feat: support 2fa for document completion (#2063)

Adds support for 2FA when completing a document, also adds support for
using email for 2FA when no authenticator has been associated with the
account.

packages/email/template-components/template-access-auth-2fa.tsx

@@ -0,0 +1,60 @@
+import { Trans } from '@lingui/react/macro';
+
+import { Heading, Img, Section, Text } from '../components';
+
+export type TemplateAccessAuth2FAProps = {
+  documentTitle: string;
+  code: string;
+  userEmail: string;
+  userName: string;
+  expiresInMinutes: number;
+  assetBaseUrl?: string;
+};
+
+export const TemplateAccessAuth2FA = ({
+  documentTitle,
+  code,
+  userName,
+  expiresInMinutes,
+  assetBaseUrl = 'http://localhost:3002',
+}: TemplateAccessAuth2FAProps) => {
+  const getAssetUrl = (path: string) => {
+    return new URL(path, assetBaseUrl).toString();
+  };
+
+  return (
+    <div>
+      <Img src={getAssetUrl('/static/document.png')} alt="Document" className="mx-auto h-12 w-12" />
+
+      <Section className="mt-8">
+        <Heading className="text-center text-lg font-semibold text-slate-900">
+          <Trans>Verification Code Required</Trans>
+        </Heading>
+
+        <Text className="mt-2 text-center text-slate-700">
+          <Trans>
+            Hi {userName}, you need to enter a verification code to complete the document "
+            {documentTitle}".
+          </Trans>
+        </Text>
+
+        <Section className="mt-6 rounded-lg bg-slate-50 p-6 text-center">
+          <Text className="mb-2 text-sm font-medium text-slate-600">
+            <Trans>Your verification code:</Trans>
+          </Text>
+          <Text className="text-2xl font-bold tracking-wider text-slate-900">{code}</Text>
+        </Section>
+
+        <Text className="mt-4 text-center text-sm text-slate-600">
+          <Trans>This code will expire in {expiresInMinutes} minutes.</Trans>
+        </Text>
+
+        <Text className="mt-4 text-center text-sm text-slate-500">
+          <Trans>
+            If you didn't request this verification code, you can safely ignore this email.
+          </Trans>
+        </Text>
+      </Section>
+    </div>
+  );
+};

packages/email/templates/access-auth-2fa.tsx

@@ -0,0 +1,77 @@
+import { msg } from '@lingui/core/macro';
+import { useLingui } from '@lingui/react';
+
+import { Body, Container, Head, Html, Img, Preview, Section } from '../components';
+import { useBranding } from '../providers/branding';
+import { TemplateAccessAuth2FA } from '../template-components/template-access-auth-2fa';
+import { TemplateFooter } from '../template-components/template-footer';
+
+export type AccessAuth2FAEmailTemplateProps = {
+  documentTitle: string;
+  code: string;
+  userEmail: string;
+  userName: string;
+  expiresInMinutes: number;
+  assetBaseUrl?: string;
+};
+
+export const AccessAuth2FAEmailTemplate = ({
+  documentTitle,
+  code,
+  userEmail,
+  userName,
+  expiresInMinutes,
+  assetBaseUrl = 'http://localhost:3002',
+}: AccessAuth2FAEmailTemplateProps) => {
+  const { _ } = useLingui();
+
+  const branding = useBranding();
+
+  const previewText = msg`Your verification code is ${code}`;
+
+  const getAssetUrl = (path: string) => {
+    return new URL(path, assetBaseUrl).toString();
+  };
+
+  return (
+    <Html>
+      <Head />
+      <Preview>{_(previewText)}</Preview>
+
+      <Body className="mx-auto my-auto bg-white font-sans">
+        <Section>
+          <Container className="mx-auto mb-2 mt-8 max-w-xl rounded-lg border border-solid border-slate-200 p-4 backdrop-blur-sm">
+            <Section>
+              {branding.brandingEnabled && branding.brandingLogo ? (
+                <Img src={branding.brandingLogo} alt="Branding Logo" className="mb-4 h-6" />
+              ) : (
+                <Img
+                  src={getAssetUrl('/static/logo.png')}
+                  alt="Documenso Logo"
+                  className="mb-4 h-6"
+                />
+              )}
+
+              <TemplateAccessAuth2FA
+                documentTitle={documentTitle}
+                code={code}
+                userEmail={userEmail}
+                userName={userName}
+                expiresInMinutes={expiresInMinutes}
+                assetBaseUrl={assetBaseUrl}
+              />
+            </Section>
+          </Container>
+
+          <div className="mx-auto mt-12 max-w-xl" />
+
+          <Container className="mx-auto max-w-xl">
+            <TemplateFooter isDocument={false} />
+          </Container>
+        </Section>
+      </Body>
+    </Html>
+  );
+};
+
+export default AccessAuth2FAEmailTemplate;

packages/lib/errors/app-error.ts

@@ -17,6 +17,7 @@ export enum AppErrorCode {
   'RETRY_EXCEPTION' = 'RETRY_EXCEPTION',
   'SCHEMA_FAILED' = 'SCHEMA_FAILED',
   'TOO_MANY_REQUESTS' = 'TOO_MANY_REQUESTS',
+  'TWO_FACTOR_AUTH_FAILED' = 'TWO_FACTOR_AUTH_FAILED',
 }
 
 export const genericErrorCodeToTrpcErrorCodeMap: Record<string, { code: string; status: number }> =
@@ -32,6 +33,7 @@ export const genericErrorCodeToTrpcErrorCodeMap: Record<string, { code: string;
     [AppErrorCode.RETRY_EXCEPTION]: { code: 'INTERNAL_SERVER_ERROR', status: 500 },
     [AppErrorCode.SCHEMA_FAILED]: { code: 'INTERNAL_SERVER_ERROR', status: 500 },
     [AppErrorCode.TOO_MANY_REQUESTS]: { code: 'TOO_MANY_REQUESTS', status: 429 },
+    [AppErrorCode.TWO_FACTOR_AUTH_FAILED]: { code: 'UNAUTHORIZED', status: 401 },
   };
 
 export const ZAppErrorJsonSchema = z.object({

packages/lib/server-only/2fa/email/constants.ts

@@ -0,0 +1 @@
+export const TWO_FACTOR_EMAIL_EXPIRATION_MINUTES = 5;

packages/lib/server-only/2fa/email/generate-2fa-credentials-from-email.ts

@@ -0,0 +1,38 @@
+import { hmac } from '@noble/hashes/hmac';
+import { sha256 } from '@noble/hashes/sha256';
+import { createTOTPKeyURI } from 'oslo/otp';
+
+import { DOCUMENSO_ENCRYPTION_KEY } from '../../../constants/crypto';
+
+const ISSUER = 'Documenso Email 2FA';
+
+export type GenerateTwoFactorCredentialsFromEmailOptions = {
+  documentId: number;
+  email: string;
+};
+
+/**
+ * Generate an encrypted token containing a 6-digit 2FA code for email verification.
+ *
+ * @param options - The options for generating the token
+ * @returns Object containing the token and the 6-digit code
+ */
+export const generateTwoFactorCredentialsFromEmail = ({
+  documentId,
+  email,
+}: GenerateTwoFactorCredentialsFromEmailOptions) => {
+  if (!DOCUMENSO_ENCRYPTION_KEY) {
+    throw new Error('Missing DOCUMENSO_ENCRYPTION_KEY');
+  }
+
+  const identity = `email-2fa|v1|email:${email}|id:${documentId}`;
+
+  const secret = hmac(sha256, DOCUMENSO_ENCRYPTION_KEY, identity);
+
+  const uri = createTOTPKeyURI(ISSUER, email, secret);
+
+  return {
+    uri,
+    secret,
+  };
+};

packages/lib/server-only/2fa/email/generate-2fa-token-from-email.ts

@@ -0,0 +1,23 @@
+import { generateHOTP } from 'oslo/otp';
+
+import { generateTwoFactorCredentialsFromEmail } from './generate-2fa-credentials-from-email';
+
+export type GenerateTwoFactorTokenFromEmailOptions = {
+  documentId: number;
+  email: string;
+  period?: number;
+};
+
+export const generateTwoFactorTokenFromEmail = async ({
+  email,
+  documentId,
+  period = 30_000,
+}: GenerateTwoFactorTokenFromEmailOptions) => {
+  const { secret } = generateTwoFactorCredentialsFromEmail({ email, documentId });
+
+  const counter = Math.floor(Date.now() / period);
+
+  const token = await generateHOTP(secret, counter);
+
+  return token;
+};

packages/lib/server-only/2fa/email/send-2fa-token-email.ts

@@ -0,0 +1,124 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import { AccessAuth2FAEmailTemplate } from '@documenso/email/templates/access-auth-2fa';
+import { prisma } from '@documenso/prisma';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { AppError, AppErrorCode } from '../../../errors/app-error';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../../types/document-audit-logs';
+import { createDocumentAuditLogData } from '../../../utils/document-audit-logs';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import { getEmailContext } from '../../email/get-email-context';
+import { TWO_FACTOR_EMAIL_EXPIRATION_MINUTES } from './constants';
+import { generateTwoFactorTokenFromEmail } from './generate-2fa-token-from-email';
+
+export type Send2FATokenEmailOptions = {
+  token: string;
+  documentId: number;
+};
+
+export const send2FATokenEmail = async ({ token, documentId }: Send2FATokenEmailOptions) => {
+  const document = await prisma.document.findFirst({
+    where: {
+      id: documentId,
+      recipients: {
+        some: {
+          token,
+        },
+      },
+    },
+    include: {
+      recipients: {
+        where: {
+          token,
+        },
+      },
+      documentMeta: true,
+      team: {
+        select: {
+          teamEmail: true,
+          name: true,
+        },
+      },
+    },
+  });
+
+  if (!document) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Document not found',
+    });
+  }
+
+  const [recipient] = document.recipients;
+
+  if (!recipient) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Recipient not found',
+    });
+  }
+
+  const twoFactorTokenToken = await generateTwoFactorTokenFromEmail({
+    documentId,
+    email: recipient.email,
+  });
+
+  const { branding, emailLanguage, senderEmail, replyToEmail } = await getEmailContext({
+    emailType: 'RECIPIENT',
+    source: {
+      type: 'team',
+      teamId: document.teamId,
+    },
+    meta: document.documentMeta,
+  });
+
+  const i18n = await getI18nInstance(emailLanguage);
+
+  const subject = i18n._(msg`Your two-factor authentication code`);
+
+  const template = createElement(AccessAuth2FAEmailTemplate, {
+    documentTitle: document.title,
+    userName: recipient.name,
+    userEmail: recipient.email,
+    code: twoFactorTokenToken,
+    expiresInMinutes: TWO_FACTOR_EMAIL_EXPIRATION_MINUTES,
+    assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(template, { lang: emailLanguage, branding }),
+    renderEmailWithI18N(template, { lang: emailLanguage, branding, plainText: true }),
+  ]);
+
+  await prisma.$transaction(
+    async (tx) => {
+      await mailer.sendMail({
+        to: {
+          address: recipient.email,
+          name: recipient.name,
+        },
+        from: senderEmail,
+        replyTo: replyToEmail,
+        subject,
+        html,
+        text,
+      });
+
+      await tx.documentAuditLog.create({
+        data: createDocumentAuditLogData({
+          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_REQUESTED,
+          documentId: document.id,
+          data: {
+            recipientEmail: recipient.email,
+            recipientName: recipient.name,
+            recipientId: recipient.id,
+          },
+        }),
+      });
+    },
+    { timeout: 30_000 },
+  );
+};

packages/lib/server-only/2fa/email/validate-2fa-token-from-email.ts

@@ -0,0 +1,37 @@
+import { generateHOTP } from 'oslo/otp';
+
+import { generateTwoFactorCredentialsFromEmail } from './generate-2fa-credentials-from-email';
+
+export type ValidateTwoFactorTokenFromEmailOptions = {
+  documentId: number;
+  email: string;
+  code: string;
+  period?: number;
+  window?: number;
+};
+
+export const validateTwoFactorTokenFromEmail = async ({
+  documentId,
+  email,
+  code,
+  period = 30_000,
+  window = 1,
+}: ValidateTwoFactorTokenFromEmailOptions) => {
+  const { secret } = generateTwoFactorCredentialsFromEmail({ email, documentId });
+
+  let now = Date.now();
+
+  for (let i = 0; i < window; i++) {
+    const counter = Math.floor(now / period);
+
+    const hotp = await generateHOTP(secret, counter);
+
+    if (code === hotp) {
+      return true;
+    }
+
+    now -= period;
+  }
+
+  return false;
+};

packages/lib/server-only/document/complete-document-with-token.ts

@@ -18,7 +18,8 @@ import { prisma } from '@documenso/prisma';
 
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import { jobs } from '../../jobs/client';
-import type { TRecipientActionAuth } from '../../types/document-auth';
+import type { TRecipientAccessAuth, TRecipientActionAuth } from '../../types/document-auth';
+import { DocumentAuth } from '../../types/document-auth';
 import {
   ZWebhookDocumentSchema,
   mapDocumentToWebhookDocumentPayload,
@@ -26,6 +27,7 @@ import {
 import { extractDocumentAuthMethods } from '../../utils/document-auth';
 import { getIsRecipientsTurnToSign } from '../recipient/get-is-recipient-turn';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
+import { isRecipientAuthorized } from './is-recipient-authorized';
 import { sendPendingEmail } from './send-pending-email';
 
 export type CompleteDocumentWithTokenOptions = {
@@ -33,6 +35,7 @@ export type CompleteDocumentWithTokenOptions = {
   documentId: number;
   userId?: number;
   authOptions?: TRecipientActionAuth;
+  accessAuthOptions?: TRecipientAccessAuth;
   requestMetadata?: RequestMetadata;
   nextSigner?: {
     email: string;
@@ -64,6 +67,8 @@ const getDocument = async ({ token, documentId }: CompleteDocumentWithTokenOptio
 export const completeDocumentWithToken = async ({
   token,
   documentId,
+  userId,
+  accessAuthOptions,
   requestMetadata,
   nextSigner,
 }: CompleteDocumentWithTokenOptions) => {
@@ -111,24 +116,57 @@ export const completeDocumentWithToken = async ({
     throw new Error(`Recipient ${recipient.id} has unsigned fields`);
   }
 
-  // Document reauth for completing documents is currently not required.
+  // Check ACCESS AUTH 2FA validation during document completion
+  const { derivedRecipientAccessAuth } = extractDocumentAuthMethods({
+    documentAuth: document.authOptions,
+    recipientAuth: recipient.authOptions,
+  });
 
-  // const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
-  //   documentAuth: document.authOptions,
-  //   recipientAuth: recipient.authOptions,
-  // });
+  if (derivedRecipientAccessAuth.includes(DocumentAuth.TWO_FACTOR_AUTH)) {
+    if (!accessAuthOptions) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'Access authentication required',
+      });
+    }
 
-  // const isValid = await isRecipientAuthorized({
-  //   type: 'ACTION',
-  //   document: document,
-  //   recipient: recipient,
-  //   userId,
-  //   authOptions,
-  // });
+    const isValid = await isRecipientAuthorized({
+      type: 'ACCESS_2FA',
+      documentAuthOptions: document.authOptions,
+      recipient: recipient,
+      userId, // Can be undefined for non-account recipients
+      authOptions: accessAuthOptions,
+    });
 
-  // if (!isValid) {
-  //   throw new AppError(AppErrorCode.UNAUTHORIZED, 'Invalid authentication values');
-  // }
+    if (!isValid) {
+      await prisma.documentAuditLog.create({
+        data: createDocumentAuditLogData({
+          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_FAILED,
+          documentId: document.id,
+          data: {
+            recipientId: recipient.id,
+            recipientName: recipient.name,
+            recipientEmail: recipient.email,
+          },
+        }),
+      });
+
+      throw new AppError(AppErrorCode.TWO_FACTOR_AUTH_FAILED, {
+        message: 'Invalid 2FA authentication',
+      });
+    }
+
+    await prisma.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_VALIDATED,
+        documentId: document.id,
+        data: {
+          recipientId: recipient.id,
+          recipientName: recipient.name,
+          recipientEmail: recipient.email,
+        },
+      }),
+    });
+  }
 
   await prisma.$transaction(async (tx) => {
     await tx.recipient.update({

packages/lib/server-only/document/is-recipient-authorized.ts

@@ -4,6 +4,7 @@ import { match } from 'ts-pattern';
 
 import { prisma } from '@documenso/prisma';
 
+import { validateTwoFactorTokenFromEmail } from '../2fa/email/validate-2fa-token-from-email';
 import { verifyTwoFactorAuthenticationToken } from '../2fa/verify-2fa-token';
 import { verifyPassword } from '../2fa/verify-password';
 import { AppError, AppErrorCode } from '../../errors/app-error';
@@ -14,9 +15,10 @@ import { getAuthenticatorOptions } from '../../utils/authenticator';
 import { extractDocumentAuthMethods } from '../../utils/document-auth';
 
 type IsRecipientAuthorizedOptions = {
-  type: 'ACCESS' | 'ACTION';
+  // !: Probably find a better name than 'ACCESS_2FA' if requirements change.
+  type: 'ACCESS' | 'ACCESS_2FA' | 'ACTION';
   documentAuthOptions: Document['authOptions'];
-  recipient: Pick<Recipient, 'authOptions' | 'email'>;
+  recipient: Pick<Recipient, 'authOptions' | 'email' | 'documentId'>;
 
   /**
    * The ID of the user who initiated the request.
@@ -61,8 +63,11 @@ export const isRecipientAuthorized = async ({
     recipientAuth: recipient.authOptions,
   });
 
-  const authMethods: TDocumentAuth[] =
-    type === 'ACCESS' ? derivedRecipientAccessAuth : derivedRecipientActionAuth;
+  const authMethods: TDocumentAuth[] = match(type)
+    .with('ACCESS', () => derivedRecipientAccessAuth)
+    .with('ACCESS_2FA', () => derivedRecipientAccessAuth)
+    .with('ACTION', () => derivedRecipientActionAuth)
+    .exhaustive();
 
   // Early true return when auth is not required.
   if (
@@ -72,6 +77,11 @@ export const isRecipientAuthorized = async ({
     return true;
   }
 
+  // Early true return for ACCESS auth if all methods are 2FA since validation happens in ACCESS_2FA.
+  if (type === 'ACCESS' && authMethods.every((method) => method === DocumentAuth.TWO_FACTOR_AUTH)) {
+    return true;
+  }
+
   // Create auth options when none are passed for account.
   if (!authOptions && authMethods.some((method) => method === DocumentAuth.ACCOUNT)) {
     authOptions = {
@@ -80,12 +90,16 @@ export const isRecipientAuthorized = async ({
   }
 
   // Authentication required does not match provided method.
-  if (!authOptions || !authMethods.includes(authOptions.type) || !userId) {
+  if (!authOptions || !authMethods.includes(authOptions.type)) {
     return false;
   }
 
   return await match(authOptions)
     .with({ type: DocumentAuth.ACCOUNT }, async () => {
+      if (!userId) {
+        return false;
+      }
+
       const recipientUser = await getUserByEmail(recipient.email);
 
       if (!recipientUser) {
@@ -95,13 +109,40 @@ export const isRecipientAuthorized = async ({
       return recipientUser.id === userId;
     })
     .with({ type: DocumentAuth.PASSKEY }, async ({ authenticationResponse, tokenReference }) => {
+      if (!userId) {
+        return false;
+      }
+
       return await isPasskeyAuthValid({
         userId,
         authenticationResponse,
         tokenReference,
       });
     })
-    .with({ type: DocumentAuth.TWO_FACTOR_AUTH }, async ({ token }) => {
+    .with({ type: DocumentAuth.TWO_FACTOR_AUTH }, async ({ token, method }) => {
+      if (type === 'ACCESS') {
+        return true;
+      }
+
+      if (type === 'ACCESS_2FA' && method === 'email') {
+        if (!recipient.documentId) {
+          throw new AppError(AppErrorCode.NOT_FOUND, {
+            message: 'Document ID is required for email 2FA verification',
+          });
+        }
+
+        return await validateTwoFactorTokenFromEmail({
+          documentId: recipient.documentId,
+          email: recipient.email,
+          code: token,
+          window: 10, // 5 minutes worth of tokens
+        });
+      }
+
+      if (!userId) {
+        return false;
+      }
+
       const user = await prisma.user.findFirst({
         where: {
           id: userId,
@@ -115,6 +156,7 @@ export const isRecipientAuthorized = async ({
         });
       }
 
+      // For ACTION auth or authenticator method, use TOTP
       return await verifyTwoFactorAuthenticationToken({
         user,
         totpCode: token,
@@ -122,6 +164,10 @@ export const isRecipientAuthorized = async ({
       });
     })
     .with({ type: DocumentAuth.PASSWORD }, async ({ password }) => {
+      if (!userId) {
+        return false;
+      }
+
       return await verifyPassword({
         userId,
         password,

packages/lib/server-only/document/validate-field-auth.ts

@@ -7,7 +7,7 @@ import { isRecipientAuthorized } from './is-recipient-authorized';
 
 export type ValidateFieldAuthOptions = {
   documentAuthOptions: Document['authOptions'];
-  recipient: Pick<Recipient, 'authOptions' | 'email'>;
+  recipient: Pick<Recipient, 'authOptions' | 'email' | 'documentId'>;
   field: Field;
   userId?: number;
   authOptions?: TRecipientActionAuth;

packages/lib/server-only/template/create-document-from-direct-template.ts

@@ -159,6 +159,7 @@ export const createDocumentFromDirectTemplate = async ({
   // Ensure typesafety when we add more options.
   const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
     .with(DocumentAccessAuth.ACCOUNT, () => user && user?.email === directRecipientEmail)
+    .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => false) // Not supported for direct templates
     .with(undefined, () => true)
     .exhaustive();
 
@@ -205,6 +206,7 @@ export const createDocumentFromDirectTemplate = async ({
         recipient: {
           authOptions: directTemplateRecipient.authOptions,
           email: directRecipientEmail,
+          documentId: template.id,
         },
         field: templateField,
         userId: user?.id,

packages/lib/types/document-audit-logs.ts

@@ -40,6 +40,11 @@ export const ZDocumentAuditLogTypeSchema = z.enum([
   'DOCUMENT_TITLE_UPDATED', // When the document title is updated.
   'DOCUMENT_EXTERNAL_ID_UPDATED', // When the document external ID is updated.
   'DOCUMENT_MOVED_TO_TEAM', // When the document is moved to a team.
+
+  // ACCESS AUTH 2FA events.
+  'DOCUMENT_ACCESS_AUTH_2FA_REQUESTED', // When ACCESS AUTH 2FA is requested.
+  'DOCUMENT_ACCESS_AUTH_2FA_VALIDATED', // When ACCESS AUTH 2FA is successfully validated.
+  'DOCUMENT_ACCESS_AUTH_2FA_FAILED', // When ACCESS AUTH 2FA validation fails.
 ]);
 
 export const ZDocumentAuditLogEmailTypeSchema = z.enum([
@@ -487,6 +492,42 @@ export const ZDocumentAuditLogEventDocumentRecipientRejectedSchema = z.object({
   }),
 });
 
+/**
+ * Event: Document recipient requested a 2FA token.
+ */
+export const ZDocumentAuditLogEventDocumentRecipientRequested2FAEmailSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_REQUESTED),
+  data: z.object({
+    recipientEmail: z.string(),
+    recipientName: z.string(),
+    recipientId: z.number(),
+  }),
+});
+
+/**
+ * Event: Document recipient validated a 2FA token.
+ */
+export const ZDocumentAuditLogEventDocumentRecipientValidated2FAEmailSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_VALIDATED),
+  data: z.object({
+    recipientEmail: z.string(),
+    recipientName: z.string(),
+    recipientId: z.number(),
+  }),
+});
+
+/**
+ * Event: Document recipient failed to validate a 2FA token.
+ */
+export const ZDocumentAuditLogEventDocumentRecipientFailed2FAEmailSchema = z.object({
+  type: z.literal(DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_FAILED),
+  data: z.object({
+    recipientEmail: z.string(),
+    recipientName: z.string(),
+    recipientId: z.number(),
+  }),
+});
+
 /**
  * Event: Document sent.
  */
@@ -627,6 +668,9 @@ export const ZDocumentAuditLogSchema = ZDocumentAuditLogBaseSchema.and(
     ZDocumentAuditLogEventDocumentViewedSchema,
     ZDocumentAuditLogEventDocumentRecipientCompleteSchema,
     ZDocumentAuditLogEventDocumentRecipientRejectedSchema,
+    ZDocumentAuditLogEventDocumentRecipientRequested2FAEmailSchema,
+    ZDocumentAuditLogEventDocumentRecipientValidated2FAEmailSchema,
+    ZDocumentAuditLogEventDocumentRecipientFailed2FAEmailSchema,
     ZDocumentAuditLogEventDocumentSentSchema,
     ZDocumentAuditLogEventDocumentTitleUpdatedSchema,
     ZDocumentAuditLogEventDocumentExternalIdUpdatedSchema,

packages/lib/types/document-auth.ts

@@ -37,6 +37,7 @@ const ZDocumentAuthPasswordSchema = z.object({
 const ZDocumentAuth2FASchema = z.object({
   type: z.literal(DocumentAuth.TWO_FACTOR_AUTH),
   token: z.string().min(4).max(10),
+  method: z.enum(['email', 'authenticator']).default('authenticator').optional(),
 });
 
 /**
@@ -55,9 +56,12 @@ export const ZDocumentAuthMethodsSchema = z.discriminatedUnion('type', [
  *
  * Must keep these two in sync.
  */
-export const ZDocumentAccessAuthSchema = z.discriminatedUnion('type', [ZDocumentAuthAccountSchema]);
+export const ZDocumentAccessAuthSchema = z.discriminatedUnion('type', [
+  ZDocumentAuthAccountSchema,
+  ZDocumentAuth2FASchema,
+]);
 export const ZDocumentAccessAuthTypesSchema = z
-  .enum([DocumentAuth.ACCOUNT])
+  .enum([DocumentAuth.ACCOUNT, DocumentAuth.TWO_FACTOR_AUTH])
   .describe('The type of authentication required for the recipient to access the document.');
 
 /**
@@ -89,9 +93,10 @@ export const ZDocumentActionAuthTypesSchema = z
  */
 export const ZRecipientAccessAuthSchema = z.discriminatedUnion('type', [
   ZDocumentAuthAccountSchema,
+  ZDocumentAuth2FASchema,
 ]);
 export const ZRecipientAccessAuthTypesSchema = z
-  .enum([DocumentAuth.ACCOUNT])
+  .enum([DocumentAuth.ACCOUNT, DocumentAuth.TWO_FACTOR_AUTH])
   .describe('The type of authentication required for the recipient to access the document.');
 
 /**

packages/lib/utils/document-audit-logs.ts

@@ -476,6 +476,36 @@ export const formatDocumentAuditLogAction = (
         identified: result,
       };
     })
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_REQUESTED }, ({ data }) => {
+      const userName = prefix || _(msg`Recipient`);
+
+      const result = msg`${userName} requested a 2FA token for the document`;
+
+      return {
+        anonymous: result,
+        identified: result,
+      };
+    })
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_VALIDATED }, ({ data }) => {
+      const userName = prefix || _(msg`Recipient`);
+
+      const result = msg`${userName} validated a 2FA token for the document`;
+
+      return {
+        anonymous: result,
+        identified: result,
+      };
+    })
+    .with({ type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_FAILED }, ({ data }) => {
+      const userName = prefix || _(msg`Recipient`);
+
+      const result = msg`${userName} failed to validate a 2FA token for the document`;
+
+      return {
+        anonymous: result,
+        identified: result,
+      };
+    })
     .with({ type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT }, ({ data }) => ({
       anonymous: data.isResending ? msg`Email resent` : msg`Email sent`,
       identified: data.isResending

packages/trpc/server/document-router/access-auth-request-2fa-email.ts

@@ -0,0 +1,94 @@
+import { TRPCError } from '@trpc/server';
+import { DateTime } from 'luxon';
+
+import { TWO_FACTOR_EMAIL_EXPIRATION_MINUTES } from '@documenso/lib/server-only/2fa/email/constants';
+import { send2FATokenEmail } from '@documenso/lib/server-only/2fa/email/send-2fa-token-email';
+import { DocumentAuth } from '@documenso/lib/types/document-auth';
+import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
+import { prisma } from '@documenso/prisma';
+
+import { procedure } from '../trpc';
+import {
+  ZAccessAuthRequest2FAEmailRequestSchema,
+  ZAccessAuthRequest2FAEmailResponseSchema,
+} from './access-auth-request-2fa-email.types';
+
+export const accessAuthRequest2FAEmailRoute = procedure
+  .input(ZAccessAuthRequest2FAEmailRequestSchema)
+  .output(ZAccessAuthRequest2FAEmailResponseSchema)
+  .mutation(async ({ input, ctx }) => {
+    try {
+      const { token } = input;
+
+      const user = ctx.user;
+
+      // Get document and recipient by token
+      const document = await prisma.document.findFirst({
+        where: {
+          recipients: {
+            some: {
+              token,
+            },
+          },
+        },
+        include: {
+          recipients: {
+            where: {
+              token,
+            },
+          },
+        },
+      });
+
+      if (!document) {
+        throw new TRPCError({
+          code: 'NOT_FOUND',
+          message: 'Document not found',
+        });
+      }
+
+      const [recipient] = document.recipients;
+
+      const { derivedRecipientAccessAuth } = extractDocumentAuthMethods({
+        documentAuth: document.authOptions,
+        recipientAuth: recipient.authOptions,
+      });
+
+      if (!derivedRecipientAccessAuth.includes(DocumentAuth.TWO_FACTOR_AUTH)) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: '2FA is not required for this document',
+        });
+      }
+
+      // if (user && recipient.email !== user.email) {
+      //   throw new TRPCError({
+      //     code: 'UNAUTHORIZED',
+      //     message: 'User does not match recipient',
+      //   });
+      // }
+
+      const expiresAt = DateTime.now().plus({ minutes: TWO_FACTOR_EMAIL_EXPIRATION_MINUTES });
+
+      await send2FATokenEmail({
+        token,
+        documentId: document.id,
+      });
+
+      return {
+        success: true,
+        expiresAt: expiresAt.toJSDate(),
+      };
+    } catch (error) {
+      console.error('Error sending access auth 2FA email:', error);
+
+      if (error instanceof TRPCError) {
+        throw error;
+      }
+
+      throw new TRPCError({
+        code: 'INTERNAL_SERVER_ERROR',
+        message: 'Failed to send 2FA email',
+      });
+    }
+  });

packages/trpc/server/document-router/access-auth-request-2fa-email.types.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+
+export const ZAccessAuthRequest2FAEmailRequestSchema = z.object({
+  token: z.string().min(1),
+});
+
+export const ZAccessAuthRequest2FAEmailResponseSchema = z.object({
+  success: z.boolean(),
+  expiresAt: z.date(),
+});
+
+export type TAccessAuthRequest2FAEmailRequest = z.infer<
+  typeof ZAccessAuthRequest2FAEmailRequestSchema
+>;
+export type TAccessAuthRequest2FAEmailResponse = z.infer<
+  typeof ZAccessAuthRequest2FAEmailResponseSchema
+>;

packages/trpc/server/document-router/router.ts

@@ -1,4 +1,5 @@
 import { router } from '../trpc';
+import { accessAuthRequest2FAEmailRoute } from './access-auth-request-2fa-email';
 import { createDocumentRoute } from './create-document';
 import { createDocumentTemporaryRoute } from './create-document-temporary';
 import { deleteDocumentRoute } from './delete-document';
@@ -38,6 +39,10 @@ export const documentRouter = router({
   getDocumentByToken: getDocumentByTokenRoute,
   findDocumentsInternal: findDocumentsInternalRoute,
 
+  accessAuth: router({
+    request2FAEmail: accessAuthRequest2FAEmailRoute,
+  }),
+
   auditLog: {
     find: findDocumentAuditLogsRoute,
     download: downloadDocumentAuditLogsRoute,

packages/trpc/server/recipient-router/router.ts

@@ -525,7 +525,7 @@ export const recipientRouter = router({
   completeDocumentWithToken: procedure
     .input(ZCompleteDocumentWithTokenMutationSchema)
     .mutation(async ({ input, ctx }) => {
-      const { token, documentId, authOptions, nextSigner } = input;
+      const { token, documentId, authOptions, accessAuthOptions, nextSigner } = input;
 
       ctx.logger.info({
         input: {
@@ -537,6 +537,7 @@ export const recipientRouter = router({
         token,
         documentId,
         authOptions,
+        accessAuthOptions,
         nextSigner,
         userId: ctx.user?.id,
         requestMetadata: ctx.metadata.requestMetadata,

packages/trpc/server/recipient-router/schema.ts

@@ -3,6 +3,7 @@ import { z } from 'zod';
 
 import { isTemplateRecipientEmailPlaceholder } from '@documenso/lib/constants/template';
 import {
+  ZRecipientAccessAuthSchema,
   ZRecipientAccessAuthTypesSchema,
   ZRecipientActionAuthSchema,
   ZRecipientActionAuthTypesSchema,
@@ -164,6 +165,7 @@ export const ZCompleteDocumentWithTokenMutationSchema = z.object({
   token: z.string(),
   documentId: z.number(),
   authOptions: ZRecipientActionAuthSchema.optional(),
+  accessAuthOptions: ZRecipientAccessAuthSchema.optional(),
   nextSigner: z
     .object({
       email: z.string().email().max(254),