TOTP google authenticator implemented properly well

src/controllers/auth.rs

@@ -13,6 +13,13 @@ use time::Duration as TimeDuration;
 
 pub static EMAIL_DOMAIN_RE: OnceLock<Regex> = OnceLock::new();
 pub(crate) const AUTH_COOKIE: &str = "auth_token";
+/// Short-lived cookie that carries a half-authenticated session between the
+/// password step and the TOTP step. It is a *separate* name from `auth_token`
+/// on purpose: the auth guards only read `auth_token`, so this cookie can never
+/// authenticate a request on its own — it only proves the password step passed.
+pub(crate) const TOTP_PENDING_COOKIE: &str = "totp_pending";
+/// How long the user has to enter their 2FA code after the password step.
+pub(crate) const TOTP_PENDING_TTL_SECS: u64 = 300;
 
 fn get_allow_email_domain_re() -> &'static Regex {
     EMAIL_DOMAIN_RE.get_or_init(|| {
@@ -38,6 +45,24 @@ pub(crate) fn clear_auth_cookie() -> Cookie<'static> {
         .build()
 }
 
+pub(crate) fn totp_pending_cookie(token: &str, max_age_seconds: u64) -> Cookie<'static> {
+    Cookie::build((TOTP_PENDING_COOKIE, token.to_string()))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(max_age_seconds as i64))
+        .build()
+}
+
+pub(crate) fn clear_totp_pending_cookie() -> Cookie<'static> {
+    Cookie::build((TOTP_PENDING_COOKIE, ""))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(0))
+        .build()
+}
+
 #[derive(Debug, Deserialize, Serialize)]
 pub struct ForgotParams {
     pub email: String,