npm - servcraft - Versions diffs - 0.1.0 → 0.1.3 - Mend

servcraft 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/.claude/settings.local.json +30 -0
package/.github/CODEOWNERS +18 -0
package/.github/PULL_REQUEST_TEMPLATE.md +46 -0
package/.github/dependabot.yml +59 -0
package/.github/workflows/ci.yml +188 -0
package/.github/workflows/release.yml +195 -0
package/AUDIT.md +602 -0
package/LICENSE +21 -0
package/README.md +1102 -1
package/dist/cli/index.cjs +2026 -2168
package/dist/cli/index.cjs.map +1 -1
package/dist/cli/index.js +2026 -2168
package/dist/cli/index.js.map +1 -1
package/dist/index.cjs +595 -616
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +114 -52
package/dist/index.d.ts +114 -52
package/dist/index.js +595 -616
package/dist/index.js.map +1 -1
package/docs/CLI-001_MULTI_DB_PLAN.md +546 -0
package/docs/DATABASE_MULTI_ORM.md +399 -0
package/docs/PHASE1_BREAKDOWN.md +346 -0
package/docs/PROGRESS.md +550 -0
package/docs/modules/ANALYTICS.md +226 -0
package/docs/modules/API-VERSIONING.md +252 -0
package/docs/modules/AUDIT.md +192 -0
package/docs/modules/AUTH.md +431 -0
package/docs/modules/CACHE.md +346 -0
package/docs/modules/EMAIL.md +254 -0
package/docs/modules/FEATURE-FLAG.md +291 -0
package/docs/modules/I18N.md +294 -0
package/docs/modules/MEDIA-PROCESSING.md +281 -0
package/docs/modules/MFA.md +266 -0
package/docs/modules/NOTIFICATION.md +311 -0
package/docs/modules/OAUTH.md +237 -0
package/docs/modules/PAYMENT.md +804 -0
package/docs/modules/QUEUE.md +540 -0
package/docs/modules/RATE-LIMIT.md +339 -0
package/docs/modules/SEARCH.md +288 -0
package/docs/modules/SECURITY.md +327 -0
package/docs/modules/SESSION.md +382 -0
package/docs/modules/SWAGGER.md +305 -0
package/docs/modules/UPLOAD.md +296 -0
package/docs/modules/USER.md +505 -0
package/docs/modules/VALIDATION.md +294 -0
package/docs/modules/WEBHOOK.md +270 -0
package/docs/modules/WEBSOCKET.md +691 -0
package/package.json +53 -38
package/prisma/schema.prisma +395 -1
package/src/cli/commands/add-module.ts +520 -87
package/src/cli/commands/db.ts +3 -4
package/src/cli/commands/docs.ts +256 -6
package/src/cli/commands/generate.ts +12 -19
package/src/cli/commands/init.ts +384 -214
package/src/cli/index.ts +0 -4
package/src/cli/templates/repository.ts +6 -1
package/src/cli/templates/routes.ts +6 -21
package/src/cli/utils/docs-generator.ts +6 -7
package/src/cli/utils/env-manager.ts +717 -0
package/src/cli/utils/field-parser.ts +16 -7
package/src/cli/utils/interactive-prompt.ts +223 -0
package/src/cli/utils/template-manager.ts +346 -0
package/src/config/database.config.ts +183 -0
package/src/config/env.ts +0 -10
package/src/config/index.ts +0 -14
package/src/core/server.ts +1 -1
package/src/database/adapters/mongoose.adapter.ts +132 -0
package/src/database/adapters/prisma.adapter.ts +118 -0
package/src/database/connection.ts +190 -0
package/src/database/interfaces/database.interface.ts +85 -0
package/src/database/interfaces/index.ts +7 -0
package/src/database/interfaces/repository.interface.ts +129 -0
package/src/database/models/mongoose/index.ts +7 -0
package/src/database/models/mongoose/payment.schema.ts +347 -0
package/src/database/models/mongoose/user.schema.ts +154 -0
package/src/database/prisma.ts +1 -4
package/src/database/redis.ts +101 -0
package/src/database/repositories/mongoose/index.ts +7 -0
package/src/database/repositories/mongoose/payment.repository.ts +380 -0
package/src/database/repositories/mongoose/user.repository.ts +255 -0
package/src/database/seed.ts +6 -1
package/src/index.ts +9 -20
package/src/middleware/security.ts +2 -6
package/src/modules/analytics/analytics.routes.ts +80 -0
package/src/modules/analytics/analytics.service.ts +364 -0
package/src/modules/analytics/index.ts +18 -0
package/src/modules/analytics/types.ts +180 -0
package/src/modules/api-versioning/index.ts +15 -0
package/src/modules/api-versioning/types.ts +86 -0
package/src/modules/api-versioning/versioning.middleware.ts +120 -0
package/src/modules/api-versioning/versioning.routes.ts +54 -0
package/src/modules/api-versioning/versioning.service.ts +189 -0
package/src/modules/audit/audit.repository.ts +206 -0
package/src/modules/audit/audit.service.ts +27 -59
package/src/modules/auth/auth.controller.ts +2 -2
package/src/modules/auth/auth.middleware.ts +3 -9
package/src/modules/auth/auth.routes.ts +10 -107
package/src/modules/auth/auth.service.ts +126 -23
package/src/modules/auth/index.ts +3 -4
package/src/modules/cache/cache.service.ts +367 -0
package/src/modules/cache/index.ts +10 -0
package/src/modules/cache/types.ts +44 -0
package/src/modules/email/email.service.ts +3 -10
package/src/modules/email/templates.ts +2 -8
package/src/modules/feature-flag/feature-flag.repository.ts +303 -0
package/src/modules/feature-flag/feature-flag.routes.ts +247 -0
package/src/modules/feature-flag/feature-flag.service.ts +566 -0
package/src/modules/feature-flag/index.ts +20 -0
package/src/modules/feature-flag/types.ts +192 -0
package/src/modules/i18n/i18n.middleware.ts +186 -0
package/src/modules/i18n/i18n.routes.ts +191 -0
package/src/modules/i18n/i18n.service.ts +456 -0
package/src/modules/i18n/index.ts +18 -0
package/src/modules/i18n/types.ts +118 -0
package/src/modules/media-processing/index.ts +17 -0
package/src/modules/media-processing/media-processing.routes.ts +111 -0
package/src/modules/media-processing/media-processing.service.ts +245 -0
package/src/modules/media-processing/types.ts +156 -0
package/src/modules/mfa/index.ts +20 -0
package/src/modules/mfa/mfa.repository.ts +206 -0
package/src/modules/mfa/mfa.routes.ts +595 -0
package/src/modules/mfa/mfa.service.ts +572 -0
package/src/modules/mfa/totp.ts +150 -0
package/src/modules/mfa/types.ts +57 -0
package/src/modules/notification/index.ts +20 -0
package/src/modules/notification/notification.repository.ts +356 -0
package/src/modules/notification/notification.service.ts +483 -0
package/src/modules/notification/types.ts +119 -0
package/src/modules/oauth/index.ts +20 -0
package/src/modules/oauth/oauth.repository.ts +219 -0
package/src/modules/oauth/oauth.routes.ts +446 -0
package/src/modules/oauth/oauth.service.ts +293 -0
package/src/modules/oauth/providers/apple.provider.ts +250 -0
package/src/modules/oauth/providers/facebook.provider.ts +181 -0
package/src/modules/oauth/providers/github.provider.ts +248 -0
package/src/modules/oauth/providers/google.provider.ts +189 -0
package/src/modules/oauth/providers/twitter.provider.ts +214 -0
package/src/modules/oauth/types.ts +94 -0
package/src/modules/payment/index.ts +19 -0
package/src/modules/payment/payment.repository.ts +733 -0
package/src/modules/payment/payment.routes.ts +390 -0
package/src/modules/payment/payment.service.ts +354 -0
package/src/modules/payment/providers/mobile-money.provider.ts +274 -0
package/src/modules/payment/providers/paypal.provider.ts +190 -0
package/src/modules/payment/providers/stripe.provider.ts +215 -0
package/src/modules/payment/types.ts +140 -0
package/src/modules/queue/cron.ts +438 -0
package/src/modules/queue/index.ts +87 -0
package/src/modules/queue/queue.routes.ts +600 -0
package/src/modules/queue/queue.service.ts +842 -0
package/src/modules/queue/types.ts +222 -0
package/src/modules/queue/workers.ts +366 -0
package/src/modules/rate-limit/index.ts +59 -0
package/src/modules/rate-limit/rate-limit.middleware.ts +134 -0
package/src/modules/rate-limit/rate-limit.routes.ts +269 -0
package/src/modules/rate-limit/rate-limit.service.ts +348 -0
package/src/modules/rate-limit/stores/memory.store.ts +165 -0
package/src/modules/rate-limit/stores/redis.store.ts +322 -0
package/src/modules/rate-limit/types.ts +153 -0
package/src/modules/search/adapters/elasticsearch.adapter.ts +326 -0
package/src/modules/search/adapters/meilisearch.adapter.ts +261 -0
package/src/modules/search/adapters/memory.adapter.ts +278 -0
package/src/modules/search/index.ts +21 -0
package/src/modules/search/search.service.ts +234 -0
package/src/modules/search/types.ts +214 -0
package/src/modules/security/index.ts +40 -0
package/src/modules/security/sanitize.ts +223 -0
package/src/modules/security/security-audit.service.ts +388 -0
package/src/modules/security/security.middleware.ts +398 -0
package/src/modules/session/index.ts +3 -0
package/src/modules/session/session.repository.ts +159 -0
package/src/modules/session/session.service.ts +340 -0
package/src/modules/session/types.ts +38 -0
package/src/modules/swagger/index.ts +7 -1
package/src/modules/swagger/schema-builder.ts +16 -4
package/src/modules/swagger/swagger.service.ts +9 -10
package/src/modules/swagger/types.ts +0 -2
package/src/modules/upload/index.ts +14 -0
package/src/modules/upload/types.ts +83 -0
package/src/modules/upload/upload.repository.ts +199 -0
package/src/modules/upload/upload.routes.ts +311 -0
package/src/modules/upload/upload.service.ts +448 -0
package/src/modules/user/index.ts +3 -3
package/src/modules/user/user.controller.ts +15 -9
package/src/modules/user/user.repository.ts +237 -113
package/src/modules/user/user.routes.ts +39 -164
package/src/modules/user/user.service.ts +4 -3
package/src/modules/validation/validator.ts +12 -17
package/src/modules/webhook/index.ts +91 -0
package/src/modules/webhook/retry.ts +196 -0
package/src/modules/webhook/signature.ts +135 -0
package/src/modules/webhook/types.ts +181 -0
package/src/modules/webhook/webhook.repository.ts +358 -0
package/src/modules/webhook/webhook.routes.ts +442 -0
package/src/modules/webhook/webhook.service.ts +457 -0
package/src/modules/websocket/features.ts +504 -0
package/src/modules/websocket/index.ts +106 -0
package/src/modules/websocket/middlewares.ts +298 -0
package/src/modules/websocket/types.ts +181 -0
package/src/modules/websocket/websocket.service.ts +692 -0
package/src/utils/errors.ts +7 -0
package/src/utils/pagination.ts +4 -1
package/tests/helpers/db-check.ts +79 -0
package/tests/integration/auth-redis.test.ts +94 -0
package/tests/integration/cache-redis.test.ts +387 -0
package/tests/integration/mongoose-repositories.test.ts +410 -0
package/tests/integration/payment-prisma.test.ts +637 -0
package/tests/integration/queue-bullmq.test.ts +417 -0
package/tests/integration/user-prisma.test.ts +441 -0
package/tests/integration/websocket-socketio.test.ts +552 -0
package/tests/setup.ts +11 -9
package/vitest.config.ts +3 -8
package/npm-cache/_cacache/content-v2/sha512/1c/d0/03440d500a0487621aad1d6402978340698976602046db8e24fa03c01ee6c022c69b0582f969042d9442ee876ac35c038e960dd427d1e622fa24b8eb7dba +0 -0
package/npm-cache/_cacache/content-v2/sha512/42/55/28b493ca491833e5aab0e9c3108d29ab3f36c248ca88f45d4630674fce9130959e56ae308797ac2b6328fa7f09a610b9550ed09cb971d039876d293fc69d +0 -0
package/npm-cache/_cacache/content-v2/sha512/e0/12/f360dc9315ee5f17844a0c8c233ee6bf7c30837c4a02ea0d56c61c7f7ab21c0e958e50ed2c57c59f983c762b93056778c9009b2398ffc26def0183999b13 +0 -0
package/npm-cache/_cacache/content-v2/sha512/ed/b0/fae1161902898f4c913c67d7f6cdf6be0665aec3b389b9c4f4f0a101ca1da59badf1b59c4e0030f5223023b8d63cfe501c46a32c20c895d4fb3f11ca2232 +0 -0
package/npm-cache/_cacache/index-v5/58/94/c2cba79e0f16b4c10e95a87e32255741149e8222cc314a476aab67c39cc0 +0 -5

package/src/modules/mfa/mfa.routes.ts ADDED Viewed

@@ -0,0 +1,595 @@
+import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
+import type { AuthService } from '../auth/auth.service.js';
+import { createAuthMiddleware } from '../auth/auth.middleware.js';
+import { commonResponses } from '../swagger/index.js';
+import { getMFAService } from './mfa.service.js';
+import type { MFAMethod } from './types.js';
+const mfaTag = 'MFA';
+export function registerMFARoutes(app: FastifyInstance, authService: AuthService): void {
+  const authenticate = createAuthMiddleware(authService);
+  const mfaService = getMFAService();
+  // Get MFA status
+  app.get(
+    '/auth/mfa/status',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Get MFA status for current user',
+        security: [{ bearerAuth: [] }],
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: {
+                type: 'object',
+                properties: {
+                  enabled: { type: 'boolean' },
+                  methods: {
+                    type: 'array',
+                    items: { type: 'string', enum: ['totp', 'sms', 'email', 'backup_codes'] },
+                  },
+                  totpEnabled: { type: 'boolean' },
+                  smsEnabled: { type: 'boolean' },
+                  emailEnabled: { type: 'boolean' },
+                  backupCodesRemaining: { type: 'number' },
+                },
+              },
+            },
+          },
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const userMFA = await mfaService.getUserMFA(user.id);
+      return reply.send({
+        success: true,
+        data: {
+          enabled: userMFA?.enabled || false,
+          methods: userMFA?.methods || [],
+          totpEnabled: userMFA?.totpVerified || false,
+          smsEnabled: userMFA?.phoneVerified || false,
+          emailEnabled: userMFA?.emailVerified || false,
+          backupCodesRemaining: mfaService.getRemainingBackupCodes(user.id),
+        },
+      });
+    }
+  );
+  // Setup TOTP (Google Authenticator, etc.)
+  app.post(
+    '/auth/mfa/totp/setup',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Setup TOTP (Google Authenticator)',
+        description: 'Generates a secret and QR code for TOTP setup',
+        security: [{ bearerAuth: [] }],
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: {
+                type: 'object',
+                properties: {
+                  qrCode: { type: 'string', description: 'URL to QR code image' },
+                  manualEntry: { type: 'string', description: 'Manual entry key' },
+                  secret: { type: 'string', description: 'Base32 secret (keep secure)' },
+                },
+              },
+            },
+          },
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string; email: string } }).user;
+      const setup = await mfaService.setupTOTP(user.id, user.email);
+      return reply.send({
+        success: true,
+        data: {
+          qrCode: setup.qrCode,
+          manualEntry: setup.manualEntry,
+          secret: setup.secret,
+        },
+      });
+    }
+  );
+  // Verify TOTP setup
+  app.post(
+    '/auth/mfa/totp/verify',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Verify TOTP setup',
+        description: 'Verify the first TOTP code to complete setup',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['code'],
+          properties: {
+            code: { type: 'string', minLength: 6, maxLength: 6, description: '6-digit TOTP code' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: {
+                type: 'object',
+                properties: {
+                  verified: { type: 'boolean' },
+                  backupCodes: {
+                    type: 'array',
+                    items: { type: 'string' },
+                    description: 'One-time backup codes (save these!)',
+                  },
+                },
+              },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { code } = request.body as { code: string };
+      const verified = await mfaService.verifyTOTPSetup(user.id, code);
+      if (!verified) {
+        return reply.status(400).send({
+          success: false,
+          message: 'Invalid TOTP code',
+        });
+      }
+      // Generate backup codes after successful TOTP setup
+      const backupCodes = await mfaService.generateBackupCodes(user.id);
+      return reply.send({
+        success: true,
+        data: {
+          verified: true,
+          backupCodes: backupCodes.codes,
+        },
+      });
+    }
+  );
+  // Disable TOTP
+  app.delete(
+    '/auth/mfa/totp',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Disable TOTP',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['code'],
+          properties: {
+            code: { type: 'string', minLength: 6, maxLength: 6 },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              message: { type: 'string' },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { code } = request.body as { code: string };
+      await mfaService.disableTOTP(user.id, code);
+      return reply.send({
+        success: true,
+        message: 'TOTP disabled successfully',
+      });
+    }
+  );
+  // Setup SMS MFA
+  app.post(
+    '/auth/mfa/sms/setup',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Setup SMS MFA',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['phoneNumber'],
+          properties: {
+            phoneNumber: { type: 'string', pattern: '^\\+[1-9]\\d{1,14}$' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              message: { type: 'string' },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { phoneNumber } = request.body as { phoneNumber: string };
+      await mfaService.setupSMS(user.id, phoneNumber);
+      return reply.send({
+        success: true,
+        message: 'Verification code sent to your phone',
+      });
+    }
+  );
+  // Verify SMS setup
+  app.post(
+    '/auth/mfa/sms/verify',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Verify SMS MFA setup',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['code'],
+          properties: {
+            code: { type: 'string', minLength: 6, maxLength: 6 },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: { type: 'object', properties: { verified: { type: 'boolean' } } },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { code } = request.body as { code: string };
+      const verified = await mfaService.verifySMSSetup(user.id, code);
+      return reply.send({
+        success: true,
+        data: { verified },
+      });
+    }
+  );
+  // Setup Email MFA
+  app.post(
+    '/auth/mfa/email/setup',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Setup Email MFA',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          properties: {
+            email: { type: 'string', format: 'email' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              message: { type: 'string' },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string; email: string } }).user;
+      const body = request.body as { email?: string };
+      const email = body.email || user.email;
+      await mfaService.setupEmail(user.id, email);
+      return reply.send({
+        success: true,
+        message: 'Verification code sent to your email',
+      });
+    }
+  );
+  // Verify Email setup
+  app.post(
+    '/auth/mfa/email/verify',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Verify Email MFA setup',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['code'],
+          properties: {
+            code: { type: 'string', minLength: 6, maxLength: 6 },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: { type: 'object', properties: { verified: { type: 'boolean' } } },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { code } = request.body as { code: string };
+      const verified = await mfaService.verifyEmailSetup(user.id, code);
+      return reply.send({
+        success: true,
+        data: { verified },
+      });
+    }
+  );
+  // Generate new backup codes
+  app.post(
+    '/auth/mfa/backup-codes/generate',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Generate new backup codes',
+        description: 'Generates new backup codes (invalidates old ones)',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['code'],
+          properties: {
+            code: { type: 'string', description: 'Current TOTP code or backup code' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: {
+                type: 'object',
+                properties: {
+                  codes: { type: 'array', items: { type: 'string' } },
+                  generatedAt: { type: 'string', format: 'date-time' },
+                },
+              },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { code } = request.body as { code: string };
+      // Verify current MFA first
+      const verifyResult = await mfaService.verifyChallenge(user.id, code);
+      if (!verifyResult.success) {
+        return reply.status(400).send({
+          success: false,
+          message: 'Invalid verification code',
+        });
+      }
+      const result = await mfaService.generateBackupCodes(user.id);
+      return reply.send({
+        success: true,
+        data: result,
+      });
+    }
+  );
+  // Verify MFA (for login flow)
+  app.post(
+    '/auth/mfa/verify',
+    {
+      schema: {
+        tags: [mfaTag],
+        summary: 'Verify MFA code',
+        description: 'Verify MFA code during login or sensitive operations',
+        body: {
+          type: 'object',
+          required: ['userId', 'code'],
+          properties: {
+            userId: { type: 'string' },
+            code: { type: 'string' },
+            method: { type: 'string', enum: ['totp', 'sms', 'email', 'backup_codes'] },
+            challengeId: { type: 'string' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: {
+                type: 'object',
+                properties: {
+                  verified: { type: 'boolean' },
+                  method: { type: 'string' },
+                  remainingAttempts: { type: 'number' },
+                  lockedUntil: { type: 'string', format: 'date-time' },
+                },
+              },
+            },
+          },
+          400: commonResponses.error,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const { userId, code, method, challengeId } = request.body as {
+        userId: string;
+        code: string;
+        method?: MFAMethod;
+        challengeId?: string;
+      };
+      const result = await mfaService.verifyChallenge(userId, code, method, challengeId);
+      return reply.send({
+        success: true,
+        data: {
+          verified: result.success,
+          method: result.method,
+          remainingAttempts: result.remainingAttempts,
+          lockedUntil: result.lockedUntil?.toISOString(),
+        },
+      });
+    }
+  );
+  // Request MFA challenge (for SMS/email)
+  app.post(
+    '/auth/mfa/challenge',
+    {
+      schema: {
+        tags: [mfaTag],
+        summary: 'Request MFA challenge',
+        description: 'Request a new SMS or email verification code',
+        body: {
+          type: 'object',
+          required: ['userId', 'method'],
+          properties: {
+            userId: { type: 'string' },
+            method: { type: 'string', enum: ['sms', 'email'] },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              data: {
+                type: 'object',
+                properties: {
+                  challengeId: { type: 'string' },
+                  expiresAt: { type: 'string', format: 'date-time' },
+                },
+              },
+            },
+          },
+          400: commonResponses.error,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const { userId, method } = request.body as { userId: string; method: MFAMethod };
+      const challenge = await mfaService.createChallenge(userId, method);
+      return reply.send({
+        success: true,
+        data: {
+          challengeId: challenge.id,
+          expiresAt: challenge.expiresAt.toISOString(),
+        },
+      });
+    }
+  );
+  // Disable all MFA
+  app.delete(
+    '/auth/mfa',
+    {
+      preHandler: [authenticate],
+      schema: {
+        tags: [mfaTag],
+        summary: 'Disable all MFA methods',
+        security: [{ bearerAuth: [] }],
+        body: {
+          type: 'object',
+          required: ['password'],
+          properties: {
+            password: { type: 'string' },
+          },
+        },
+        response: {
+          200: {
+            type: 'object',
+            properties: {
+              success: { type: 'boolean' },
+              message: { type: 'string' },
+            },
+          },
+          400: commonResponses.error,
+          401: commonResponses.unauthorized,
+        },
+      },
+    },
+    async (request: FastifyRequest, reply: FastifyReply) => {
+      const user = (request as FastifyRequest & { user: { id: string } }).user;
+      const { password } = request.body as { password: string };
+      // Verify password before disabling MFA
+      const isValid = await authService.verifyPasswordById(user.id, password);
+      if (!isValid) {
+        return reply.status(400).send({
+          success: false,
+          message: 'Invalid password',
+        });
+      }
+      await mfaService.disableAllMFA(user.id);
+      return reply.send({
+        success: true,
+        message: 'All MFA methods disabled',
+      });
+    }
+  );
+}