- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer - T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape 21 adapter tests pass, vet clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
package domain
import (
"context"
"errors"
)
// MFAProvider is the port through which KeyCape asks an external system
// whether a user needs MFA and whether a submitted MFA token is acceptable.
//
// KeyCape must NOT implement MFA logic itself; every MFA decision is
// delegated to an implementation of this interface.
type MFAProvider interface {
	// CheckMFARequired reports whether MFA is required for userID.
	//
	// When the returned error is non-nil the boolean carries no meaning;
	// callers should fail closed rather than read it as "MFA not required".
	CheckMFARequired(ctx context.Context, userID string) (bool, error)

	// ValidateMFAToken checks the OTP token presented for userID.
	//
	// It returns ErrMFAFailed when the token is invalid or expired. Callers
	// should treat every non-nil error, not only ErrMFAFailed, as a failed
	// validation. The token is a credential, so implementations and callers
	// should keep it out of logs and error messages.
	//
	// NOTE(review): this contract does not say which method reports
	// ErrMFANotEnrolled; confirm against the implementations.
	ValidateMFAToken(ctx context.Context, userID, token string) error
}
// Sentinel errors describing MFA outcomes. Compare against them with
// errors.Is so that a wrapped error still matches.
var (
	// ErrMFAFailed signals that the presented MFA token was invalid or
	// expired.
	ErrMFAFailed = errors.New("mfa validation failed")

	// ErrMFANotEnrolled signals that the user has no MFA enrollment.
	// NOTE(review): whether a user without enrollment may proceed is a
	// policy decision made outside this file; callers should not read this
	// error as a successful validation.
	ErrMFANotEnrolled = errors.New("user has no MFA enrollment")
)