@dollhousemcp/mcp-server
DollhouseMCP - A Model Context Protocol (MCP) server that enables dynamic AI persona management from markdown files, allowing Claude and other compatible AI assistants to activate and switch between different behavioral personas.
/**
* TOTP (authenticator) enrollment HTTP routes — Phase 2 of #1780 (#1794).
*
* Provides:
* - GET /api/console/totp/status — enrollment state (no secrets)
* - POST /api/console/totp/enroll/begin — generate secret, return QR + otpauth URI
* - POST /api/console/totp/enroll/confirm — verify code, persist, return backup codes (once)
* - POST /api/console/totp/disable — verify code, clear enrollment
*
* Security model:
* - All endpoints require a valid existing console token. The caller must
* prove they already hold the token before they can enroll a second
* factor — otherwise an attacker with local port access could pre-enroll
* their own authenticator and lock the legitimate user out.
* - Enforcement happens via an always-on `createAuthMiddleware` instance
* mounted at the top of this router, independent of the global
* DOLLHOUSE_WEB_AUTH_ENABLED flag.
* - Backup codes are returned in plaintext exactly once (confirm response)
* and only their sha256 hashes are retained by the store.
 * - A sliding-window rate limit throttles confirm/disable attempts on a
 * per-IP basis so a bad actor with a live session can't brute-force a
 * TOTP window by flooding requests. The bucket key is the client address
 * as Express reports it, so a deployment behind a reverse proxy needs
 * `trust proxy` configured correctly: otherwise every caller shares the
 * proxy's address (one bucket for all), and if forwarded headers are
 * trusted blindly the key becomes attacker-controlled.
*
* @since v2.1.0 — Issue #1794
*/
import { Router } from 'express';
import { type ConsoleTokenStore } from '../console/consoleToken.js';
/**
 * Options for the TOTP routes factory.
 *
 * Only `store` is required; the two rate-limit knobs fall back to the
 * defaults documented on each field.
 */
export interface TotpRoutesOptions {
  /**
   * Console token store the router authenticates against and persists
   * enrollment into. Per the module header, confirmed enrollment and
   * the sha256 hashes of backup codes live here; plaintext backup codes
   * are never retained.
   */
  store: ConsoleTokenStore;
  /**
   * Maximum code-verification attempts per window. Default: 10.
   * Applies to the confirm and disable endpoints (module header), keyed
   * per client IP. NOTE(review): whether successful verifications count
   * toward the limit, or only failures, is not visible from this
   * declaration — confirm against the implementation before tuning.
   */
  rateLimitMax?: number;
  /**
   * Rate limit window in milliseconds. Default: 60_000 (1 minute).
   * Together with `rateLimitMax` this bounds how many TOTP guesses a
   * caller with a valid session can make per window.
   */
  rateLimitWindowMs?: number;
}
/**
 * Build the Express router exposing TOTP endpoints. The returned router
 * should be mounted at `/api/console/totp`; the caller does not need to
 * add additional auth middleware — this router enforces its own auth
 * regardless of the global feature flag.
 *
 * The paths listed in the module header are relative to the mount point;
 * mounting elsewhere changes the URLs but not the auth or rate-limit
 * behavior, because the `createAuthMiddleware` instance sits at the top
 * of the router itself.
 *
 * NOTE(review): the per-IP rate limit presumably keys on Express's view
 * of the client address — behind a reverse proxy, verify `trust proxy`
 * so the limit applies per real client rather than per proxy.
 *
 * @param options - Store to authenticate against and persist enrollment
 *   into, plus optional rate-limit overrides (see `TotpRoutesOptions`).
 * @returns An Express `Router` with the status/enroll/disable routes and
 *   its own always-on console-token auth middleware.
 */
export declare function createTotpRoutes(options: TotpRoutesOptions): Router;
//# sourceMappingURL=totpRoutes.d.ts.map