feat(auth): add TOTP two-factor authentication across all apps

Uses Better Auth's built-in twoFactor plugin for TOTP + backup codes: Backend (mana-core-auth): - twoFactor plugin in better-auth.config.ts (issuer: ManaCore) - twoFactorEnabled field on users table, backupCodes as encrypted text - 2FA redirect detection in signIn flow - Passthrough controller forwards /two-factor/* to Better Auth - Security event types for 2FA operations Client (shared-auth): - enableTwoFactor, disableTwoFactor, verifyTwoFactor, verifyBackupCode, generateBackupCodes methods with session-to-token exchange UI (shared-auth-ui): - LoginPage: 2FA code input view after password login, backup code toggle - TwoFactorSetup: settings component with enable/disable/QR code/backup codes App integration: - All 19 auth stores have verifyTwoFactor() and verifyBackupCode() - All 19 login pages pass onVerifyTwoFactor and onVerifyBackupCode callbacks - ManaCore settings page has TwoFactorSetup component Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-26 07:04:38 +02:00 · 2026-03-26 19:55:09 +01:00 · 2026-03-26 19:55:09 +01:00 · f5a9edcfb6
commit f5a9edcfb6
parent 90e6135637
49 changed files with 1800 additions and 169 deletions
--- a/apps/calendar/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/calendar/apps/web/src/lib/stores/auth.svelte.ts
@ -122,6 +122,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/calendar/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/calendar/apps/web/src/routes/(auth)/login/+page.svelte
@ -58,6 +58,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/chat/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/chat/apps/web/src/lib/stores/auth.svelte.ts
@ -122,6 +122,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/chat/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/chat/apps/web/src/routes/(auth)/login/+page.svelte
@ -65,6 +65,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/citycorners/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/citycorners/apps/web/src/lib/stores/auth.svelte.ts
@ -105,6 +105,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/citycorners/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/citycorners/apps/web/src/routes/(auth)/login/+page.svelte
@ -49,6 +49,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/clock/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/clock/apps/web/src/lib/stores/auth.svelte.ts
@ -122,6 +122,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/clock/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/clock/apps/web/src/routes/(auth)/login/+page.svelte
@ -56,6 +56,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/contacts/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/contacts/apps/web/src/lib/stores/auth.svelte.ts
@ -122,6 +122,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/contacts/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/contacts/apps/web/src/routes/(auth)/login/+page.svelte
@ -55,6 +55,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/context/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/context/apps/web/src/lib/stores/auth.svelte.ts
@ -106,6 +106,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/context/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/context/apps/web/src/routes/(auth)/login/+page.svelte
@ -50,6 +50,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/manacore/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/manacore/apps/web/src/lib/stores/auth.svelte.ts
@ -138,6 +138,46 @@ export const authStore = {
 		}
 	},

+	async enableTwoFactor(password: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available' };
+		return authService.enableTwoFactor(password);
+	},
+
+	async disableTwoFactor(password: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available' };
+		return authService.disableTwoFactor(password);
+	},
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async generateBackupCodes(password: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available' };
+		return authService.generateBackupCodes(password);
+	},
+
 	async registerPasskey(friendlyName?: string) {
 		const authService = getAuthService();
 		if (!authService) return { success: false, error: 'Auth not available' };
--- a/apps/manacore/apps/web/src/routes/(app)/settings/+page.svelte
+++ b/apps/manacore/apps/web/src/routes/(app)/settings/+page.svelte
@ -1,7 +1,7 @@
 <script lang="ts">
 	import { onMount } from 'svelte';
 	import { Button, Input, Card, PageHeader, GlobalSettingsSection } from '@manacore/shared-ui';
-	import { PasskeyManager } from '@manacore/shared-auth-ui';
+	import { PasskeyManager, TwoFactorSetup } from '@manacore/shared-auth-ui';
 	import { authStore } from '$lib/stores/auth.svelte';
 	import { creditsService } from '$lib/api/credits';
 	import type { CreditBalance } from '$lib/api/credits';
@ -294,6 +294,19 @@
 				</div>
 			</Card>

+			<!-- Two-Factor Authentication Section -->
+			<Card>
+				<div class="p-6">
+					<TwoFactorSetup
+						enabled={!!authStore.user?.twoFactorEnabled}
+						onEnable={(password) => authStore.enableTwoFactor(password)}
+						onDisable={(password) => authStore.disableTwoFactor(password)}
+						onGenerateBackupCodes={(password) => authStore.generateBackupCodes(password)}
+						primaryColor="#6366f1"
+					/>
+				</div>
+			</Card>
+
 			<!-- My Data & Danger Zone -->
 			<Card>
 				<div class="p-6">
--- a/apps/manacore/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/manacore/apps/web/src/routes/(auth)/login/+page.svelte
@ -34,6 +34,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect="/dashboard"
 	registerPath="/register"
--- a/apps/manadeck/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/manadeck/apps/web/src/lib/stores/auth.svelte.ts
@ -93,6 +93,24 @@ export const authStore = {
 		return true;
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = toManaUser(userData);
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = toManaUser(userData);
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		return authService.isPasskeyAvailable();
 	},
--- a/apps/manadeck/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/manadeck/apps/web/src/routes/(auth)/login/+page.svelte
@ -34,6 +34,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect="/decks"
 	registerPath="/register"
--- a/apps/mukke/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/mukke/apps/web/src/lib/stores/auth.svelte.ts
@ -107,6 +107,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/mukke/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/mukke/apps/web/src/routes/(auth)/login/+page.svelte
@ -52,6 +52,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/nutriphi/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/nutriphi/apps/web/src/lib/stores/auth.svelte.ts
@ -120,6 +120,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/nutriphi/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/nutriphi/apps/web/src/routes/(auth)/login/+page.svelte
@ -54,6 +54,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/photos/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/photos/apps/web/src/lib/stores/auth.svelte.ts
@ -109,6 +109,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/photos/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/photos/apps/web/src/routes/(auth)/login/+page.svelte
@ -45,6 +45,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/picture/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/picture/apps/web/src/lib/stores/auth.svelte.ts
@ -120,6 +120,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/picture/apps/web/src/routes/auth/login/+page.svelte
+++ b/apps/picture/apps/web/src/routes/auth/login/+page.svelte
@ -38,6 +38,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect="/app/gallery"
 	registerPath="/auth/signup"
--- a/apps/planta/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/planta/apps/web/src/lib/stores/auth.svelte.ts
@ -115,6 +115,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/planta/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/planta/apps/web/src/routes/(auth)/login/+page.svelte
@ -54,6 +54,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/playground/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/playground/apps/web/src/lib/stores/auth.svelte.ts
@ -84,6 +84,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/playground/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/playground/apps/web/src/routes/(auth)/login/+page.svelte
@ -36,6 +36,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/presi/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/presi/apps/web/src/lib/stores/auth.svelte.ts
@ -119,6 +119,29 @@ export const auth = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/presi/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/presi/apps/web/src/routes/(auth)/login/+page.svelte
@ -42,6 +42,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={auth.isPasskeyAvailable()}
 	onSignInWithPasskey={() => auth.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => auth.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => auth.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/questions/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/questions/apps/web/src/lib/stores/auth.svelte.ts
@ -113,6 +113,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/questions/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/questions/apps/web/src/routes/(auth)/login/+page.svelte
@ -60,6 +60,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/skilltree/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/skilltree/apps/web/src/lib/stores/auth.svelte.ts
@ -117,6 +117,28 @@ export const authStore = {
 		}
 	},

+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/skilltree/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/skilltree/apps/web/src/routes/(auth)/login/+page.svelte
@ -60,6 +60,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/storage/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/storage/apps/web/src/lib/stores/auth.svelte.ts
@ -118,6 +118,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/todo/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/todo/apps/web/src/lib/stores/auth.svelte.ts
@ -133,6 +133,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/todo/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/todo/apps/web/src/routes/(auth)/login/+page.svelte
@ -57,6 +57,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"
--- a/apps/zitare/apps/web/src/lib/stores/auth.svelte.ts
+++ b/apps/zitare/apps/web/src/lib/stores/auth.svelte.ts
@ -122,6 +122,29 @@ export const authStore = {
 	/**
 	 * Check if passkeys are available in this browser
 	 */
+
+	async verifyTwoFactor(code: string, trustDevice?: boolean) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyTwoFactor(code, trustDevice);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
+	async verifyBackupCode(code: string) {
+		const authService = getAuthService();
+		if (!authService) return { success: false, error: 'Auth not available on server' };
+		const result = await authService.verifyBackupCode(code);
+		if (result.success) {
+			const userData = await authService.getUserFromToken();
+			user = userData;
+		}
+		return result;
+	},
+
 	isPasskeyAvailable(): boolean {
 		const authService = getAuthService();
 		if (!authService) return false;
--- a/apps/zitare/apps/web/src/routes/(auth)/login/+page.svelte
+++ b/apps/zitare/apps/web/src/routes/(auth)/login/+page.svelte
@ -55,6 +55,8 @@
 	onResendVerification={handleResendVerification}
 	passkeyAvailable={authStore.isPasskeyAvailable()}
 	onSignInWithPasskey={() => authStore.signInWithPasskey()}
+	onVerifyTwoFactor={(code, trust) => authStore.verifyTwoFactor(code, trust)}
+	onVerifyBackupCode={(code) => authStore.verifyBackupCode(code)}
 	{goto}
 	successRedirect={redirectTo}
 	registerPath="/register"