Merge latest main and add phased auth roadmap #144

Draft: Copilot wants to merge 7 commits into main from copilot/implement-security-audit-recommendations

Merge latest main and add phased auth roadmap#144
Copilot wants to merge 7 commits into
mainfrom
copilot/implement-security-audit-recommendations

Conversation


Copilot AI commented Mar 23, 2026

This syncs the branch with the latest main and resolves the resulting route-registry conflict. It also adds a repo-specific auth roadmap that reflects Ottabase’s current auth surface and the highest-value next steps for a production SaaS framework.

  • Merge sync

    • Merged latest origin/main into this branch
    • Resolved the conflict in apps/ottabase-template-app-tanstack/worker/routes/router.ts
    • Preserved both:
      • the existing account-security route wiring from this branch
      • the newer blog/category/series route wiring introduced on main
  • Auth roadmap

    • Added ROADMAP_AUTH.MD at the repo root
    • Frames auth work around Ottabase’s actual architecture:
      • @ottabase/auth as the reusable core
      • app layer as thin product/UI glue
    • Organizes next work into clear phases:
      • hardening current auth flows
      • completing account security UX
      • making passkeys first-class in sign-in
      • organization-aware policy controls
      • package/docs polish
  • Priority direction captured in the roadmap

    • Encrypt MFA secrets at rest
    • Add recovery codes
    • Add step-up auth for sensitive actions
    • Add session/device visibility and revocation
    • Make passkey-first login a first-class path
    • Support safe email change and provider linking
    • Expand auth/security audit coverage

## Recommended Priority Order

1. Encrypt TOTP secrets at rest
2. Recovery codes
3. Step-up auth for sensitive actions
4. Session/device management
5. Passkey-first login button and autofill UX
6. Email change flow
7. Auth audit event expansion
8. Provider linking/unlinking
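
Roadmap item 1 above, encrypting the TOTP secret before it lands in the `totpSecret` column, as an added TypeScript example written for this page (it is not Ottabase code and nothing in this PR implements it yet). It assumes a hypothetical `TOTP_KEK` secret binding that holds a 32-byte key as hex, and the `v1:<kid>:<iv>:<ciphertext>` record layout is a choice made here. Web Crypto AES-256-GCM does the work; the user id goes into the additional authenticated data so an encrypted column copied from one user row to another fails to decrypt instead of silently yielding a working second factor:

```typescript
// Added example (not Ottabase code): encrypt a user's TOTP secret with
// AES-256-GCM before it is stored, so a database or backup leak does not
// hand out working second factors. The key source (TOTP_KEK) and the record
// layout below are assumptions chosen for illustration.
import { webcrypto } from "node:crypto";

// Web Crypto is global on Cloudflare Workers; fall back to Node's copy locally.
const cryptoImpl = ((globalThis as any).crypto ?? webcrypto) as typeof webcrypto;
const subtle = cryptoImpl.subtle;
const utf8 = new TextEncoder();

const hex = (b: Uint8Array): string =>
  Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
const unhex = (s: string): Uint8Array => {
  if (!/^([0-9a-f]{2})+$/i.test(s)) throw new Error("expected an even-length hex string");
  return Uint8Array.from(s.match(/../g)!, (h) => parseInt(h, 16));
};

// Import a 32-byte key-encryption key (KEK). In production read it from a
// secret binding such as env.TOTP_KEK (hypothetical name), never from the DB.
export async function importKek(hexKey: string) {
  const raw = unhex(hexKey);
  if (raw.length !== 32) throw new Error("TOTP_KEK must be exactly 32 bytes (AES-256)");
  return subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
}
type Kek = Awaited<ReturnType<typeof importKek>>;

// Record layout: "v1:<kid>:<iv hex>:<ciphertext+tag hex>". The version and key id
// let a later key rotation re-encrypt rows lazily while old ones stay readable.
export async function sealTotpSecret(
  userId: string,
  secretBase32: string,
  kek: Kek,
  kid = "k1",
): Promise<string> {
  const iv = cryptoImpl.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per write
  // AAD ties the ciphertext to this user row and key id: swapping two users'
  // encrypted columns in the database makes decryption fail rather than succeed.
  const aad = utf8.encode(`totp-secret:${kid}:${userId}`);
  const ct = await subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: aad },
    kek,
    utf8.encode(secretBase32),
  );
  return `v1:${kid}:${hex(iv)}:${hex(new Uint8Array(ct))}`;
}

export async function openTotpSecret(userId: string, record: string, kek: Kek): Promise<string> {
  const [version, kid, ivHex, ctHex] = record.split(":");
  if (version !== "v1" || !kid || !ivHex || !ctHex) throw new Error("unrecognised totp secret record");
  const aad = utf8.encode(`totp-secret:${kid}:${userId}`);
  try {
    const pt = await subtle.decrypt(
      { name: "AES-GCM", iv: unhex(ivHex), additionalData: aad },
      kek,
      unhex(ctHex),
    );
    return new TextDecoder().decode(pt);
  } catch {
    // Wrong key, wrong user, or tampered bytes all surface as a GCM tag failure.
    throw new Error("totp secret integrity check failed");
  }
}

// Constructed demo input: a fixed development KEK (never ship a hard-coded key).
const DEV_KEK_HEX = "0123456789abcdef".repeat(4); // 32 bytes
export async function demoSealOpen() {
  const kek = await importKek(DEV_KEK_HEX);
  const secret = "GEZDGNBVGY3TQOJQ"; // constructed base32 TOTP secret
  const a = await sealTotpSecret("user_1", secret, kek);
  const b = await sealTotpSecret("user_1", secret, kek);
  const roundTrip = await openTotpSecret("user_1", a, kek);
  // Same record presented for a different user id must fail the GCM tag check.
  const crossUserRejected = await openTotpSecret("user_2", a, kek).then(() => false, () => true);
  return { roundTrip, distinctCiphertexts: a !== b, crossUserRejected };
}

demoSealOpen().then((r) => console.log(r));
```

Because the key id travels with the record, rotation is a second KEK imported under a new `kid`, new enrolments sealed with it, and old rows re-sealed on the user's next successful TOTP verification. The plaintext secret should exist only inside the request that verifies a code; it never needs to be returned to the client after enrolment.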

Copilot AI and others added 4 commits March 23, 2026 18:56
- Add totpSecret/totpEnabled columns to User schema
- Create edge-compatible TOTP utility (Web Crypto HMAC-SHA1)
- Add backend routes: password/change, totp/setup, totp/enable, totp/disable
- Add passkeys routes: list, register-options, register-verify, delete
- Add credentials/preflight endpoint for TOTP-aware login
- Modify credentials authorize to verify TOTP codes
- Update client API with all new functions
- Wire routes in router.ts

Co-authored-by: thinkdj <688055+thinkdj@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thinkdj/ottabase/sessions/f26604b8-2585-4e32-8a0f-dabeed136fd3
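
The TOTP utility this commit describes (Web Crypto HMAC-SHA1, base32, code verification), as an added TypeScript example written for this page rather than taken from `@ottabase/auth`. Function names and the `lastUsedStep` replay guard are assumptions; `RFC6238_SHA1_SECRET` is the standard RFC 6238 test key, so the codes it produces can be checked against the RFC's own table:

```typescript
// Added example (not Ottabase's utility): RFC 4226/6238 TOTP over Web Crypto
// HMAC-SHA1, with the checks a login path needs: a fixed +/-1 step window,
// a constant-time code comparison, and replay rejection via the last step
// accepted for this user (lastUsedStep is a hypothetical column name).
import { webcrypto } from "node:crypto";

// Web Crypto is global on Workers; fall back to Node's implementation locally.
const subtle = (((globalThis as any).crypto ?? webcrypto) as typeof webcrypto).subtle;

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
export function base32Decode(s: string): Uint8Array {
  const clean = s.toUpperCase().replace(/\s+/g, "").replace(/=+$/, "");
  const out = new Uint8Array(Math.floor((clean.length * 5) / 8));
  let acc = 0, bits = 0, n = 0;
  for (const ch of clean) {
    const v = B32.indexOf(ch);
    if (v < 0) throw new Error(`invalid base32 character: ${ch}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      out[n++] = (acc >>> (bits - 8)) & 0xff;
      bits -= 8;
      acc &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export async function hotp(secret: Uint8Array, counter: bigint, digits = 6): Promise<string> {
  const key = await subtle.importKey("raw", secret, { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
  const msg = new Uint8Array(8);
  new DataView(msg.buffer).setBigUint64(0, counter);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, msg));
  const off = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): HOTP with counter = floor(unixSeconds / step).
export async function totp(secret: Uint8Array, unixSeconds: number, step = 30, digits = 6): Promise<string> {
  return hotp(secret, BigInt(Math.floor(unixSeconds / step)), digits);
}

// Compare without an early exit on the first differing digit.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns the 30 s time step the code matched, or null. Persist the returned step
// as the user's lastUsedStep so the same code cannot be replayed inside the window.
export async function verifyTotp(
  secretBase32: string,
  code: string,
  nowSeconds: number,
  skew = 1,
  lastUsedStep = -1,
): Promise<number | null> {
  if (!/^\d{6}$/.test(code)) return null; // reject malformed input before touching the secret
  const secret = base32Decode(secretBase32);
  const current = Math.floor(nowSeconds / 30);
  for (let step = current - skew; step <= current + skew; step++) {
    if (step <= lastUsedStep) continue; // already consumed, or older than one we accepted
    const expected = await hotp(secret, BigInt(step));
    if (constantTimeEqual(expected, code)) return step;
  }
  return null;
}

// RFC 6238 Appendix B key: base32 of the ASCII string "12345678901234567890".
export const RFC6238_SHA1_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

totp(base32Decode(RFC6238_SHA1_SECRET), 59).then((code) => console.log("T=59 ->", code));
```

Two details worth carrying into the credentials authorize step: keep the skew at one step either side (the RFC's own allowance for clock drift) and store the step that matched, since a TOTP code is only a one-time code if the server refuses it the second time it is presented within the window. The same function covers the preflight check, with the caveat that a preflight endpoint which answers differently for enrolled and non-enrolled accounts reveals which accounts have TOTP enabled.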
…gement

- Add ChangePasswordDialog with validation and password strength rules
- Add TotpSetupDialog with inline QR code generation (no external deps)
- Add PasskeyManager for WebAuthn enrollment and deletion
- Update UserProfilePage security card with working controls
- Update LoginPage with TOTP verification dialog
- Update signInWithCredentials to accept TOTP codes
- Add preflight credentials check for TOTP-aware login flow

Co-authored-by: thinkdj <688055+thinkdj@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thinkdj/ottabase/sessions/f26604b8-2585-4e32-8a0f-dabeed136fd3
- Add 19 TOTP utility tests (base32, secret generation, code verification)
- Fix TypeScript Uint8Array buffer type compatibility in backend-handler.ts
- All packages build successfully, all 111 tests pass

Co-authored-by: thinkdj <688055+thinkdj@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thinkdj/ottabase/sessions/f26604b8-2585-4e32-8a0f-dabeed136fd3
- Add JSDoc to defaultCredentialsAuthorize documenting TOTP support
- Add security comment about totp_secret being server-side only
- Allow both platform and cross-platform authenticators for passkeys
- Remove unused hasPassword state from UserProfilePage
- Fix test assertion for incorrect TOTP code rejection

Co-authored-by: thinkdj <688055+thinkdj@users.noreply.github.com>
Agent-Logs-Url: https://github.com/thinkdj/ottabase/sessions/f26604b8-2585-4e32-8a0f-dabeed136fd3
Copilot AI changed the title from "[WIP] Implement security audit recommendations for 2FA and password management" to "feat: end-to-end password change, TOTP 2FA, and WebAuthn passkeys" on Mar 23, 2026
Copilot AI requested a review from thinkdj on March 23, 2026 19:18
Copilot AI changed the title from "feat: end-to-end password change, TOTP 2FA, and WebAuthn passkeys" to "Merge latest main and add phased auth roadmap" on Mar 27, 2026