docs(mfa): document the in-app MFA recovery endpoints in the OpenAPI spec#6665
Conversation
The cloud backend now returns an opaque token from POST /user/mfa/reset and accepts that token (or a raw user ID) on the completion endpoint, so the published contract needs to match. The reset-request 200 response now documents the returned `token`, marked required since a success always carries it. The completion endpoint's `user-id` path segment is documented as accepting either the opaque token from the in-app flow or the raw user ID from the emailed reset link, and its operation description reflects that dual behavior. Fixes: shellhub-io/team#87
The cloud DisableMFA endpoint now accepts the two codes emailed by requestResetMFA, so the published contract needs to match. The mfaDisable request schema gains optional `main_email_code` and `recovery_email_code` fields, mirroring the mfaReset wording. They are left optional, not required: the endpoint takes one of a TOTP code, a recovery code, or the two email codes, so marking them required would misdescribe the TOTP and recovery-code paths. The operation description is updated to spell out the three options. Fixes: shellhub-io/team#88
|
Claude finished @geovannewashington's task in 1m 43s —— View job Code Review CompleteReviewed 4 files across code quality, security, testing, language patterns, and architecture — no new issues found. The code looks good as-is. I verified the spec against the cloud backend (
All four YAML files are well-formed and internally consistent. If you push additional changes and want a new review, tag |
The reset-request OpenAPI change adds a `token` to the response, so the
generated SDK now types requestResetMfa as returning `{ token: string }`
instead of an empty body. The mfaResetStore test still mocked the old
empty (`null`) shape, which failed `tsc -b` in CI.
Update the requestResetMfa mocks to resolve with `{ token }`. This is a
type-only fix to keep the build green; the store still stores the typed
identifier, so the in-app reset behaviour is unchanged and its re-wire to
actually use the token remains a follow-up.
|
/review |
|
Claude finished @otavio's task in 51s —— View job Code Review CompleteReviewed 5 files across code quality, security, testing, language patterns, and architecture — no new issues found. The code looks good as-is. I verified the spec changes are well-formed and internally consistent, and cross-checked them against the frontend touched by this PR:
All edited YAML files parse cleanly and no runtime behaviour changes. If you push additional changes and want a new review, tag |
What
Spec + a forced test fix. Updates the OpenAPI spec to match the cloud
backend changes for in-app MFA recovery, plus one frontend test fix the
spec change forces (the generated SDK is rebuilt from the spec at build
time, so the new
tokenfield breaks a stale test mock). No runtimebehaviour changes. Commits on this branch:
docs(mfa): document the in-app MFA reset token in the OpenAPI spec(team#87)docs(mfa): document the emailed reset codes on disableMFA(team#88)test(mfa): update mfaResetStore mocks for the new reset token typeWhy
The backend gained a new response field and now accepts new request inputs.
Leaving the spec unchanged would let it lie about the API: generated clients
and contract tests would not know about the
tokenresponse or the newdisable inputs.
Changes
reset flow
POST /api/user/mfa/reset: the200response now documents thetokenbody (marked
required, since a success always returns it).PUT /api/user/mfa/reset/{user-id}: theuser-idpath param isdocumented as accepting either the opaque token (in-app flow) or the raw
user ID (emailed-link flow), and the operation description reflects that.
Also fixed an auto-generated
POST->PUTin the description.Build fix (SDK ripple)
src/client/, gitignored, rebuilt from thespec) now types
requestResetMfaas returning{ token }. Updated themfaResetStoretest mocks to match, keepingtsc -bgreen. Type-only;the store's actual re-wire to use the token stays in the frontend
follow-up (see below)
disable flow
PUT /api/user/mfa/disable: themfaDisablerequest schema gains optionalmain_email_code/recovery_email_codefields, mirroringmfaReset.They are optional, not required: the endpoint takes one of a TOTP code, a
recovery code, or the two email codes, so marking them required would
misdescribe the other paths. The operation description lists the three
options.
Testing
it runs in a container rather than on the host. Worth running in CI or
before merge if there is a spec-lint target.
Companion PR
shellhub-io/cloud#2430
The backend implementation lives in
shellhub-io/cloud(branchfeat/mfa-inapp-reset-disable): the opaque reset token and the emailed-codeDisableMFAsupport this spec documents.Follow-up
The frontend re-wire in
shellhub/ui/(restore the reset-verify page andthe disable-via-email-codes screen) is still required for these flows to be
usable in the product. Tracked with the backend PR.
Refs: shellhub-io/team#87
Refs: shellhub-io/team#88