From 6dffdf91e5890df574a8d34246cd5fe46182c433 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Apr 2026 04:24:54 +0200 Subject: [PATCH] Sliding 24h idle timeout (web) + persistent mobile + 2FA backup codes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Session model: Web — 24h sliding idle timeout enforced server-side via user_sessions.last_activity. 30-day JWT + cookie are a safety net; middleware is the real clock. Cookie is re-set on active use so browsers match the sliding window. Mobile — 365-day JWT, no idle timeout (stays persistent via Keychain / Keystore). Detected via User-Agent ("PedScribe" / "Capacitor") or X-Client: mobile header. 2FA backup codes: - 10 single-use codes generated when 2FA is first enabled - Stored as bcrypt hashes in new users.totp_backup_codes column - Consumed atomically on successful login fallback (when TOTP fails) - Regenerate endpoint (POST /api/auth/2fa/backup-codes) requires current password; invalidates prior codes - Count endpoint (GET /api/auth/2fa/backup-codes/count) powers a "N codes remaining" indicator on the 2FA settings card - Modal shows codes exactly once with Copy + Download .txt actions - Codes cleared when 2FA is disabled New files: src/utils/platform.js — isMobileClient() helper Schema migration (idempotent): ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_backup_codes TEXT --- public/components/settings.html | 1 + public/js/auth.js | 100 +++++++++++++++++++++++++ src/db/database.js | 2 + src/middleware/auth.js | 34 ++++++++- src/routes/auth.js | 128 +++++++++++++++++++++++++++++--- src/routes/oidc.js | 5 +- src/utils/platform.js | 12 +++ 7 files changed, 265 insertions(+), 17 deletions(-) create mode 100644 src/utils/platform.js diff --git a/public/components/settings.html b/public/components/settings.html index e22722c..c5eec2d 100644 --- a/public/components/settings.html +++ b/public/components/settings.html @@ -110,6 +110,7 @@

Status: Loading...

+