Implement Phase 2: Refresh tokens, 2FA, password reset, and audit logging

Co-authored-by: mblanke <9078342+mblanke@users.noreply.github.com>
2026-03-01 14:00:20 -05:00 · 2025-12-09 17:30:12 +00:00
parent ddf287cde7
commit c8c0c762c5
15 changed files with 716 additions and 9 deletions
--- a/backend/app/core/security.py
+++ b/backend/app/core/security.py
@@ -1,5 +1,7 @@
 from datetime import datetime, timedelta, timezone
 from typing import Optional
+import secrets
+import pyotp
 from jose import JWTError, jwt
 from passlib.context import CryptContext

@@ -56,3 +58,63 @@ def verify_token(token: str) -> Optional[dict]:
        return payload
    except JWTError:
        return None
+
+
+def create_refresh_token() -> str:
+    """
+    Create a secure random refresh token
+    
+    Returns:
+        Random token string
+    """
+    return secrets.token_urlsafe(32)
+
+
+def create_reset_token() -> str:
+    """
+    Create a secure random password reset token
+    
+    Returns:
+        Random token string
+    """
+    return secrets.token_urlsafe(32)
+
+
+def generate_totp_secret() -> str:
+    """
+    Generate a TOTP secret for 2FA
+    
+    Returns:
+        Base32 encoded secret
+    """
+    return pyotp.random_base32()
+
+
+def verify_totp(secret: str, code: str) -> bool:
+    """
+    Verify a TOTP code
+    
+    Args:
+        secret: TOTP secret
+        code: 6-digit code from authenticator app
+    
+    Returns:
+        True if code is valid
+    """
+    totp = pyotp.TOTP(secret)
+    return totp.verify(code, valid_window=1)
+
+
+def get_totp_uri(secret: str, username: str) -> str:
+    """
+    Get TOTP provisioning URI for QR code
+    
+    Args:
+        secret: TOTP secret
+        username: User's username
+    
+    Returns:
+        otpauth:// URI
+    """
+    totp = pyotp.TOTP(secret)
+    return totp.provisioning_uri(name=username, issuer_name="VelociCompanion")