@rebasepro/server-postgresql 0.2.3 → 0.2.5

package/src/auth/services.ts

@@ -1,11 +1,12 @@
 import { eq, getTableName, sql } from "drizzle-orm";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import { getTableConfig, PgTable, AnyPgColumn } from "drizzle-orm/pg-core";
-import { users, roles, userRoles, refreshTokens, passwordResetTokens, userIdentities } from "../schema/auth-schema";
+import { users, refreshTokens, passwordResetTokens, userIdentities } from "../schema/auth-schema";
 import {
     UserRepository,
     RoleRepository,
     TokenRepository,
+    MfaRepository,
     AuthRepository,
     UserData,
     CreateUserData,
@@ -16,6 +17,8 @@ import {
     UserIdentityData,
     ListUsersOptions,
     PaginatedUsersResult,
+    MfaFactor,
+    MfaChallengeInfo,
     RoleData as Role
 // @ts-ignore
 } from "@rebasepro/server-core";
@@ -25,8 +28,6 @@ export type { Role };
 
 export interface AuthSchemaTables {
     users: PgTable & Record<string, AnyPgColumn>;
-    roles: PgTable & Record<string, AnyPgColumn>;
-    userRoles: PgTable & Record<string, AnyPgColumn>;
     refreshTokens: PgTable & Record<string, AnyPgColumn>;
     passwordResetTokens: PgTable & Record<string, AnyPgColumn>;
     appConfig: PgTable & Record<string, AnyPgColumn>;
@@ -58,25 +59,19 @@ function getColumn(table: (PgTable & Record<string, AnyPgColumn>) | undefined, .
 export class UserService implements UserRepository {
     private usersTable: PgTable & Record<string, AnyPgColumn>;
     private userIdentitiesTable: PgTable & Record<string, AnyPgColumn>;
-    private userRolesTable: PgTable & Record<string, AnyPgColumn>;
-    private rolesTable: PgTable & Record<string, AnyPgColumn>;
 
     constructor(
         private db: NodePgDatabase,
         tableOrTables?: (PgTable & Record<string, AnyPgColumn>) | Partial<AuthSchemaTables>
     ) {
-        if (tableOrTables && ((tableOrTables as Partial<AuthSchemaTables>).users || (tableOrTables as Partial<AuthSchemaTables>).roles)) {
+        if (tableOrTables && ((tableOrTables as Partial<AuthSchemaTables>).users)) {
             const tables = tableOrTables as Partial<AuthSchemaTables>;
             this.usersTable = (tables.users || users) as unknown as PgTable & Record<string, AnyPgColumn>;
             this.userIdentitiesTable = (tables.userIdentities || userIdentities) as unknown as PgTable & Record<string, AnyPgColumn>;
-            this.userRolesTable = (tables.userRoles || userRoles) as unknown as PgTable & Record<string, AnyPgColumn>;
-            this.rolesTable = (tables.roles || roles) as unknown as PgTable & Record<string, AnyPgColumn>;
         } else {
             const table = tableOrTables as (PgTable & Record<string, AnyPgColumn>) | undefined;
             this.usersTable = table || (users as unknown as PgTable & Record<string, AnyPgColumn>);
             this.userIdentitiesTable = userIdentities as unknown as PgTable & Record<string, AnyPgColumn>;
-            this.userRolesTable = userRoles as unknown as PgTable & Record<string, AnyPgColumn>;
-            this.rolesTable = roles as unknown as PgTable & Record<string, AnyPgColumn>;
         }
     }
 
@@ -97,6 +92,7 @@ export class UserService implements UserRepository {
         const emailVerified = (row.email_verified ?? row.emailVerified ?? false) as boolean;
         const emailVerificationToken = (row.email_verification_token ?? row.emailVerificationToken ?? null) as string | null | undefined;
         const emailVerificationSentAt = (row.email_verification_sent_at ?? row.emailVerificationSentAt ?? null) as string | number | Date | null;
+        const isAnonymous = (row.is_anonymous ?? row.isAnonymous ?? false) as boolean;
         const createdAt = (row.created_at ?? row.createdAt) as string | number | Date | undefined;
         const updatedAt = (row.updated_at ?? row.updatedAt) as string | number | Date | undefined;
 
@@ -110,6 +106,8 @@ export class UserService implements UserRepository {
             "email_verified", "emailVerified",
             "email_verification_token", "emailVerificationToken",
             "email_verification_sent_at", "emailVerificationSentAt",
+            "is_anonymous", "isAnonymous",
+            "roles",
             "created_at", "createdAt",
             "updated_at", "updatedAt",
             "metadata"
@@ -131,6 +129,7 @@ export class UserService implements UserRepository {
             emailVerified,
             emailVerificationToken,
             emailVerificationSentAt: emailVerificationSentAt ? new Date(emailVerificationSentAt) : null,
+            isAnonymous,
             createdAt: createdAt ? new Date(createdAt) : new Date(),
             updatedAt: updatedAt ? new Date(updatedAt) : new Date(),
             metadata
@@ -150,6 +149,7 @@ export class UserService implements UserRepository {
         const emailVerifiedKey = getColumnKey(this.usersTable, "emailVerified", "email_verified") || "emailVerified";
         const emailVerificationTokenKey = getColumnKey(this.usersTable, "emailVerificationToken", "email_verification_token") || "emailVerificationToken";
         const emailVerificationSentAtKey = getColumnKey(this.usersTable, "emailVerificationSentAt", "email_verification_sent_at") || "emailVerificationSentAt";
+        const isAnonymousKey = getColumnKey(this.usersTable, "isAnonymous", "is_anonymous") || "isAnonymous";
         const createdAtKey = getColumnKey(this.usersTable, "createdAt", "created_at") || "createdAt";
         const updatedAtKey = getColumnKey(this.usersTable, "updatedAt", "updated_at") || "updatedAt";
         const metadataKey = getColumnKey(this.usersTable, "metadata") || "metadata";
@@ -162,6 +162,7 @@ export class UserService implements UserRepository {
         if ("emailVerified" in data) payload[emailVerifiedKey] = data.emailVerified;
         if ("emailVerificationToken" in data) payload[emailVerificationTokenKey] = data.emailVerificationToken;
         if ("emailVerificationSentAt" in data) payload[emailVerificationSentAtKey] = data.emailVerificationSentAt;
+        if ("isAnonymous" in data) payload[isAnonymousKey] = data.isAnonymous;
         if ("createdAt" in data) payload[createdAtKey] = data.createdAt;
         if ("updatedAt" in data) payload[updatedAtKey] = data.updatedAt;
 
@@ -179,6 +180,7 @@ export class UserService implements UserRepository {
                 tableColKey !== emailVerifiedKey && 
                 tableColKey !== emailVerificationTokenKey && 
                 tableColKey !== emailVerificationSentAtKey && 
+                tableColKey !== isAnonymousKey &&
                 tableColKey !== createdAtKey && 
                 tableColKey !== updatedAtKey && 
                 tableColKey !== metadataKey) {
@@ -306,11 +308,9 @@ export class UserService implements UserRepository {
         const idColumn = idCol ? idCol.name : "id";
 
         const usersTableName = this.getQualifiedUsersTableName();
-        const rolesSchema = getTableConfig(this.userRolesTable).schema || "public";
-
         const conditions = [];
         if (roleId) {
-            conditions.push(sql`EXISTS (SELECT 1 FROM ${sql.raw(`"${rolesSchema}"."user_roles"`)} ur WHERE ur.user_id = ${sql.raw(usersTableName)}.${sql.raw(idColumn)} AND ur.role_id = ${roleId})`);
+            conditions.push(sql`${roleId} = ANY(${sql.raw(usersTableName)}.roles)`);
         }
         if (search) {
             const pattern = `%${search}%`;
@@ -322,7 +322,7 @@ export class UserService implements UserRepository {
         // Sorting: users with roles first if no role filter, then by requested order
         const orderByClause = roleId
             ? sql`ORDER BY ${sql.raw(usersTableName)}.${sql.raw(orderColumn)} ${direction}`
-            : sql`ORDER BY (SELECT count(*) FROM ${sql.raw(`"${rolesSchema}"."user_roles"`)} ur WHERE ur.user_id = ${sql.raw(usersTableName)}.${sql.raw(idColumn)}) DESC, ${sql.raw(usersTableName)}.${sql.raw(orderColumn)} ${direction}`;
+            : sql`ORDER BY array_length(${sql.raw(usersTableName)}.roles, 1) DESC NULLS LAST, ${sql.raw(usersTableName)}.${sql.raw(orderColumn)} ${direction}`;
 
         const countResult = await this.db.execute(sql`
             SELECT count(*)::int as total FROM ${sql.raw(usersTableName)}
@@ -419,24 +419,25 @@ export class UserService implements UserRepository {
     }
 
     /**
-     * Get roles for a user from database
+     * Get roles for a user from database (inline TEXT[] column)
      */
     async getUserRoles(userId: string): Promise<Role[]> {
-        const rolesSchema = getTableConfig(this.rolesTable).schema || "public";
+        const usersTableName = this.getQualifiedUsersTableName();
         const result = await this.db.execute(sql`
-            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions, r.config
-            FROM ${sql.raw(`"${rolesSchema}"."roles"`)} r
-            INNER JOIN ${sql.raw(`"${rolesSchema}"."user_roles"`)} ur ON r.id = ur.role_id
-            WHERE ur.user_id = ${userId}
+            SELECT roles FROM ${sql.raw(usersTableName)} WHERE id = ${userId}
         `);
 
-        return (result.rows as Array<{ id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null }>).map(row => ({
-            id: row.id,
-            name: row.name,
-            isAdmin: row.is_admin,
-            defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
+        if (result.rows.length === 0) return [];
+
+        const row = result.rows[0] as { roles: string[] | null };
+        const roleIds = row.roles ?? [];
+
+        return roleIds.map(id => ({
+            id,
+            name: id,
+            isAdmin: id === "admin",
+            defaultPermissions: null,
+            collectionPermissions: null
         }));
     }
 
@@ -444,37 +445,39 @@ export class UserService implements UserRepository {
      * Get role IDs for a user
      */
     async getUserRoleIds(userId: string): Promise<string[]> {
-        const roles = await this.getUserRoles(userId);
-        return roles.map(r => r.id);
+        const usersTableName = this.getQualifiedUsersTableName();
+        const result = await this.db.execute(sql`
+            SELECT roles FROM ${sql.raw(usersTableName)} WHERE id = ${userId}
+        `);
+
+        if (result.rows.length === 0) return [];
+
+        const row = result.rows[0] as { roles: string[] | null };
+        return row.roles ?? [];
     }
 
     /**
-     * Set roles for a user
+     * Set roles for a user (replaces existing roles)
      */
     async setUserRoles(userId: string, roleIds: string[]): Promise<void> {
-        const rolesSchema = getTableConfig(this.userRolesTable).schema || "public";
-        // Delete existing roles
-        await this.db.execute(sql`DELETE FROM ${sql.raw(`"${rolesSchema}"."user_roles"`)} WHERE user_id = ${userId}`);
-
-        // Insert new roles
-        for (const roleId of roleIds) {
-            await this.db.execute(sql`
-                INSERT INTO ${sql.raw(`"${rolesSchema}"."user_roles"`)} (user_id, role_id)
-                VALUES (${userId}, ${roleId})
-                ON CONFLICT DO NOTHING
-            `);
-        }
+        const usersTableName = this.getQualifiedUsersTableName();
+        const rolesArray = `{${roleIds.join(",")}}`;
+        await this.db.execute(sql`
+            UPDATE ${sql.raw(usersTableName)}
+            SET roles = ${rolesArray}::text[], updated_at = NOW()
+            WHERE id = ${userId}
+        `);
     }
 
     /**
-     * Assign a specific role to new user
+     * Assign a specific role to new user (appends if not present)
      */
     async assignDefaultRole(userId: string, roleId: string): Promise<void> {
-        const rolesSchema = getTableConfig(this.userRolesTable).schema || "public";
+        const usersTableName = this.getQualifiedUsersTableName();
         await this.db.execute(sql`
-            INSERT INTO ${sql.raw(`"${rolesSchema}"."user_roles"`)} (user_id, role_id)
-            VALUES (${userId}, ${roleId})
-            ON CONFLICT DO NOTHING
+            UPDATE ${sql.raw(usersTableName)}
+            SET roles = array_append(roles, ${roleId}), updated_at = NOW()
+            WHERE id = ${userId} AND NOT (${roleId} = ANY(roles))
         `);
     }
 
@@ -491,119 +494,7 @@ export class UserService implements UserRepository {
     }
 }
 
-/**
- * PostgreSQL implementation of RoleRepository.
- * Handles all role-related database operations using Drizzle ORM.
- */
-export class RoleService implements RoleRepository {
-    private rolesTable: PgTable & Record<string, AnyPgColumn>;
 
-    constructor(
-        private db: NodePgDatabase,
-        tableOrTables?: (PgTable & Record<string, AnyPgColumn>) | Partial<AuthSchemaTables>
-    ) {
-        if (tableOrTables && ((tableOrTables as Partial<AuthSchemaTables>).roles || (tableOrTables as Partial<AuthSchemaTables>).users)) {
-            this.rolesTable = ((tableOrTables as Partial<AuthSchemaTables>).roles || roles) as unknown as PgTable & Record<string, AnyPgColumn>;
-        } else {
-            this.rolesTable = (tableOrTables as unknown as PgTable & Record<string, AnyPgColumn>) || (roles as unknown as PgTable & Record<string, AnyPgColumn>);
-        }
-    }
-
-    private getQualifiedRolesTableName(): string {
-        const name = getTableName(this.rolesTable);
-        const schema = getTableConfig(this.rolesTable).schema || "public";
-        return `"${schema}"."${name}"`;
-    }
-
-    async getRoleById(id: string): Promise<Role | null> {
-        const tableName = this.getQualifiedRolesTableName();
-        const result = await this.db.execute(sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
-            FROM ${sql.raw(tableName)}
-            WHERE id = ${id}
-        `);
-
-        if (result.rows.length === 0) return null;
-
-        const row = result.rows[0] as { id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null };
-        return {
-            id: row.id,
-            name: row.name,
-            isAdmin: row.is_admin,
-            defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
-        };
-    }
-
-    async listRoles(): Promise<Role[]> {
-        const tableName = this.getQualifiedRolesTableName();
-        const result = await this.db.execute(sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
-            FROM ${sql.raw(tableName)}
-            ORDER BY name
-        `);
-
-        return (result.rows as Array<{ id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null }>).map(row => ({
-            id: row.id,
-            name: row.name,
-            isAdmin: row.is_admin,
-            defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
-        }));
-    }
-
-    async createRole(data: Omit<Role, "isAdmin" | "collectionPermissions"> & { isAdmin?: boolean; collectionPermissions?: Role["collectionPermissions"] }): Promise<Role> {
-        const tableName = this.getQualifiedRolesTableName();
-        const result = await this.db.execute(sql`
-            INSERT INTO ${sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions, config)
-            VALUES (
-                ${data.id},
-                ${data.name},
-                ${data.isAdmin ?? false},
-                ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : null}::jsonb,
-                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb,
-                ${data.config ? JSON.stringify(data.config) : null}::jsonb
-            )
-            RETURNING id, name, is_admin, default_permissions, collection_permissions, config
-        `);
-
-        const row = result.rows[0] as { id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null };
-        return {
-            id: row.id,
-            name: row.name,
-            isAdmin: row.is_admin,
-            defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
-        };
-    }
-
-    async updateRole(id: string, data: Partial<Omit<Role, "id">>): Promise<Role | null> {
-        const existing = await this.getRoleById(id);
-        if (!existing) return null;
-
-        const tableName = this.getQualifiedRolesTableName();
-        await this.db.execute(sql`
-            UPDATE ${sql.raw(tableName)}
-            SET 
-                name = ${data.name ?? existing.name},
-                is_admin = ${data.isAdmin ?? existing.isAdmin},
-                default_permissions = ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : JSON.stringify(existing.defaultPermissions)}::jsonb,
-                collection_permissions = ${data.collectionPermissions !== undefined ? (data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null) : (existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null)}::jsonb,
-                config = ${data.config ? JSON.stringify(data.config) : (existing.config ? JSON.stringify(existing.config) : null)}::jsonb
-            WHERE id = ${id}
-        `);
-
-        return this.getRoleById(id);
-    }
-
-    async deleteRole(id: string): Promise<void> {
-        const tableName = this.getQualifiedRolesTableName();
-        await this.db.execute(sql`DELETE FROM ${sql.raw(tableName)} WHERE id = ${id}`);
-    }
-}
 
 export class RefreshTokenService {
     private refreshTokensTable: PgTable & Record<string, AnyPgColumn>;
@@ -875,7 +766,6 @@ export class PostgresTokenRepository implements TokenRepository {
  */
 export class PostgresAuthRepository implements AuthRepository {
     private userService: UserService;
-    private roleService: RoleService;
     private tokenRepository: PostgresTokenRepository;
 
     constructor(
@@ -883,7 +773,6 @@ export class PostgresAuthRepository implements AuthRepository {
         tableOrTables?: (PgTable & Record<string, AnyPgColumn>) | Partial<AuthSchemaTables>
     ) {
         this.userService = new UserService(db, tableOrTables);
-        this.roleService = new RoleService(db, tableOrTables);
         this.tokenRepository = new PostgresTokenRepository(db, tableOrTables);
     }
 
@@ -965,31 +854,48 @@ export class PostgresAuthRepository implements AuthRepository {
         return this.userService.getUserWithRoles(userId);
     }
 
-    // Role operations (delegate to RoleService)
+    // Role operations (roles are inline on users, synthesized from string IDs)
 
     async getRoleById(id: string): Promise<RoleData | null> {
-        return this.roleService.getRoleById(id);
+        return {
+            id,
+            name: id,
+            isAdmin: id === "admin",
+            defaultPermissions: null,
+            collectionPermissions: null
+        };
     }
 
     async listRoles(): Promise<RoleData[]> {
-        return this.roleService.listRoles();
+        return [
+            { id: "admin", name: "Admin", isAdmin: true, defaultPermissions: null, collectionPermissions: null },
+            { id: "editor", name: "Editor", isAdmin: false, defaultPermissions: null, collectionPermissions: null },
+            { id: "viewer", name: "Viewer", isAdmin: false, defaultPermissions: null, collectionPermissions: null }
+        ];
     }
 
-    async createRole(data: CreateRoleData): Promise<RoleData> {
-        return this.roleService.createRole({
-            ...data,
-            defaultPermissions: data.defaultPermissions ?? null,
-            collectionPermissions: data.collectionPermissions ?? null,
-            config: data.config ?? null
-        });
+    async createRole(_data: CreateRoleData): Promise<RoleData> {
+        return {
+            id: _data.id,
+            name: _data.name,
+            isAdmin: _data.isAdmin ?? false,
+            defaultPermissions: _data.defaultPermissions ?? null,
+            collectionPermissions: _data.collectionPermissions ?? null
+        };
     }
 
     async updateRole(id: string, data: Partial<Omit<RoleData, "id">>): Promise<RoleData | null> {
-        return this.roleService.updateRole(id, data);
+        return {
+            id,
+            name: data.name ?? id,
+            isAdmin: data.isAdmin ?? (id === "admin"),
+            defaultPermissions: data.defaultPermissions ?? null,
+            collectionPermissions: data.collectionPermissions ?? null
+        };
     }
 
-    async deleteRole(id: string): Promise<void> {
-        await this.roleService.deleteRole(id);
+    async deleteRole(_id: string): Promise<void> {
+        // No-op: roles are inline strings on users
     }
 
     // Token operations (delegate to PostgresTokenRepository)
@@ -1037,6 +943,273 @@ export class PostgresAuthRepository implements AuthRepository {
     async deleteExpiredTokens(): Promise<void> {
         await this.tokenRepository.deleteExpiredTokens();
     }
+
+    // MFA operations (delegate to MfaService)
+
+    private _mfaService: MfaService | null = null;
+    private getMfaService(): MfaService {
+        if (!this._mfaService) {
+            this._mfaService = new MfaService(this.db);
+        }
+        return this._mfaService;
+    }
+
+    async createMfaFactor(userId: string, factorType: "totp", secretEncrypted: string, friendlyName?: string): Promise<MfaFactor> {
+        return this.getMfaService().createMfaFactor(userId, factorType, secretEncrypted, friendlyName);
+    }
+
+    async getMfaFactors(userId: string): Promise<MfaFactor[]> {
+        return this.getMfaService().getMfaFactors(userId);
+    }
+
+    async getMfaFactorById(factorId: string): Promise<(MfaFactor & { secretEncrypted: string }) | null> {
+        return this.getMfaService().getMfaFactorById(factorId);
+    }
+
+    async verifyMfaFactor(factorId: string): Promise<void> {
+        return this.getMfaService().verifyMfaFactor(factorId);
+    }
+
+    async deleteMfaFactor(factorId: string, userId: string): Promise<void> {
+        return this.getMfaService().deleteMfaFactor(factorId, userId);
+    }
+
+    async createMfaChallenge(factorId: string, ipAddress?: string): Promise<MfaChallengeInfo> {
+        return this.getMfaService().createMfaChallenge(factorId, ipAddress);
+    }
+
+    async getMfaChallengeById(challengeId: string): Promise<MfaChallengeInfo | null> {
+        return this.getMfaService().getMfaChallengeById(challengeId);
+    }
+
+    async verifyMfaChallenge(challengeId: string): Promise<void> {
+        return this.getMfaService().verifyMfaChallenge(challengeId);
+    }
+
+    async createRecoveryCodes(userId: string, codeHashes: string[]): Promise<void> {
+        return this.getMfaService().createRecoveryCodes(userId, codeHashes);
+    }
+
+    async useRecoveryCode(userId: string, codeHash: string): Promise<boolean> {
+        return this.getMfaService().useRecoveryCode(userId, codeHash);
+    }
+
+    async getUnusedRecoveryCodeCount(userId: string): Promise<number> {
+        return this.getMfaService().getUnusedRecoveryCodeCount(userId);
+    }
+
+    async deleteAllRecoveryCodes(userId: string): Promise<void> {
+        return this.getMfaService().deleteAllRecoveryCodes(userId);
+    }
+
+    async hasVerifiedMfaFactors(userId: string): Promise<boolean> {
+        return this.getMfaService().hasVerifiedMfaFactors(userId);
+    }
+}
+
+// =============================================================================
+// MFA SERVICE
+// =============================================================================
+
+/**
+ * PostgreSQL implementation of MfaRepository.
+ * Handles all MFA-related database operations.
+ */
+export class MfaService implements MfaRepository {
+    constructor(private db: NodePgDatabase, private schemaName: string = "rebase") {}
+
+    private qualify(tableName: string): string {
+        return `"${this.schemaName}"."${tableName}"`;
+    }
+
+    async createMfaFactor(
+        userId: string,
+        factorType: "totp",
+        secretEncrypted: string,
+        friendlyName?: string
+    ): Promise<MfaFactor> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            INSERT INTO ${sql.raw(tableName)} (user_id, factor_type, secret_encrypted, friendly_name)
+            VALUES (${userId}, ${factorType}, ${secretEncrypted}, ${friendlyName ?? null})
+            RETURNING id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+        `);
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            userId: row.user_id as string,
+            factorType: row.factor_type as "totp",
+            friendlyName: (row.friendly_name as string | null) ?? undefined,
+            verified: row.verified as boolean,
+            createdAt: new Date(row.created_at as string),
+            updatedAt: new Date(row.updated_at as string)
+        };
+    }
+
+    async getMfaFactors(userId: string): Promise<MfaFactor[]> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            SELECT id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+            FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId}
+            ORDER BY created_at
+        `);
+
+        return (result.rows as Array<Record<string, unknown>>).map(row => ({
+            id: row.id as string,
+            userId: row.user_id as string,
+            factorType: row.factor_type as "totp",
+            friendlyName: (row.friendly_name as string | null) ?? undefined,
+            verified: row.verified as boolean,
+            createdAt: new Date(row.created_at as string),
+            updatedAt: new Date(row.updated_at as string)
+        }));
+    }
+
+    async getMfaFactorById(factorId: string): Promise<(MfaFactor & { secretEncrypted: string }) | null> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            SELECT id, user_id, factor_type, secret_encrypted, friendly_name, verified, created_at, updated_at
+            FROM ${sql.raw(tableName)}
+            WHERE id = ${factorId}
+        `);
+
+        if (result.rows.length === 0) return null;
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            userId: row.user_id as string,
+            factorType: row.factor_type as "totp",
+            secretEncrypted: row.secret_encrypted as string,
+            friendlyName: (row.friendly_name as string | null) ?? undefined,
+            verified: row.verified as boolean,
+            createdAt: new Date(row.created_at as string),
+            updatedAt: new Date(row.updated_at as string)
+        };
+    }
+
+    async verifyMfaFactor(factorId: string): Promise<void> {
+        const tableName = this.qualify("mfa_factors");
+        await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET verified = TRUE, updated_at = NOW()
+            WHERE id = ${factorId}
+        `);
+    }
+
+    async deleteMfaFactor(factorId: string, userId: string): Promise<void> {
+        const tableName = this.qualify("mfa_factors");
+        await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)}
+            WHERE id = ${factorId} AND user_id = ${userId}
+        `);
+    }
+
+    async createMfaChallenge(factorId: string, ipAddress?: string): Promise<MfaChallengeInfo> {
+        const tableName = this.qualify("mfa_challenges");
+        // Challenges expire in 5 minutes
+        const expiresAt = new Date(Date.now() + 5 * 60 * 1000);
+        const result = await this.db.execute(sql`
+            INSERT INTO ${sql.raw(tableName)} (factor_id, ip_address, expires_at)
+            VALUES (${factorId}, ${ipAddress ?? null}, ${expiresAt})
+            RETURNING id, factor_id, created_at, verified_at, ip_address
+        `);
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            factorId: row.factor_id as string,
+            createdAt: new Date(row.created_at as string),
+            verifiedAt: row.verified_at ? new Date(row.verified_at as string) : undefined,
+            ipAddress: (row.ip_address as string | null) ?? undefined
+        };
+    }
+
+    async getMfaChallengeById(challengeId: string): Promise<MfaChallengeInfo | null> {
+        const tableName = this.qualify("mfa_challenges");
+        const result = await this.db.execute(sql`
+            SELECT id, factor_id, created_at, verified_at, ip_address, expires_at
+            FROM ${sql.raw(tableName)}
+            WHERE id = ${challengeId} AND expires_at > NOW() AND verified_at IS NULL
+        `);
+
+        if (result.rows.length === 0) return null;
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            factorId: row.factor_id as string,
+            createdAt: new Date(row.created_at as string),
+            verifiedAt: row.verified_at ? new Date(row.verified_at as string) : undefined,
+            ipAddress: (row.ip_address as string | null) ?? undefined
+        };
+    }
+
+    async verifyMfaChallenge(challengeId: string): Promise<void> {
+        const tableName = this.qualify("mfa_challenges");
+        await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET verified_at = NOW()
+            WHERE id = ${challengeId}
+        `);
+    }
+
+    async createRecoveryCodes(userId: string, codeHashes: string[]): Promise<void> {
+        const tableName = this.qualify("recovery_codes");
+        // Delete existing codes first
+        await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+
+        // Insert new codes
+        for (const hash of codeHashes) {
+            await this.db.execute(sql`
+                INSERT INTO ${sql.raw(tableName)} (user_id, code_hash)
+                VALUES (${userId}, ${hash})
+            `);
+        }
+    }
+
+    async useRecoveryCode(userId: string, codeHash: string): Promise<boolean> {
+        const tableName = this.qualify("recovery_codes");
+        const result = await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET used_at = NOW()
+            WHERE user_id = ${userId} AND code_hash = ${codeHash} AND used_at IS NULL
+            RETURNING id
+        `);
+
+        return result.rows.length > 0;
+    }
+
+    async getUnusedRecoveryCodeCount(userId: string): Promise<number> {
+        const tableName = this.qualify("recovery_codes");
+        const result = await this.db.execute(sql`
+            SELECT COUNT(*)::int as count FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId} AND used_at IS NULL
+        `);
+
+        return (result.rows[0] as { count: number }).count;
+    }
+
+    async deleteAllRecoveryCodes(userId: string): Promise<void> {
+        const tableName = this.qualify("recovery_codes");
+        await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+    }
+
+    async hasVerifiedMfaFactors(userId: string): Promise<boolean> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            SELECT COUNT(*)::int as count FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId} AND verified = TRUE
+        `);
+
+        return (result.rows[0] as { count: number }).count > 0;
+    }
 }
 
 // =============================================================================
@@ -1045,6 +1218,3 @@ export class PostgresAuthRepository implements AuthRepository {
 
 /** PostgreSQL user repository implementation */
 export type PostgresUserRepository = UserService;
-
-/** PostgreSQL role repository implementation */
-export type PostgresRoleRepository = RoleService;