feat: implement T11, T12 — Authelia adapter, privacyIDEA adapter
- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer - T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape 21 adapter tests pass, vet clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
23
src/internal/domain/mfa.go
Normal file
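--- a/src/internal/domain/mfa.go
+++ b/src/internal/domain/mfa.go
@@ -0,0 +1,23 @@
+package domain
+
+import (
+"context"
+"errors"
+)
+
+// MFAProvider checks MFA requirements and validates MFA tokens.
+// KeyCape must NOT implement MFA logic — it delegates entirely to this interface.
+type MFAProvider interface {
+// CheckMFARequired returns true if MFA is required for the given user.
+CheckMFARequired(ctx context.Context, userID string) (bool, error)
+
+// ValidateMFAToken validates the given OTP token for the user.
+// Returns ErrMFAFailed if the token is invalid or expired.
+ValidateMFAToken(ctx context.Context, userID, token string) error
+}
+
+// ErrMFAFailed is returned when the MFA token is invalid or expired.
+var ErrMFAFailed = errors.New("mfa validation failed")
+
+// ErrMFANotEnrolled is returned when the user has no MFA enrollment.
+var ErrMFANotEnrolled = errors.New("user has no MFA enrollment")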
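Review bot: The MFAProvider contract does not say which method returns ErrMFANotEnrolled, nor how a caller must treat a non-nil error from CheckMFARequired. For an MFA gate that gap matters, because an implementation or caller could read an unenrolled user or an unreachable backend as "not required" and skip the second factor. I would state the fail-closed rule on the interface itself, for example `// On a non-nil error the bool is meaningless; callers must deny the login, never treat it as "MFA not required".` above CheckMFARequired. Above ValidateMFAToken I would add `// Any non-nil error, not only ErrMFAFailed, means the token was not accepted; match sentinels with errors.Is.`, and the ErrMFANotEnrolled comment should name the method that returns it. The adapters implementing this interface are not visible in this section, so whether they already behave this way cannot be confirmed from here.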