Add TOTP/MFA (Google Authenticator-style time-based OTP)

[Copilot]

Implements RFC 6238 TOTP support with a TOTPStore interface for secret persistence, plus HTTP handlers covering the full enrollment and verification lifecycle.

auth package

• TOTPStore interface — CreateTOTPSecret, GetTOTPSecret, DeleteTOTPSecret; consuming apps implement against their DB layer
• TOTPSecret type — ID, UserID, Secret (unpadded base32; apps may store encrypted), CreatedAt
• ErrTOTPNotFound / ErrInvalidTOTPCode sentinel errors
• GenerateTOTPSecret() — 20-byte CSPRNG secret as unpadded base32
• TOTPProvisioningURI(secret, accountName, issuer) — standard otpauth://totp/… URI for QR display
• ValidateTOTP(secret, code) — HMAC-SHA1/RFC 4226 with ±1 step clock-skew window

handler package

TOTPHandler — router-agnostic, mirrors the existing handler patterns:

Endpoint	Description
GET /totp/status	{"enrolled": bool}
POST /totp/generate	Returns {secret, provisioning_uri}; no DB write — secret is unconfirmed
POST /totp/enroll	Accepts {secret, code}, verifies code, then persists
POST /totp/verify	Validates a code against the stored secret
DELETE /totp	Removes the enrolled secret

Enrollment is intentionally two-step: generate → user scans QR → enroll with first code, ensuring the authenticator is correctly configured before the secret is committed.

r.Get("/totp/status",    totpHandler.Status)
r.Post("/totp/generate", jwtMiddleware(totpHandler.Generate))
r.Post("/totp/enroll",   jwtMiddleware(totpHandler.Enroll))
r.Post("/totp/verify",   jwtMiddleware(totpHandler.Verify))
r.Delete("/totp",        jwtMiddleware(totpHandler.Disable))

[Copilot]

Pull request overview

Adds RFC 6238 TOTP-based MFA support to the auth and handler packages, introducing secret generation/validation utilities plus HTTP endpoints and tests to support enrollment, verification, status checks, and disabling.

Changes:

• Introduces auth-level TOTP primitives (GenerateTOTPSecret, TOTPProvisioningURI, ValidateTOTP) and HOTP implementation.
• Adds TOTPStore/TOTPSecret types and new sentinel errors for store/verification flows.
• Implements handler.TOTPHandler endpoints and comprehensive handler/unit tests for the lifecycle.

Show a summary per file

File	Description
auth/types.go	Adds TOTP store interface, secret model, and sentinel errors.
auth/totp.go	Implements secret generation, provisioning URI creation, and TOTP validation.
auth/totp_test.go	Adds unit coverage for TOTP/HOTP generation and validation behavior.
handler/totp.go	Adds HTTP handlers for generate/enroll/verify/status/disable TOTP flows.
handler/totp_test.go	Adds handler tests covering success/error paths across endpoints.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/5 changed files
• Comments generated: 4

[veverkap]

/grumpy

[github-actions]

😤 Fine. Grumpy Code Reviewer 🔥 finished the review. It wasn't completely terrible. I guess. 🙄

[github-actions]

The TOTP implementation is structurally sound — RFC 4226 vectors pass, the enrollment flow is two-step, tests exist. But there are real problems that need fixing before this merges: no replay protection (a fundamental MFA requirement), leaking database/sql through the interface abstraction, copy-pasted crypto in tests, and a status handler that silently lies when the store errors. Fix those and I'll grudgingly admit it's adequate.

😤 Reluctantly reviewed by Grumpy Code Reviewer 🔥

To install this agentic workflow, run

gh aw add amalgamated-tools/biblioteka/.github/workflows/grumpy-reviewer.md@0dff8ccb0ced8d634877b4201f25795e659dced0

a