTS two_factor_email_codes (
    id INT AUTO_INCREMENT PRIMARY KEY,
    user_id INT NOT NULL,
    code VARCHAR(6) NOT NULL,
    expires_at TIMESTAMP NOT NULL,
    used BOOLEAN DEFAULT FALSE,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
    INDEX idx_user_id (user_id),
    INDEX idx_code (code),
    INDEX idx_expires_at (expires_at),
    INDEX idx_used (used)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

-- Add 2FA policy setting
INSERT INTO settings (setting_key, setting_value) VALUES
('two_factor_policy', 'optional'),
('two_factor_rate_limit_minutes', '15'),
('two_factor_email_code_expiry_minutes', '10')
ON DUPLICATE KEY UPDATE setting_key=setting_key;
Add two-factor authentication (2FA) support Introduces two-factor authentication (2FA) with TOTP, backup codes, and email codes. Adds controllers, services, views, and migration for 2FA setup, verification, and management. Updates user and settings models, email helper, and relevant controllers to support 2FA policy enforcement, configuration, and user flows. Enhances security by allowing admins to require or disable 2FA, and provides backup code generation and management for account recovery. 2025-10-16 17:25:06 +03:00			`-- Add Two-Factor Authentication (2FA) support`
			`-- TOTP (Time-based One-Time Password) implementation`

			`-- Add 2FA fields to users table`
			`ALTER TABLE users`
			`ADD COLUMN two_factor_enabled BOOLEAN DEFAULT FALSE AFTER email_verified,`
			`ADD COLUMN two_factor_secret VARCHAR(32) NULL AFTER two_factor_enabled,`
			`ADD COLUMN two_factor_backup_codes TEXT NULL AFTER two_factor_secret,`
			`ADD COLUMN two_factor_setup_at TIMESTAMP NULL AFTER two_factor_backup_codes;`

			`-- Create table for 2FA verification attempts (for rate limiting and security)`
			`CREATE TABLE IF NOT EXISTS two_factor_verification_attempts (`
			`id INT AUTO_INCREMENT PRIMARY KEY,`
			`user_id INT NOT NULL,`
			`ip_address VARCHAR(45) NOT NULL,`
			`success BOOLEAN DEFAULT FALSE,`
			`created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,`
			`FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,`
			`INDEX idx_user_id (user_id),`
			`INDEX idx_ip_address (ip_address),`
			`INDEX idx_created_at (created_at)`
			`) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;`

			`-- Create table for 2FA email codes (backup method)`
			`CREATE TABLE IF NOT EXISTS two_factor_email_codes (`
			`id INT AUTO_INCREMENT PRIMARY KEY,`
			`user_id INT NOT NULL,`
			`code VARCHAR(6) NOT NULL,`
			`expires_at TIMESTAMP NOT NULL,`
			`used BOOLEAN DEFAULT FALSE,`
			`created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,`
			`FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,`
			`INDEX idx_user_id (user_id),`
			`INDEX idx_code (code),`
			`INDEX idx_expires_at (expires_at),`
			`INDEX idx_used (used)`
			`) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;`

			`-- Add 2FA policy setting`
			`INSERT INTO settings (setting_key, setting_value) VALUES`
			`('two_factor_policy', 'optional'),`
			`('two_factor_rate_limit_minutes', '15'),`
			`('two_factor_email_code_expiry_minutes', '10')`
			`ON DUPLICATE KEY UPDATE setting_key=setting_key;`