key-cape/src/internal/domain/mfa.go
tegwick d05c73dc19 feat: implement T11, T12 — Authelia adapter, privacyIDEA adapter
- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer
- T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape

21 adapter tests pass, vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:50:31 +01:00


package domain
import (
"context"
"errors"
)
// MFAProvider is the port through which KeyCape asks an external system
// whether a user must complete MFA and whether a submitted token is valid.
// KeyCape must NOT implement MFA logic itself; every decision is delegated to
// the implementation behind this interface.
//
// NOTE(review): the contract does not state what a caller should do when the
// provider cannot be reached. Callers should treat any non-nil error from
// either method as "MFA not satisfied" instead of skipping the check, so that
// a provider outage cannot turn into an MFA bypass. Confirm at the call sites.
type MFAProvider interface {
	// CheckMFARequired reports whether MFA is required for userID.
	// By Go convention the boolean should be ignored when the error is
	// non-nil; a false result is only meaningful alongside a nil error.
	CheckMFARequired(ctx context.Context, userID string) (bool, error)

	// ValidateMFAToken validates the OTP token submitted for userID.
	// It returns ErrMFAFailed if the token is invalid or expired. Compare
	// with errors.Is, since an implementation may wrap the sentinel.
	// The token is a credential: keep it out of logs and error messages.
	//
	// NOTE(review): nothing here says which method reports
	// ErrMFANotEnrolled, nor how repeated failures are throttled; presumably
	// both are left to the provider. Verify against the adapters.
	ValidateMFAToken(ctx context.Context, userID string, token string) error
}
// Sentinel errors for MFA outcomes. Match them with errors.Is.
//
// NOTE(review): the two sentinels separate "wrong token" from "no enrollment".
// Surfacing that difference to an unauthenticated client would disclose a
// user's enrollment state; callers may want to give the same external response
// for both and keep the distinction in server-side logs. Confirm at the call
// sites.
var (
	// ErrMFAFailed is returned when the MFA token is invalid or expired.
	ErrMFAFailed = errors.New("mfa validation failed")

	// ErrMFANotEnrolled is returned when the user has no MFA enrollment.
	ErrMFANotEnrolled = errors.New("user has no MFA enrollment")
)