feat: add 2FA document auth

packages/lib/constants/document-auth.ts

@@ -24,6 +24,10 @@ export const DOCUMENT_AUTH_TYPES: Record<string, DocumentAuthTypeData> = {
     key: DocumentAuth.PASSKEY,
     value: 'Require passkey',
   },
+  [DocumentAuth['2FA']]: {
+    key: DocumentAuth['2FA'],
+    value: 'Require 2FA',
+  },
   [DocumentAuth.EXPLICIT_NONE]: {
     key: DocumentAuth.EXPLICIT_NONE,
     value: 'None (Overrides global settings)',

packages/lib/server-only/document/is-recipient-authorized.ts

@@ -4,6 +4,7 @@ import { match } from 'ts-pattern';
 import { prisma } from '@documenso/prisma';
 import type { Document, Recipient } from '@documenso/prisma/client';
 
+import { verifyTwoFactorAuthenticationToken } from '../2fa/verify-2fa-token';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAuth, TDocumentAuthMethods } from '../../types/document-auth';
 import { DocumentAuth } from '../../types/document-auth';
@@ -104,6 +105,27 @@ export const isRecipientAuthorized = async ({
         tokenReference,
       });
     })
+    .with({ type: DocumentAuth['2FA'] }, async ({ token }) => {
+      if (!userId) {
+        return false;
+      }
+
+      const user = await prisma.user.findFirst({
+        where: {
+          id: userId,
+        },
+      });
+
+      // Should not be possible.
+      if (!user) {
+        throw new AppError(AppErrorCode.NOT_FOUND, 'User not found');
+      }
+
+      return await verifyTwoFactorAuthenticationToken({
+        user,
+        totpCode: token,
+      });
+    })
     .exhaustive();
 };
 

packages/lib/types/document-auth.ts

@@ -5,7 +5,7 @@ import { ZAuthenticationResponseJSONSchema } from './webauthn';
 /**
  * All the available types of document authentication options for both access and action.
  */
-export const ZDocumentAuthTypesSchema = z.enum(['ACCOUNT', 'PASSKEY', 'EXPLICIT_NONE']);
+export const ZDocumentAuthTypesSchema = z.enum(['ACCOUNT', 'PASSKEY', '2FA', 'EXPLICIT_NONE']);
 export const DocumentAuth = ZDocumentAuthTypesSchema.Enum;
 
 const ZDocumentAuthAccountSchema = z.object({
@@ -22,6 +22,11 @@ const ZDocumentAuthPasskeySchema = z.object({
   tokenReference: z.string().min(1),
 });
 
+const ZDocumentAuth2FASchema = z.object({
+  type: z.literal(DocumentAuth['2FA']),
+  token: z.string().min(4).max(10),
+});
+
 /**
  * All the document auth methods for both accessing and actioning.
  */
@@ -29,6 +34,7 @@ export const ZDocumentAuthMethodsSchema = z.discriminatedUnion('type', [
   ZDocumentAuthAccountSchema,
   ZDocumentAuthExplicitNoneSchema,
   ZDocumentAuthPasskeySchema,
+  ZDocumentAuth2FASchema,
 ]);
 
 /**
@@ -47,8 +53,13 @@ export const ZDocumentAccessAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
 export const ZDocumentActionAuthSchema = z.discriminatedUnion('type', [
   ZDocumentAuthAccountSchema,
   ZDocumentAuthPasskeySchema,
+  ZDocumentAuth2FASchema,
+]);
+export const ZDocumentActionAuthTypesSchema = z.enum([
+  DocumentAuth.ACCOUNT,
+  DocumentAuth.PASSKEY,
+  DocumentAuth['2FA'],
 ]);
-export const ZDocumentActionAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT, DocumentAuth.PASSKEY]);
 
 /**
  * The recipient access auth methods.
@@ -68,11 +79,13 @@ export const ZRecipientAccessAuthTypesSchema = z.enum([DocumentAuth.ACCOUNT]);
 export const ZRecipientActionAuthSchema = z.discriminatedUnion('type', [
   ZDocumentAuthAccountSchema,
   ZDocumentAuthPasskeySchema,
+  ZDocumentAuth2FASchema,
   ZDocumentAuthExplicitNoneSchema,
 ]);
 export const ZRecipientActionAuthTypesSchema = z.enum([
   DocumentAuth.ACCOUNT,
   DocumentAuth.PASSKEY,
+  DocumentAuth['2FA'],
   DocumentAuth.EXPLICIT_NONE,
 ]);