feat(ui-react): add two-factor authentication (TOTP) support

Implements TOTP-based MFA with authenticator app support:
  - MFA login page with 6-digit code input and paste support
  - MFA recovery flow using backup codes
  - Profile page integration for MFA setup (QR code, recovery codes)
  - Auth flow updates to handle MFA token and programmatic navigation
  - API interceptor support for MFA challenges (401 with x-mfa-token)

Dependencies:
  - qrcode.react for QR code generation
  - otpauth for TOTP secret URI formatting

Author: luannmoreira

ui-react/apps/admin/src/App.tsx

@@ -8,6 +8,9 @@ import {
 import Login from "./pages/Login";
 import Setup from "./pages/Setup";
 import AppLayout from "./components/layout/AppLayout";
+
+const MfaLogin = lazy(() => import("./pages/MfaLogin"));
+const MfaRecover = lazy(() => import("./pages/MfaRecover"));
 import LoginLayout from "./components/layout/LoginLayout";
 import ConnectivityGuard from "./components/common/ConnectivityGuard";
 import ProtectedRoute from "./components/common/ProtectedRoute";
@@ -38,6 +41,8 @@ export default function App() {
           <Route element={<SetupGuard />}>
             <Route element={<LoginLayout />}>
               <Route path="/login" element={<Login />} />
+              <Route path="/mfa-login" element={<MfaLogin />} />
+              <Route path="/mfa-recover" element={<MfaRecover />} />
               <Route path="/setup" element={<Setup />} />
             </Route>
             <Route element={<ProtectedRoute />}>

ui-react/apps/admin/src/api/auth.ts

@@ -21,6 +21,7 @@ interface UserResponse {
   email: string;
   recovery_email: string;
   tenant: string;
+  mfa?: boolean;
 }
 
 export async function login(payload: LoginPayload): Promise<LoginResponse> {

ui-react/apps/admin/src/api/interceptors.ts

@@ -62,6 +62,16 @@ export function setupInterceptors(instance: AxiosInstance) {
     },
     (error: AxiosError) => {
       if (error.response?.status === 401) {
+        // Check for MFA token in response headers
+        const mfaToken = error.response.headers["x-mfa-token"];
+
+        if (mfaToken) {
+          // MFA required - store token, let Login component handle navigation
+          useAuthStore.getState().setMfaToken(mfaToken);
+          return Promise.reject(error);
+        }
+
+        // Regular 401 - logout
         useAuthStore.getState().logout();
         window.location.href = "/v2/ui/login";
       } else if (isApiDown(error)) {

ui-react/apps/admin/src/api/mfa.ts

@@ -0,0 +1,70 @@
+import apiClient from "./client";
+import type {
+  MfaGenerateResponse,
+  MfaEnableRequest,
+  MfaAuthRequest,
+  MfaDisableRequest,
+  MfaRecoverRequest,
+  MfaResetRequest,
+  LoginResponse,
+} from "../types/mfa";
+
+// Generate QR code and recovery codes
+export async function generateMfa(): Promise<MfaGenerateResponse> {
+  const { data } = await apiClient.get<MfaGenerateResponse>(
+    "/api/user/mfa/generate"
+  );
+  return data;
+}
+
+// Enable MFA with verification
+export async function enableMfa(payload: MfaEnableRequest): Promise<void> {
+  await apiClient.put("/api/user/mfa/enable", payload);
+}
+
+// Validate MFA code after password login
+export async function validateMfa(
+  payload: MfaAuthRequest
+): Promise<LoginResponse> {
+  const { data } = await apiClient.post<LoginResponse>(
+    "/api/user/mfa/auth",
+    payload
+  );
+  return data;
+}
+
+// Disable MFA
+export async function disableMfa(payload: MfaDisableRequest): Promise<void> {
+  await apiClient.put("/api/user/mfa/disable", payload);
+}
+
+// Recover account with recovery code
+export async function recoverMfa(
+  payload: MfaRecoverRequest
+): Promise<{ data: LoginResponse; expiresAt: string }> {
+  const response = await apiClient.post<LoginResponse>(
+    "/api/user/mfa/recover",
+    payload
+  );
+  return {
+    data: response.data,
+    expiresAt: response.headers["x-expires-at"] || "",
+  };
+}
+
+// Request MFA reset via email
+export async function requestMfaReset(identifier: string): Promise<void> {
+  await apiClient.post("/api/user/mfa/reset", { identifier });
+}
+
+// Complete MFA reset with email codes
+export async function completeMfaReset(
+  userId: string,
+  payload: MfaResetRequest
+): Promise<LoginResponse> {
+  const { data } = await apiClient.put<LoginResponse>(
+    `/api/user/mfa/reset/${userId}`,
+    payload
+  );
+  return data;
+}

ui-react/apps/admin/src/components/mfa/MfaDisableDialog.tsx

@@ -0,0 +1,226 @@
+import { useState, FormEvent, useRef, KeyboardEvent } from "react";
+import { ExclamationTriangleIcon } from "@heroicons/react/24/outline";
+import { disableMfa } from "../../api/mfa";
+
+interface MfaDisableDialogProps {
+  open: boolean;
+  onClose: () => void;
+  onSuccess: () => void;
+}
+
+type Mode = "totp" | "recovery";
+
+export default function MfaDisableDialog({
+  open,
+  onClose,
+  onSuccess,
+}: MfaDisableDialogProps) {
+  const [mode, setMode] = useState<Mode>("totp");
+  const [code, setCode] = useState(["", "", "", "", "", ""]);
+  const [recoveryCode, setRecoveryCode] = useState("");
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState("");
+  const inputRefs = useRef<(HTMLInputElement | null)[]>([]);
+
+  if (!open) return null;
+
+  const handleCodeChange = (index: number, value: string) => {
+    if (value && !/^\d$/.test(value)) return;
+
+    const newCode = [...code];
+    newCode[index] = value;
+    setCode(newCode);
+
+    if (value && index < 5) {
+      inputRefs.current[index + 1]?.focus();
+    }
+  };
+
+  const handleCodeKeyDown = (index: number, e: KeyboardEvent<HTMLInputElement>) => {
+    if (e.key === "Backspace") {
+      if (!code[index] && index > 0) {
+        const newCode = [...code];
+        newCode[index - 1] = "";
+        setCode(newCode);
+        inputRefs.current[index - 1]?.focus();
+      } else {
+        const newCode = [...code];
+        newCode[index] = "";
+        setCode(newCode);
+      }
+    }
+  };
+
+  const handleSubmit = async (e: FormEvent) => {
+    e.preventDefault();
+    setError("");
+    setSubmitting(true);
+
+    try {
+      if (mode === "totp") {
+        const totpCode = code.join("");
+        if (totpCode.length !== 6) return;
+        await disableMfa({ code: totpCode });
+      } else {
+        if (!recoveryCode.trim()) return;
+        await disableMfa({ recovery_code: recoveryCode });
+      }
+
+      onSuccess();
+      onClose();
+      // Reset state
+      setTimeout(() => {
+        setMode("totp");
+        setCode(["", "", "", "", "", ""]);
+        setRecoveryCode("");
+        setError("");
+      }, 300);
+    } catch {
+      setError(
+        mode === "totp"
+          ? "Invalid verification code"
+          : "Invalid recovery code"
+      );
+      if (mode === "totp") {
+        setCode(["", "", "", "", "", ""]);
+        inputRefs.current[0]?.focus();
+      }
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  const isComplete =
+    mode === "totp"
+      ? code.every((digit) => digit !== "")
+      : recoveryCode.trim() !== "";
+
+  return (
+    <div className="fixed inset-0 z-[70] flex items-center justify-center">
+      <div
+        className="absolute inset-0 bg-black/60 backdrop-blur-sm"
+        onClick={onClose}
+      />
+      <div className="relative bg-surface border border-border rounded-2xl w-full max-w-sm mx-4 p-6 shadow-2xl animate-slide-up">
+        {/* Header */}
+        <div className="flex items-start gap-3 mb-4">
+          <div className="flex-shrink-0 w-10 h-10 rounded-lg bg-accent-red/15 border border-accent-red/25 flex items-center justify-center">
+            <ExclamationTriangleIcon
+              className="w-5 h-5 text-accent-red"
+              strokeWidth={2}
+            />
+          </div>
+          <div>
+            <h2 className="text-base font-semibold text-text-primary">
+              Disable MFA
+            </h2>
+            <p className="text-xs text-text-muted mt-0.5">
+              This will reduce your account security
+            </p>
+          </div>
+        </div>
+
+        <form onSubmit={handleSubmit} className="space-y-4">
+          {error && (
+            <div className="flex items-center gap-2 bg-accent-red/8 border border-accent-red/20 text-accent-red px-3.5 py-2.5 rounded-md text-xs font-mono">
+              <ExclamationTriangleIcon
+                className="w-3.5 h-3.5 shrink-0"
+                strokeWidth={2}
+              />
+              {error}
+            </div>
+          )}
+
+          {mode === "totp" ? (
+            <>
+              <div>
+                <label className="block text-2xs font-mono font-semibold uppercase tracking-label text-text-muted mb-3 text-center">
+                  Verification Code
+                </label>
+                <div className="flex gap-2 justify-center">
+                  {code.map((digit, index) => (
+                    <input
+                      key={index}
+                      ref={(el) => (inputRefs.current[index] = el)}
+                      type="text"
+                      inputMode="numeric"
+                      maxLength={1}
+                      value={digit}
+                      onChange={(e) => handleCodeChange(index, e.target.value)}
+                      onKeyDown={(e) => handleCodeKeyDown(index, e)}
+                      autoFocus={index === 0}
+                      className="w-10 h-10 text-center text-base font-mono bg-background border border-border rounded-lg text-text-primary focus:outline-none focus:border-accent-red/50 focus:ring-1 focus:ring-accent-red/20 transition-all"
+                    />
+                  ))}
+                </div>
+              </div>
+
+              <div className="text-center">
+                <button
+                  type="button"
+                  onClick={() => setMode("recovery")}
+                  className="text-xs text-text-muted hover:text-text-secondary transition-colors"
+                >
+                  Use recovery code instead
+                </button>
+              </div>
+            </>
+          ) : (
+            <>
+              <div>
+                <label className="block text-2xs font-mono font-semibold uppercase tracking-label text-text-muted mb-2">
+                  Recovery Code
+                </label>
+                <input
+                  type="text"
+                  value={recoveryCode}
+                  onChange={(e) => setRecoveryCode(e.target.value)}
+                  autoFocus
+                  className="w-full px-4 py-2.5 bg-background border border-border rounded-lg text-sm text-text-primary font-mono placeholder:text-text-secondary focus:outline-none focus:border-accent-red/50 focus:ring-1 focus:ring-accent-red/20 transition-all"
+                  placeholder="Enter recovery code"
+                />
+              </div>
+
+              <div className="text-center space-y-2">
+                <button
+                  type="button"
+                  onClick={() => setMode("totp")}
+                  className="block w-full text-xs text-text-muted hover:text-text-secondary transition-colors"
+                >
+                  ← Use authenticator code
+                </button>
+                <a
+                  href="mailto:support@shellhub.io"
+                  className="block text-xs text-text-muted hover:text-text-secondary transition-colors"
+                >
+                  Request email reset
+                </a>
+              </div>
+            </>
+          )}
+
+          {/* Actions */}
+          <div className="flex justify-end gap-2 pt-2">
+            <button
+              type="button"
+              onClick={onClose}
+              className="px-4 py-2.5 text-sm font-medium text-text-secondary hover:text-text-primary rounded-lg hover:bg-hover-subtle transition-colors"
+            >
+              Cancel
+            </button>
+            <button
+              type="submit"
+              disabled={submitting || !isComplete}
+              className="px-5 py-2.5 bg-accent-red/90 hover:bg-accent-red text-white rounded-lg text-sm font-semibold disabled:opacity-dim disabled:cursor-not-allowed transition-all flex items-center gap-2"
+            >
+              {submitting && (
+                <span className="w-4 h-4 border-2 border-white/30 border-t-white rounded-full animate-spin" />
+              )}
+              Disable MFA
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+}