fluxy-bot 0.6.2 → 0.7.0

package/supervisor/chat/src/components/LoginScreen.tsx

@@ -1,30 +1,51 @@
-import { useState, type KeyboardEvent } from 'react';
-import { Lock, LoaderCircle, ArrowRight } from 'lucide-react';
+import { useState, useRef, useEffect, type KeyboardEvent } from 'react';
+import { Lock, LoaderCircle, ArrowRight, ArrowLeft, Shield, Check } from 'lucide-react';
+import { motion, AnimatePresence } from 'framer-motion';
 
 interface Props {
   onLogin: (token: string) => void;
+  totpEnabled?: boolean;
 }
 
-export default function LoginScreen({ onLogin }: Props) {
+export default function LoginScreen({ onLogin, totpEnabled }: Props) {
   const [password, setPassword] = useState('');
   const [error, setError] = useState('');
   const [loading, setLoading] = useState(false);
 
+  // TOTP state
+  const [phase, setPhase] = useState<'password' | 'totp'>('password');
+  const [totpCode, setTotpCode] = useState('');
+  const [pendingToken, setPendingToken] = useState('');
+  const [trustDevice, setTrustDevice] = useState(true);
+  const [useRecovery, setUseRecovery] = useState(false);
+  const totpInputRef = useRef<HTMLInputElement>(null);
+
+  // Auto-focus TOTP input when switching to TOTP phase
+  useEffect(() => {
+    if (phase === 'totp') {
+      setTimeout(() => totpInputRef.current?.focus(), 100);
+    }
+  }, [phase]);
+
   const handleSubmit = async () => {
     if (!password.trim() || loading) return;
     setLoading(true);
     setError('');
 
     try {
-      // Use GET + Basic Auth header (relay proxies don't forward POST bodies)
       const credentials = btoa(`admin:${password}`);
       const res = await fetch('/api/portal/login', {
         headers: { 'Authorization': `Basic ${credentials}` },
+        credentials: 'include',
       });
       const data = await res.json();
 
       if (res.ok && data.token) {
         onLogin(data.token);
+      } else if (res.ok && data.requiresTOTP) {
+        setPendingToken(data.pendingToken);
+        setPhase('totp');
+        setError('');
       } else {
         setError(data.error || 'Invalid password');
       }
@@ -35,8 +56,35 @@ export default function LoginScreen({ onLogin }: Props) {
     }
   };
 
+  const handleTotpSubmit = async () => {
+    if (!totpCode.trim() || loading) return;
+    setLoading(true);
+    setError('');
+
+    try {
+      const res = await fetch(
+        `/api/portal/login/totp?pending=${encodeURIComponent(pendingToken)}&code=${encodeURIComponent(totpCode)}&trust=${trustDevice ? '1' : '0'}`,
+        { credentials: 'include' },
+      );
+      const data = await res.json();
+
+      if (res.ok && data.token) {
+        onLogin(data.token);
+      } else {
+        setError(data.error || 'Invalid code');
+      }
+    } catch {
+      setError('Could not reach server');
+    } finally {
+      setLoading(false);
+    }
+  };
+
   const handleKeyDown = (e: KeyboardEvent) => {
-    if (e.key === 'Enter') handleSubmit();
+    if (e.key === 'Enter') {
+      if (phase === 'password') handleSubmit();
+      else handleTotpSubmit();
+    }
   };
 
   const inputCls = 'w-full bg-white/[0.05] border border-white/[0.08] text-white rounded-xl px-4 py-3 text-base outline-none input-glow placeholder:text-white/20 transition-all';
@@ -44,45 +92,145 @@ export default function LoginScreen({ onLogin }: Props) {
   return (
     <div className="flex flex-col items-center justify-center h-dvh px-6">
       <div className="w-full max-w-[320px] flex flex-col items-center">
-        <div className="w-14 h-14 rounded-2xl bg-white/[0.04] border border-white/[0.08] flex items-center justify-center mb-5">
-          <Lock className="h-6 w-6 text-white/40" />
-        </div>
-
-        <h1 className="text-xl font-bold text-white tracking-tight mb-1">
-          Welcome back
-        </h1>
-        <p className="text-white/40 text-[13px] mb-6">
-          Enter your password to continue.
-        </p>
-
-        {error && (
-          <div className="w-full bg-red-500/8 border border-red-500/15 rounded-xl px-4 py-2.5 mb-4">
-            <p className="text-red-400/90 text-[12px]">{error}</p>
-          </div>
-        )}
-
-        <input
-          type="password"
-          value={password}
-          onChange={(e) => setPassword(e.target.value)}
-          onKeyDown={handleKeyDown}
-          placeholder="Password"
-          autoFocus
-          autoComplete="current-password"
-          className={inputCls}
-        />
-
-        <button
-          onClick={handleSubmit}
-          disabled={!password.trim() || loading}
-          className="w-full mt-4 py-3 bg-gradient-brand hover:opacity-90 text-white text-[14px] font-semibold rounded-full transition-colors flex items-center justify-center gap-2 disabled:opacity-40"
-        >
-          {loading ? (
-            <><LoaderCircle className="h-4 w-4 animate-spin" />Signing in...</>
+        <AnimatePresence mode="wait">
+          {phase === 'password' ? (
+            <motion.div
+              key="password"
+              initial={{ opacity: 0, x: -20 }}
+              animate={{ opacity: 1, x: 0 }}
+              exit={{ opacity: 0, x: -20 }}
+              transition={{ duration: 0.2 }}
+              className="w-full flex flex-col items-center"
+            >
+              <div className="w-14 h-14 rounded-2xl bg-white/[0.04] border border-white/[0.08] flex items-center justify-center mb-5">
+                <Lock className="h-6 w-6 text-white/40" />
+              </div>
+
+              <h1 className="text-xl font-bold text-white tracking-tight mb-1">
+                Welcome back
+              </h1>
+              <p className="text-white/40 text-[13px] mb-6">
+                Enter your password to continue.
+              </p>
+
+              {error && (
+                <div className="w-full bg-red-500/8 border border-red-500/15 rounded-xl px-4 py-2.5 mb-4">
+                  <p className="text-red-400/90 text-[12px]">{error}</p>
+                </div>
+              )}
+
+              <input
+                type="password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                onKeyDown={handleKeyDown}
+                placeholder="Password"
+                autoFocus
+                autoComplete="current-password"
+                className={inputCls}
+              />
+
+              <button
+                onClick={handleSubmit}
+                disabled={!password.trim() || loading}
+                className="w-full mt-4 py-3 bg-gradient-brand hover:opacity-90 text-white text-[14px] font-semibold rounded-full transition-colors flex items-center justify-center gap-2 disabled:opacity-40"
+              >
+                {loading ? (
+                  <><LoaderCircle className="h-4 w-4 animate-spin" />Signing in...</>
+                ) : (
+                  <>Sign In<ArrowRight className="h-4 w-4" /></>
+                )}
+              </button>
+            </motion.div>
           ) : (
-            <>Sign In<ArrowRight className="h-4 w-4" /></>
+            <motion.div
+              key="totp"
+              initial={{ opacity: 0, x: 20 }}
+              animate={{ opacity: 1, x: 0 }}
+              exit={{ opacity: 0, x: 20 }}
+              transition={{ duration: 0.2 }}
+              className="w-full flex flex-col items-center"
+            >
+              <div className="w-14 h-14 rounded-2xl bg-[#AF27E3]/10 border border-[#AF27E3]/20 flex items-center justify-center mb-5">
+                <Shield className="h-6 w-6 text-[#AF27E3]" />
+              </div>
+
+              <h1 className="text-xl font-bold text-white tracking-tight mb-1">
+                {useRecovery ? 'Recovery code' : 'Enter your 2FA code'}
+              </h1>
+              <p className="text-white/40 text-[13px] mb-6">
+                {useRecovery
+                  ? 'Enter one of your recovery codes.'
+                  : 'Open your authenticator app and enter the 6-digit code.'}
+              </p>
+
+              {error && (
+                <div className="w-full bg-red-500/8 border border-red-500/15 rounded-xl px-4 py-2.5 mb-4">
+                  <p className="text-red-400/90 text-[12px]">{error}</p>
+                </div>
+              )}
+
+              <input
+                ref={totpInputRef}
+                type="text"
+                inputMode={useRecovery ? 'text' : 'numeric'}
+                autoComplete="one-time-code"
+                maxLength={useRecovery ? 20 : 6}
+                value={totpCode}
+                onChange={(e) => {
+                  setTotpCode(useRecovery ? e.target.value : e.target.value.replace(/\D/g, ''));
+                  setError('');
+                }}
+                onKeyDown={handleKeyDown}
+                placeholder={useRecovery ? 'Recovery code' : '000000'}
+                className={inputCls + (useRecovery ? '' : ' tracking-[0.3em] text-center font-mono')}
+              />
+
+              {/* Trust device checkbox */}
+              <label className="flex items-center gap-2.5 mt-4 w-full cursor-pointer">
+                <div
+                  onClick={() => setTrustDevice(v => !v)}
+                  className={`w-5 h-5 rounded-md border flex items-center justify-center transition-all ${
+                    trustDevice
+                      ? 'bg-[#AF27E3] border-[#AF27E3]'
+                      : 'bg-white/[0.04] border-white/[0.12]'
+                  }`}
+                >
+                  {trustDevice && <Check className="h-3.5 w-3.5 text-white" />}
+                </div>
+                <span className="text-[13px] text-white/50">Trust this device for 90 days</span>
+              </label>
+
+              <button
+                onClick={handleTotpSubmit}
+                disabled={!totpCode.trim() || loading}
+                className="w-full mt-4 py-3 bg-gradient-brand hover:opacity-90 text-white text-[14px] font-semibold rounded-full transition-colors flex items-center justify-center gap-2 disabled:opacity-40"
+              >
+                {loading ? (
+                  <><LoaderCircle className="h-4 w-4 animate-spin" />Verifying...</>
+                ) : (
+                  <>Verify<ArrowRight className="h-4 w-4" /></>
+                )}
+              </button>
+
+              <div className="flex items-center gap-4 mt-4">
+                <button
+                  onClick={() => { setPhase('password'); setError(''); setTotpCode(''); setUseRecovery(false); }}
+                  className="text-[12px] text-white/30 hover:text-white/50 flex items-center gap-1 transition-colors"
+                >
+                  <ArrowLeft className="h-3 w-3" />
+                  Back
+                </button>
+                <button
+                  onClick={() => { setUseRecovery(v => !v); setTotpCode(''); setError(''); }}
+                  className="text-[12px] text-white/30 hover:text-white/50 transition-colors"
+                >
+                  {useRecovery ? 'Use authenticator code' : 'Use a recovery code'}
+                </button>
+              </div>
+            </motion.div>
           )}
-        </button>
+        </AnimatePresence>
       </div>
     </div>
   );

package/supervisor/index.ts

@@ -198,6 +198,12 @@ export async function startSupervisor() {
     'POST /api/auth/codex/start',
     'POST /api/auth/codex/cancel',
     'GET /api/auth/codex/status',
+    'POST /api/portal/totp/setup',
+    'POST /api/portal/totp/verify-setup',
+    'POST /api/portal/totp/disable',
+    'GET /api/portal/totp/status',
+    'GET /api/portal/login/totp',
+    'POST /api/portal/devices/revoke',
   ];
 
   function isExemptRoute(method: string, url: string): boolean {

package/worker/db.ts

@@ -39,6 +39,15 @@ CREATE TABLE IF NOT EXISTS push_subscriptions (
   keys_auth TEXT NOT NULL,
   created_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
+CREATE TABLE IF NOT EXISTS trusted_devices (
+  id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(8)))),
+  token TEXT NOT NULL UNIQUE,
+  label TEXT,
+  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+  expires_at DATETIME NOT NULL,
+  last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_td_token ON trusted_devices(token);
 `;
 
 let db: Database.Database;
@@ -145,6 +154,29 @@ export function getPushSubscriptionByEndpoint(endpoint: string) {
   return db.prepare('SELECT * FROM push_subscriptions WHERE endpoint = ?').get(endpoint) as { id: number; endpoint: string; keys_p256dh: string; keys_auth: string } | undefined;
 }
 
+// Trusted devices (2FA)
+export function createTrustedDevice(token: string, label: string, expiresAt: string) {
+  return db.prepare('INSERT INTO trusted_devices (token, label, expires_at) VALUES (?, ?, ?) RETURNING *').get(token, label, expiresAt) as any;
+}
+export function getTrustedDevice(token: string): { id: string; token: string; label: string; created_at: string; expires_at: string; last_seen: string } | undefined {
+  return db.prepare("SELECT * FROM trusted_devices WHERE token = ? AND expires_at > datetime('now')").get(token) as any;
+}
+export function updateDeviceLastSeen(token: string) {
+  db.prepare("UPDATE trusted_devices SET last_seen = CURRENT_TIMESTAMP WHERE token = ?").run(token);
+}
+export function listTrustedDevices() {
+  return db.prepare("SELECT id, label, last_seen, created_at FROM trusted_devices WHERE expires_at > datetime('now') ORDER BY last_seen DESC").all() as { id: string; label: string; last_seen: string; created_at: string }[];
+}
+export function deleteTrustedDevice(id: string) {
+  db.prepare('DELETE FROM trusted_devices WHERE id = ?').run(id);
+}
+export function deleteExpiredDevices() {
+  db.prepare("DELETE FROM trusted_devices WHERE expires_at <= datetime('now')").run();
+}
+export function deleteAllTrustedDevices() {
+  db.prepare('DELETE FROM trusted_devices').run();
+}
+
 // Recent messages (for context injection)
 export function getRecentMessages(convId: string, limit = 20) {
   return db.prepare(`

package/worker/index.ts

@@ -5,8 +5,10 @@ import path from 'path';
 import { loadConfig, saveConfig } from '../shared/config.js';
 import { paths, WORKSPACE_DIR } from '../shared/paths.js';
 import { log } from '../shared/logger.js';
-import { initDb, closeDb, listConversations, createConversation, deleteConversation, getMessages, addMessage, getSetting, getAllSettings, setSetting, createSession, getSession, deleteExpiredSessions, getRecentMessages, getMessagesBefore, addPushSubscription, removePushSubscription, getAllPushSubscriptions, getPushSubscriptionByEndpoint } from './db.js';
+import { initDb, closeDb, listConversations, createConversation, deleteConversation, getMessages, addMessage, getSetting, getAllSettings, setSetting, createSession, getSession, deleteExpiredSessions, getRecentMessages, getMessagesBefore, addPushSubscription, removePushSubscription, getAllPushSubscriptions, getPushSubscriptionByEndpoint, createTrustedDevice, getTrustedDevice, updateDeviceLastSeen, listTrustedDevices, deleteTrustedDevice, deleteExpiredDevices, deleteAllTrustedDevices } from './db.js';
 import webpush from 'web-push';
+import { TOTP } from 'otpauth';
+import QRCode from 'qrcode';
 import { startCodexOAuth, cancelCodexOAuth, getCodexAuthStatus, readCodexAccessToken } from './codex-auth.js';
 import { startClaudeOAuth, exchangeClaudeCode, getClaudeAuthStatus, readClaudeAccessToken } from './claude-auth.js';
 import { checkAvailability, registerHandle, releaseHandle, updateTunnelUrl, startHeartbeat, stopHeartbeat } from '../shared/relay.js';
@@ -26,6 +28,45 @@ function verifyPassword(password: string, stored: string): boolean {
   return hash === test;
 }
 
+// ── TOTP helpers ──
+
+function generateTOTPSecret(): string {
+  return crypto.randomBytes(20).toString('base64url').replace(/[^A-Z2-7]/gi, '').slice(0, 32).toUpperCase();
+}
+
+function verifyTOTPCode(code: string, secret: string): boolean {
+  const totp = new TOTP({ issuer: 'Fluxy', algorithm: 'SHA1', digits: 6, period: 30, secret });
+  const delta = totp.validate({ token: code, window: 1 });
+  return delta !== null;
+}
+
+function generateRecoveryCodes(): string[] {
+  const codes: string[] = [];
+  for (let i = 0; i < 8; i++) {
+    codes.push(crypto.randomBytes(4).toString('hex'));
+  }
+  return codes;
+}
+
+function hashRecoveryCode(code: string): string {
+  return crypto.createHash('sha256').update(code.toLowerCase()).digest('hex');
+}
+
+function verifyRecoveryCode(code: string, hashes: string[]): { valid: boolean; remaining: string[] } {
+  const h = hashRecoveryCode(code);
+  const idx = hashes.indexOf(h);
+  if (idx === -1) return { valid: false, remaining: hashes };
+  const remaining = [...hashes];
+  remaining.splice(idx, 1);
+  return { valid: true, remaining };
+}
+
+function parseCookie(cookieHeader: string | undefined, name: string): string | undefined {
+  if (!cookieHeader) return undefined;
+  const match = cookieHeader.split(';').map(c => c.trim()).find(c => c.startsWith(`${name}=`));
+  return match ? match.slice(name.length + 1) : undefined;
+}
+
 const port = parseInt(process.env.WORKER_PORT || '3001', 10);
 const config = loadConfig();
 
@@ -293,6 +334,7 @@ app.get('/api/onboard/status', (_, res) => {
     tunnelMode: cfg.tunnel?.mode || 'quick',
     tunnelDomain: cfg.tunnel?.domain || '',
     tunnelUrl: cfg.tunnelUrl || '',
+    totpEnabled: settings.totp_enabled === 'true',
   });
 });
 
@@ -304,12 +346,38 @@ app.post('/api/portal/verify-password', (req, res) => {
 });
 
 // Shared login logic (used by both POST and GET handlers)
-function handleLogin(username: string | undefined, password: string | undefined, res: any) {
+function handleLogin(username: string | undefined, password: string | undefined, req: any, res: any) {
   if (!password) { res.status(400).json({ error: 'Password required' }); return; }
   const storedPass = getSetting('portal_pass');
   if (!storedPass) { res.status(400).json({ error: 'No password set' }); return; }
   if (!verifyPassword(password, storedPass)) { res.status(401).json({ error: 'Invalid password' }); return; }
 
+  // Check if TOTP is enabled
+  const totpEnabled = getSetting('totp_enabled') === 'true';
+  if (totpEnabled) {
+    // Check for trusted device cookie
+    const deviceToken = parseCookie(req.headers.cookie, 'fluxy_device');
+    if (deviceToken) {
+      const device = getTrustedDevice(deviceToken);
+      if (device) {
+        updateDeviceLastSeen(deviceToken);
+        // Trusted device — skip TOTP
+        deleteExpiredSessions();
+        const token = crypto.randomBytes(64).toString('hex');
+        const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+        createSession(token, expiresAt);
+        res.json({ token, expiresAt });
+        return;
+      }
+    }
+    // No valid trusted device — require TOTP
+    const pendingToken = crypto.randomBytes(32).toString('hex');
+    const pendingExpiry = new Date(Date.now() + 5 * 60 * 1000).toISOString();
+    setSetting(`totp_pending_login:${pendingToken}`, pendingExpiry);
+    res.json({ requiresTOTP: true, pendingToken });
+    return;
+  }
+
   deleteExpiredSessions();
   const token = crypto.randomBytes(64).toString('hex');
   const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
@@ -320,7 +388,7 @@ function handleLogin(username: string | undefined, password: string | undefined,
 // POST: credentials in JSON body
 app.post('/api/portal/login', (req, res) => {
   const { username, password } = req.body;
-  handleLogin(username, password, res);
+  handleLogin(username, password, req, res);
 });
 
 // GET: credentials via Authorization Basic header (relay proxies don't forward POST bodies)
@@ -330,7 +398,7 @@ app.get('/api/portal/login', (req, res) => {
   const decoded = Buffer.from(authHeader.slice(6), 'base64').toString();
   const sep = decoded.indexOf(':');
   if (sep < 0) { res.status(400).json({ error: 'Invalid credentials format' }); return; }
-  handleLogin(decoded.slice(0, sep), decoded.slice(sep + 1), res);
+  handleLogin(decoded.slice(0, sep), decoded.slice(sep + 1), req, res);
 });
 
 // POST + GET for validate-token (same relay issue)
@@ -348,6 +416,185 @@ app.get('/api/portal/validate-token', (req, res) => {
   handleValidateToken(req.query.token as string, res);
 });
 
+// ── TOTP 2FA endpoints ──
+
+app.get('/api/portal/totp/status', (_req, res) => {
+  res.json({ enabled: getSetting('totp_enabled') === 'true' });
+});
+
+app.post('/api/portal/totp/setup', async (req, res) => {
+  // Verify caller has auth: either valid session token or correct password
+  const authHeader = req.headers['authorization'];
+  let authorized = false;
+  if (authHeader?.startsWith('Bearer ')) {
+    const session = getSession(authHeader.slice(7));
+    if (session) authorized = true;
+  }
+  if (!authorized && req.body?.password) {
+    const storedPass = getSetting('portal_pass');
+    if (storedPass && verifyPassword(req.body.password, storedPass)) authorized = true;
+  }
+  if (!authorized) { res.status(401).json({ error: 'Unauthorized' }); return; }
+
+  const secret = generateTOTPSecret();
+  setSetting('totp_pending_secret', secret);
+
+  const botName = getSetting('agent_name') || 'Fluxy';
+  const totp = new TOTP({ issuer: 'Fluxy', label: botName, algorithm: 'SHA1', digits: 6, period: 30, secret });
+  const otpauthUri = totp.toString();
+
+  try {
+    const qrDataUri = await QRCode.toDataURL(otpauthUri, { width: 256, margin: 2 });
+    res.json({ secret, qrDataUri, otpauthUri });
+  } catch (err: any) {
+    res.status(500).json({ error: 'Failed to generate QR code' });
+  }
+});
+
+app.post('/api/portal/totp/verify-setup', (req, res) => {
+  const authHeader = req.headers['authorization'];
+  let authorized = false;
+  if (authHeader?.startsWith('Bearer ')) {
+    const session = getSession(authHeader.slice(7));
+    if (session) authorized = true;
+  }
+  if (!authorized && req.body?.password) {
+    const storedPass = getSetting('portal_pass');
+    if (storedPass && verifyPassword(req.body.password, storedPass)) authorized = true;
+  }
+  if (!authorized) { res.status(401).json({ error: 'Unauthorized' }); return; }
+
+  const { code } = req.body;
+  if (!code) { res.status(400).json({ error: 'Code required' }); return; }
+
+  const pendingSecret = getSetting('totp_pending_secret');
+  if (!pendingSecret) { res.status(400).json({ error: 'No TOTP setup in progress' }); return; }
+
+  if (!verifyTOTPCode(code, pendingSecret)) {
+    res.status(400).json({ error: 'Invalid code. Check your authenticator app and try again.' });
+    return;
+  }
+
+  // Success: persist TOTP config
+  setSetting('totp_secret', pendingSecret);
+  setSetting('totp_enabled', 'true');
+
+  // Generate recovery codes
+  const codes = generateRecoveryCodes();
+  const hashes = codes.map(hashRecoveryCode);
+  setSetting('totp_recovery_codes', JSON.stringify(hashes));
+
+  // Clean up pending secret
+  setSetting('totp_pending_secret', '');
+
+  res.json({ success: true, recoveryCodes: codes });
+});
+
+app.post('/api/portal/totp/disable', (req, res) => {
+  const { password, code } = req.body;
+  if (!password || !code) { res.status(400).json({ error: 'Password and TOTP code required' }); return; }
+
+  const storedPass = getSetting('portal_pass');
+  if (!storedPass || !verifyPassword(password, storedPass)) {
+    res.status(401).json({ error: 'Invalid password' });
+    return;
+  }
+
+  const secret = getSetting('totp_secret');
+  if (!secret) { res.status(400).json({ error: '2FA is not enabled' }); return; }
+
+  if (!verifyTOTPCode(code, secret)) {
+    res.status(400).json({ error: 'Invalid TOTP code' });
+    return;
+  }
+
+  // Clear all TOTP settings
+  setSetting('totp_enabled', 'false');
+  setSetting('totp_secret', '');
+  setSetting('totp_recovery_codes', '');
+  setSetting('totp_pending_secret', '');
+  deleteAllTrustedDevices();
+
+  res.json({ success: true });
+});
+
+app.get('/api/portal/login/totp', (req, res) => {
+  const pending = req.query.pending as string;
+  const code = req.query.code as string;
+  const trust = req.query.trust as string;
+
+  if (!pending || !code) { res.status(400).json({ error: 'Missing pending token or code' }); return; }
+
+  // Validate pending token
+  const expiry = getSetting(`totp_pending_login:${pending}`);
+  if (!expiry || new Date(expiry) < new Date()) {
+    res.status(401).json({ error: 'Login session expired. Please start over.' });
+    return;
+  }
+
+  // Clean up pending token
+  setSetting(`totp_pending_login:${pending}`, '');
+
+  const secret = getSetting('totp_secret');
+  if (!secret) { res.status(400).json({ error: '2FA is not configured' }); return; }
+
+  // Try TOTP code first
+  let valid = verifyTOTPCode(code, secret);
+
+  // If not valid as TOTP, try as recovery code
+  if (!valid) {
+    const hashesJson = getSetting('totp_recovery_codes');
+    if (hashesJson) {
+      try {
+        const hashes = JSON.parse(hashesJson) as string[];
+        const result = verifyRecoveryCode(code, hashes);
+        if (result.valid) {
+          valid = true;
+          setSetting('totp_recovery_codes', JSON.stringify(result.remaining));
+        }
+      } catch {}
+    }
+  }
+
+  if (!valid) {
+    res.status(401).json({ error: 'Invalid code' });
+    return;
+  }
+
+  // Create session
+  deleteExpiredSessions();
+  const token = crypto.randomBytes(64).toString('hex');
+  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+  createSession(token, expiresAt);
+
+  // Trust device if requested
+  if (trust === '1') {
+    deleteExpiredDevices();
+    const deviceToken = crypto.randomBytes(32).toString('hex');
+    const deviceExpiry = new Date(Date.now() + 90 * 24 * 60 * 60 * 1000).toISOString();
+    createTrustedDevice(deviceToken, 'Browser', deviceExpiry);
+    res.setHeader('Set-Cookie', `fluxy_device=${deviceToken}; HttpOnly; Secure; SameSite=Strict; Max-Age=7776000; Path=/`);
+  }
+
+  res.json({ token, expiresAt });
+});
+
+app.get('/api/portal/devices', (_req, res) => {
+  res.json(listTrustedDevices());
+});
+
+app.delete('/api/portal/devices/:id', (req, res) => {
+  deleteTrustedDevice(req.params.id);
+  res.json({ ok: true });
+});
+
+app.post('/api/portal/devices/revoke', (req, res) => {
+  const { id } = req.body;
+  if (!id) { res.status(400).json({ error: 'Device ID required' }); return; }
+  deleteTrustedDevice(id);
+  res.json({ ok: true });
+});
+
 app.post('/api/onboard', (req, res) => {
   const { userName, agentName, provider, model, apiKey, baseUrl, portalUser, portalPass, whisperEnabled, whisperKey } = req.body;