@rebasepro/server-postgresql 0.2.3 → 0.3.0

package/src/auth/ensure-tables.ts

@@ -3,6 +3,7 @@ import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import { getTableConfig, AnyPgColumn, PgTable } from "drizzle-orm/pg-core";
 import { getColumnMeta } from "../services/entity-helpers";
 import { PostgresCollectionRegistry } from "../collections/PostgresCollectionRegistry";
+import { logger } from "@rebasepro/server-core";
 
 /**
  * Default roles to seed on first run
@@ -12,22 +13,19 @@ const DEFAULT_ROLES = [
         id: "admin",
         name: "Admin",
         is_admin: true,
-        default_permissions: { read: true, create: true, edit: true, delete: true },
-        config: { createCollections: true, editCollections: "all", deleteCollections: "all" }
+        default_permissions: { read: true, create: true, edit: true, delete: true }
     },
     {
         id: "editor",
         name: "Editor",
         is_admin: false,
-        default_permissions: { read: true, create: true, edit: true, delete: true },
-        config: { createCollections: true, editCollections: "own", deleteCollections: "own" }
+        default_permissions: { read: true, create: true, edit: true, delete: true }
     },
     {
         id: "viewer",
         name: "Viewer",
         is_admin: false,
-        default_permissions: { read: true, create: false, edit: false, delete: false },
-        config: null
+        default_permissions: { read: true, create: false, edit: false, delete: false }
     }
 ];
 
@@ -36,7 +34,7 @@ const DEFAULT_ROLES = [
  * This runs on startup to ensure the database is ready for auth
  */
 export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: PostgresCollectionRegistry): Promise<void> {
-    console.log("🔍 Checking auth tables...");
+    logger.info("🔍 Checking auth tables...");
 
     try {
         // Resolve dynamic user table name and ID type
@@ -123,7 +121,6 @@ export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: Postg
                 is_admin BOOLEAN DEFAULT FALSE,
                 default_permissions JSONB,
                 collection_permissions JSONB,
-                config JSONB,
                 created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
             )
         `);
@@ -234,10 +231,76 @@ export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: Postg
         // Seed default roles if none exist
         await seedDefaultRoles(db, rolesTableName);
 
-        console.log("✅ Auth tables ready");
+        // ── Migration: Add is_anonymous column (safe for existing tables) ────
+        await db.execute(sql`
+            ALTER TABLE ${sql.raw(usersTableName)}
+            ADD COLUMN IF NOT EXISTS is_anonymous BOOLEAN DEFAULT FALSE
+        `);
+
+        // ── MFA tables ──────────────────────────────────────────────────────
+        const mfaFactorsTableName = `"${rolesSchema}"."mfa_factors"`;
+        const mfaChallengesTableName = `"${rolesSchema}"."mfa_challenges"`;
+        const recoveryCodesTableName = `"${rolesSchema}"."recovery_codes"`;
+
+        // Create mfa_factors table
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(mfaFactorsTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                factor_type TEXT NOT NULL DEFAULT 'totp',
+                secret_encrypted TEXT NOT NULL,
+                friendly_name TEXT,
+                verified BOOLEAN DEFAULT FALSE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+
+        // Create indexes on mfa_factors
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_factors_user
+            ON ${sql.raw(mfaFactorsTableName)}(user_id)
+        `);
+
+        // Create mfa_challenges table
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(mfaChallengesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                factor_id TEXT NOT NULL REFERENCES ${sql.raw(mfaFactorsTableName)}(id) ON DELETE CASCADE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                verified_at TIMESTAMP WITH TIME ZONE,
+                ip_address TEXT,
+                expires_at TIMESTAMP WITH TIME ZONE NOT NULL
+            )
+        `);
+
+        // Create indexes on mfa_challenges
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_challenges_factor
+            ON ${sql.raw(mfaChallengesTableName)}(factor_id)
+        `);
+
+        // Create recovery_codes table
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(recoveryCodesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                code_hash TEXT NOT NULL,
+                used_at TIMESTAMP WITH TIME ZONE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+
+        // Create indexes on recovery_codes
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_recovery_codes_user
+            ON ${sql.raw(recoveryCodesTableName)}(user_id)
+        `);
+
+        logger.info("✅ Auth tables ready");
     } catch (error) {
-        console.error("❌ Failed to create auth tables:", error);
-        console.warn("⚠️ Continuing without creating auth tables.");
+        logger.error("❌ Failed to create auth tables", { error });
+        logger.warn("⚠️ Continuing without creating auth tables.");
     }
 }
 
@@ -250,25 +313,24 @@ async function seedDefaultRoles(db: NodePgDatabase, rolesTableName: string): Pro
     const count = parseInt((result.rows[0] as Record<string, string | number>)?.count as string || "0", 10);
 
     if (count > 0) {
-        console.log(`📋 Found ${count} existing roles`);
+        logger.info(`📋 Found ${count} existing roles`);
         return;
     }
 
-    console.log("🌱 Seeding default roles...");
+    logger.info("🌱 Seeding default roles...");
 
     for (const role of DEFAULT_ROLES) {
         await db.execute(sql`
-            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions, config)
+            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions)
             VALUES (
                 ${role.id}, 
                 ${role.name}, 
                 ${role.is_admin}, 
-                ${JSON.stringify(role.default_permissions)}::jsonb, 
-                ${role.config ? JSON.stringify(role.config) : null}::jsonb
+                ${JSON.stringify(role.default_permissions)}::jsonb
             )
             ON CONFLICT (id) DO NOTHING
         `);
     }
 
-    console.log("✅ Default roles created: admin, editor, viewer");
+    logger.info("✅ Default roles created: admin, editor, viewer");
 }

package/src/auth/services.ts

@@ -6,6 +6,7 @@ import {
     UserRepository,
     RoleRepository,
     TokenRepository,
+    MfaRepository,
     AuthRepository,
     UserData,
     CreateUserData,
@@ -16,6 +17,8 @@ import {
     UserIdentityData,
     ListUsersOptions,
     PaginatedUsersResult,
+    MfaFactor,
+    MfaChallengeInfo,
     RoleData as Role
 // @ts-ignore
 } from "@rebasepro/server-core";
@@ -97,6 +100,7 @@ export class UserService implements UserRepository {
         const emailVerified = (row.email_verified ?? row.emailVerified ?? false) as boolean;
         const emailVerificationToken = (row.email_verification_token ?? row.emailVerificationToken ?? null) as string | null | undefined;
         const emailVerificationSentAt = (row.email_verification_sent_at ?? row.emailVerificationSentAt ?? null) as string | number | Date | null;
+        const isAnonymous = (row.is_anonymous ?? row.isAnonymous ?? false) as boolean;
         const createdAt = (row.created_at ?? row.createdAt) as string | number | Date | undefined;
         const updatedAt = (row.updated_at ?? row.updatedAt) as string | number | Date | undefined;
 
@@ -110,6 +114,7 @@ export class UserService implements UserRepository {
             "email_verified", "emailVerified",
             "email_verification_token", "emailVerificationToken",
             "email_verification_sent_at", "emailVerificationSentAt",
+            "is_anonymous", "isAnonymous",
             "created_at", "createdAt",
             "updated_at", "updatedAt",
             "metadata"
@@ -131,6 +136,7 @@ export class UserService implements UserRepository {
             emailVerified,
             emailVerificationToken,
             emailVerificationSentAt: emailVerificationSentAt ? new Date(emailVerificationSentAt) : null,
+            isAnonymous,
             createdAt: createdAt ? new Date(createdAt) : new Date(),
             updatedAt: updatedAt ? new Date(updatedAt) : new Date(),
             metadata
@@ -150,6 +156,7 @@ export class UserService implements UserRepository {
         const emailVerifiedKey = getColumnKey(this.usersTable, "emailVerified", "email_verified") || "emailVerified";
         const emailVerificationTokenKey = getColumnKey(this.usersTable, "emailVerificationToken", "email_verification_token") || "emailVerificationToken";
         const emailVerificationSentAtKey = getColumnKey(this.usersTable, "emailVerificationSentAt", "email_verification_sent_at") || "emailVerificationSentAt";
+        const isAnonymousKey = getColumnKey(this.usersTable, "isAnonymous", "is_anonymous") || "isAnonymous";
         const createdAtKey = getColumnKey(this.usersTable, "createdAt", "created_at") || "createdAt";
         const updatedAtKey = getColumnKey(this.usersTable, "updatedAt", "updated_at") || "updatedAt";
         const metadataKey = getColumnKey(this.usersTable, "metadata") || "metadata";
@@ -162,6 +169,7 @@ export class UserService implements UserRepository {
         if ("emailVerified" in data) payload[emailVerifiedKey] = data.emailVerified;
         if ("emailVerificationToken" in data) payload[emailVerificationTokenKey] = data.emailVerificationToken;
         if ("emailVerificationSentAt" in data) payload[emailVerificationSentAtKey] = data.emailVerificationSentAt;
+        if ("isAnonymous" in data) payload[isAnonymousKey] = data.isAnonymous;
         if ("createdAt" in data) payload[createdAtKey] = data.createdAt;
         if ("updatedAt" in data) payload[updatedAtKey] = data.updatedAt;
 
@@ -179,6 +187,7 @@ export class UserService implements UserRepository {
                 tableColKey !== emailVerifiedKey && 
                 tableColKey !== emailVerificationTokenKey && 
                 tableColKey !== emailVerificationSentAtKey && 
+                tableColKey !== isAnonymousKey &&
                 tableColKey !== createdAtKey && 
                 tableColKey !== updatedAtKey && 
                 tableColKey !== metadataKey) {
@@ -424,19 +433,18 @@ export class UserService implements UserRepository {
     async getUserRoles(userId: string): Promise<Role[]> {
         const rolesSchema = getTableConfig(this.rolesTable).schema || "public";
         const result = await this.db.execute(sql`
-            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions, r.config
+            SELECT r.id, r.name, r.is_admin, r.default_permissions, r.collection_permissions
             FROM ${sql.raw(`"${rolesSchema}"."roles"`)} r
             INNER JOIN ${sql.raw(`"${rolesSchema}"."user_roles"`)} ur ON r.id = ur.role_id
             WHERE ur.user_id = ${userId}
         `);
 
-        return (result.rows as Array<{ id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null }>).map(row => ({
+        return (result.rows as Array<{ id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null }>).map(row => ({
             id: row.id,
             name: row.name,
             isAdmin: row.is_admin,
             defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
+            collectionPermissions: row.collection_permissions
         }));
     }
 
@@ -518,65 +526,61 @@ export class RoleService implements RoleRepository {
     async getRoleById(id: string): Promise<Role | null> {
         const tableName = this.getQualifiedRolesTableName();
         const result = await this.db.execute(sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
+            SELECT id, name, is_admin, default_permissions, collection_permissions
             FROM ${sql.raw(tableName)}
             WHERE id = ${id}
         `);
 
         if (result.rows.length === 0) return null;
 
-        const row = result.rows[0] as { id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null };
+        const row = result.rows[0] as { id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null };
         return {
             id: row.id,
             name: row.name,
             isAdmin: row.is_admin,
             defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
+            collectionPermissions: row.collection_permissions
         };
     }
 
     async listRoles(): Promise<Role[]> {
         const tableName = this.getQualifiedRolesTableName();
         const result = await this.db.execute(sql`
-            SELECT id, name, is_admin, default_permissions, collection_permissions, config
+            SELECT id, name, is_admin, default_permissions, collection_permissions
             FROM ${sql.raw(tableName)}
             ORDER BY name
         `);
 
-        return (result.rows as Array<{ id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null }>).map(row => ({
+        return (result.rows as Array<{ id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null }>).map(row => ({
             id: row.id,
             name: row.name,
             isAdmin: row.is_admin,
             defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
+            collectionPermissions: row.collection_permissions
         }));
     }
 
     async createRole(data: Omit<Role, "isAdmin" | "collectionPermissions"> & { isAdmin?: boolean; collectionPermissions?: Role["collectionPermissions"] }): Promise<Role> {
         const tableName = this.getQualifiedRolesTableName();
         const result = await this.db.execute(sql`
-            INSERT INTO ${sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions, config)
+            INSERT INTO ${sql.raw(tableName)} (id, name, is_admin, default_permissions, collection_permissions)
             VALUES (
                 ${data.id},
                 ${data.name},
                 ${data.isAdmin ?? false},
                 ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : null}::jsonb,
-                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb,
-                ${data.config ? JSON.stringify(data.config) : null}::jsonb
+                ${data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null}::jsonb
             )
-            RETURNING id, name, is_admin, default_permissions, collection_permissions, config
+            RETURNING id, name, is_admin, default_permissions, collection_permissions
         `);
 
-        const row = result.rows[0] as { id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null; config: Record<string, unknown> | null };
+        const row = result.rows[0] as { id: string; name: string; is_admin: boolean; default_permissions: Record<string, boolean> | null; collection_permissions: Record<string, Record<string, boolean>> | null };
         return {
             id: row.id,
             name: row.name,
             isAdmin: row.is_admin,
             defaultPermissions: row.default_permissions,
-            collectionPermissions: row.collection_permissions,
-            config: row.config
+            collectionPermissions: row.collection_permissions
         };
     }
 
@@ -591,8 +595,7 @@ export class RoleService implements RoleRepository {
                 name = ${data.name ?? existing.name},
                 is_admin = ${data.isAdmin ?? existing.isAdmin},
                 default_permissions = ${data.defaultPermissions ? JSON.stringify(data.defaultPermissions) : JSON.stringify(existing.defaultPermissions)}::jsonb,
-                collection_permissions = ${data.collectionPermissions !== undefined ? (data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null) : (existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null)}::jsonb,
-                config = ${data.config ? JSON.stringify(data.config) : (existing.config ? JSON.stringify(existing.config) : null)}::jsonb
+                collection_permissions = ${data.collectionPermissions !== undefined ? (data.collectionPermissions ? JSON.stringify(data.collectionPermissions) : null) : (existing.collectionPermissions ? JSON.stringify(existing.collectionPermissions) : null)}::jsonb
             WHERE id = ${id}
         `);
 
@@ -979,8 +982,7 @@ export class PostgresAuthRepository implements AuthRepository {
         return this.roleService.createRole({
             ...data,
             defaultPermissions: data.defaultPermissions ?? null,
-            collectionPermissions: data.collectionPermissions ?? null,
-            config: data.config ?? null
+            collectionPermissions: data.collectionPermissions ?? null
         });
     }
 
@@ -1037,6 +1039,273 @@ export class PostgresAuthRepository implements AuthRepository {
     async deleteExpiredTokens(): Promise<void> {
         await this.tokenRepository.deleteExpiredTokens();
     }
+
+    // MFA operations (delegate to MfaService)
+
+    private _mfaService: MfaService | null = null;
+    private getMfaService(): MfaService {
+        if (!this._mfaService) {
+            this._mfaService = new MfaService(this.db);
+        }
+        return this._mfaService;
+    }
+
+    async createMfaFactor(userId: string, factorType: "totp", secretEncrypted: string, friendlyName?: string): Promise<MfaFactor> {
+        return this.getMfaService().createMfaFactor(userId, factorType, secretEncrypted, friendlyName);
+    }
+
+    async getMfaFactors(userId: string): Promise<MfaFactor[]> {
+        return this.getMfaService().getMfaFactors(userId);
+    }
+
+    async getMfaFactorById(factorId: string): Promise<(MfaFactor & { secretEncrypted: string }) | null> {
+        return this.getMfaService().getMfaFactorById(factorId);
+    }
+
+    async verifyMfaFactor(factorId: string): Promise<void> {
+        return this.getMfaService().verifyMfaFactor(factorId);
+    }
+
+    async deleteMfaFactor(factorId: string, userId: string): Promise<void> {
+        return this.getMfaService().deleteMfaFactor(factorId, userId);
+    }
+
+    async createMfaChallenge(factorId: string, ipAddress?: string): Promise<MfaChallengeInfo> {
+        return this.getMfaService().createMfaChallenge(factorId, ipAddress);
+    }
+
+    async getMfaChallengeById(challengeId: string): Promise<MfaChallengeInfo | null> {
+        return this.getMfaService().getMfaChallengeById(challengeId);
+    }
+
+    async verifyMfaChallenge(challengeId: string): Promise<void> {
+        return this.getMfaService().verifyMfaChallenge(challengeId);
+    }
+
+    async createRecoveryCodes(userId: string, codeHashes: string[]): Promise<void> {
+        return this.getMfaService().createRecoveryCodes(userId, codeHashes);
+    }
+
+    async useRecoveryCode(userId: string, codeHash: string): Promise<boolean> {
+        return this.getMfaService().useRecoveryCode(userId, codeHash);
+    }
+
+    async getUnusedRecoveryCodeCount(userId: string): Promise<number> {
+        return this.getMfaService().getUnusedRecoveryCodeCount(userId);
+    }
+
+    async deleteAllRecoveryCodes(userId: string): Promise<void> {
+        return this.getMfaService().deleteAllRecoveryCodes(userId);
+    }
+
+    async hasVerifiedMfaFactors(userId: string): Promise<boolean> {
+        return this.getMfaService().hasVerifiedMfaFactors(userId);
+    }
+}
+
+// =============================================================================
+// MFA SERVICE
+// =============================================================================
+
+/**
+ * PostgreSQL implementation of MfaRepository.
+ * Handles all MFA-related database operations.
+ */
+export class MfaService implements MfaRepository {
+    constructor(private db: NodePgDatabase, private schemaName: string = "rebase") {}
+
+    private qualify(tableName: string): string {
+        return `"${this.schemaName}"."${tableName}"`;
+    }
+
+    async createMfaFactor(
+        userId: string,
+        factorType: "totp",
+        secretEncrypted: string,
+        friendlyName?: string
+    ): Promise<MfaFactor> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            INSERT INTO ${sql.raw(tableName)} (user_id, factor_type, secret_encrypted, friendly_name)
+            VALUES (${userId}, ${factorType}, ${secretEncrypted}, ${friendlyName ?? null})
+            RETURNING id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+        `);
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            userId: row.user_id as string,
+            factorType: row.factor_type as "totp",
+            friendlyName: (row.friendly_name as string | null) ?? undefined,
+            verified: row.verified as boolean,
+            createdAt: new Date(row.created_at as string),
+            updatedAt: new Date(row.updated_at as string)
+        };
+    }
+
+    async getMfaFactors(userId: string): Promise<MfaFactor[]> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            SELECT id, user_id, factor_type, friendly_name, verified, created_at, updated_at
+            FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId}
+            ORDER BY created_at
+        `);
+
+        return (result.rows as Array<Record<string, unknown>>).map(row => ({
+            id: row.id as string,
+            userId: row.user_id as string,
+            factorType: row.factor_type as "totp",
+            friendlyName: (row.friendly_name as string | null) ?? undefined,
+            verified: row.verified as boolean,
+            createdAt: new Date(row.created_at as string),
+            updatedAt: new Date(row.updated_at as string)
+        }));
+    }
+
+    async getMfaFactorById(factorId: string): Promise<(MfaFactor & { secretEncrypted: string }) | null> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            SELECT id, user_id, factor_type, secret_encrypted, friendly_name, verified, created_at, updated_at
+            FROM ${sql.raw(tableName)}
+            WHERE id = ${factorId}
+        `);
+
+        if (result.rows.length === 0) return null;
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            userId: row.user_id as string,
+            factorType: row.factor_type as "totp",
+            secretEncrypted: row.secret_encrypted as string,
+            friendlyName: (row.friendly_name as string | null) ?? undefined,
+            verified: row.verified as boolean,
+            createdAt: new Date(row.created_at as string),
+            updatedAt: new Date(row.updated_at as string)
+        };
+    }
+
+    async verifyMfaFactor(factorId: string): Promise<void> {
+        const tableName = this.qualify("mfa_factors");
+        await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET verified = TRUE, updated_at = NOW()
+            WHERE id = ${factorId}
+        `);
+    }
+
+    async deleteMfaFactor(factorId: string, userId: string): Promise<void> {
+        const tableName = this.qualify("mfa_factors");
+        await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)}
+            WHERE id = ${factorId} AND user_id = ${userId}
+        `);
+    }
+
+    async createMfaChallenge(factorId: string, ipAddress?: string): Promise<MfaChallengeInfo> {
+        const tableName = this.qualify("mfa_challenges");
+        // Challenges expire in 5 minutes
+        const expiresAt = new Date(Date.now() + 5 * 60 * 1000);
+        const result = await this.db.execute(sql`
+            INSERT INTO ${sql.raw(tableName)} (factor_id, ip_address, expires_at)
+            VALUES (${factorId}, ${ipAddress ?? null}, ${expiresAt})
+            RETURNING id, factor_id, created_at, verified_at, ip_address
+        `);
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            factorId: row.factor_id as string,
+            createdAt: new Date(row.created_at as string),
+            verifiedAt: row.verified_at ? new Date(row.verified_at as string) : undefined,
+            ipAddress: (row.ip_address as string | null) ?? undefined
+        };
+    }
+
+    async getMfaChallengeById(challengeId: string): Promise<MfaChallengeInfo | null> {
+        const tableName = this.qualify("mfa_challenges");
+        const result = await this.db.execute(sql`
+            SELECT id, factor_id, created_at, verified_at, ip_address, expires_at
+            FROM ${sql.raw(tableName)}
+            WHERE id = ${challengeId} AND expires_at > NOW() AND verified_at IS NULL
+        `);
+
+        if (result.rows.length === 0) return null;
+
+        const row = result.rows[0] as Record<string, unknown>;
+        return {
+            id: row.id as string,
+            factorId: row.factor_id as string,
+            createdAt: new Date(row.created_at as string),
+            verifiedAt: row.verified_at ? new Date(row.verified_at as string) : undefined,
+            ipAddress: (row.ip_address as string | null) ?? undefined
+        };
+    }
+
+    async verifyMfaChallenge(challengeId: string): Promise<void> {
+        const tableName = this.qualify("mfa_challenges");
+        await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET verified_at = NOW()
+            WHERE id = ${challengeId}
+        `);
+    }
+
+    async createRecoveryCodes(userId: string, codeHashes: string[]): Promise<void> {
+        const tableName = this.qualify("recovery_codes");
+        // Delete existing codes first
+        await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+
+        // Insert new codes
+        for (const hash of codeHashes) {
+            await this.db.execute(sql`
+                INSERT INTO ${sql.raw(tableName)} (user_id, code_hash)
+                VALUES (${userId}, ${hash})
+            `);
+        }
+    }
+
+    async useRecoveryCode(userId: string, codeHash: string): Promise<boolean> {
+        const tableName = this.qualify("recovery_codes");
+        const result = await this.db.execute(sql`
+            UPDATE ${sql.raw(tableName)}
+            SET used_at = NOW()
+            WHERE user_id = ${userId} AND code_hash = ${codeHash} AND used_at IS NULL
+            RETURNING id
+        `);
+
+        return result.rows.length > 0;
+    }
+
+    async getUnusedRecoveryCodeCount(userId: string): Promise<number> {
+        const tableName = this.qualify("recovery_codes");
+        const result = await this.db.execute(sql`
+            SELECT COUNT(*)::int as count FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId} AND used_at IS NULL
+        `);
+
+        return (result.rows[0] as { count: number }).count;
+    }
+
+    async deleteAllRecoveryCodes(userId: string): Promise<void> {
+        const tableName = this.qualify("recovery_codes");
+        await this.db.execute(sql`
+            DELETE FROM ${sql.raw(tableName)} WHERE user_id = ${userId}
+        `);
+    }
+
+    async hasVerifiedMfaFactors(userId: string): Promise<boolean> {
+        const tableName = this.qualify("mfa_factors");
+        const result = await this.db.execute(sql`
+            SELECT COUNT(*)::int as count FROM ${sql.raw(tableName)}
+            WHERE user_id = ${userId} AND verified = TRUE
+        `);
+
+        return (result.rows[0] as { count: number }).count > 0;
+    }
 }
 
 // =============================================================================