Complete backend specification for the eToro 2FA NestJS microservice
src/
โโโ auth-2fa/
โ โโโ auth-2fa.module.ts # Auth2FAModule
โ โโโ controllers/
โ โ โโโ totp.controller.ts # TOTP endpoints
โ โ โโโ webauthn.controller.ts # WebAuthn endpoints
โ โ โโโ backup.controller.ts # Backup codes
โ โ โโโ recovery.controller.ts # Account recovery
โ โโโ services/
โ โ โโโ totp.service.ts # TOTP logic (otplib)
โ โ โโโ webauthn.service.ts # WebAuthn (@simplewebauthn/server)
โ โ โโโ backup-code.service.ts # Backup code generation/verification
โ โ โโโ recovery.service.ts # Account recovery flow
โ โ โโโ vault.service.ts # Vault/HSM encryption client
โ โ โโโ audit.service.ts # Audit logging
โ โโโ guards/
โ โ โโโ two-fa.guard.ts # Require 2FA on protected routes
โ โ โโโ two-fa-setup.guard.ts # Ensure user has active session
โ โโโ decorators/
โ โ โโโ require-2fa.decorator.ts
โ โโโ dto/
โ โ โโโ totp-setup.dto.ts
โ โ โโโ totp-verify.dto.ts
โ โ โโโ webauthn-register.dto.ts
โ โ โโโ webauthn-auth.dto.ts
โ โ โโโ backup-verify.dto.ts
โ โโโ entities/
โ โ โโโ user-2fa-settings.entity.ts
โ โ โโโ totp-secret.entity.ts
โ โ โโโ webauthn-credential.entity.ts
โ โ โโโ backup-code.entity.ts
โ โ โโโ audit-log.entity.ts
โ โโโ constants/
โ โโโ 2fa.constants.ts
โโโ app.module.ts
โโโ main.ts// auth-2fa.module.ts
@Module({
imports: [
TypeOrmModule.forFeature([
User2FASettings, TotpSecret,
WebAuthnCredential, BackupCode, AuditLog
]),
ThrottlerModule.forRoot({ ttl: 300, limit: 5 }),
VaultModule,
RedisModule,
],
controllers: [
TotpController, WebAuthnController,
BackupController, RecoveryController
],
providers: [
TotpService, WebAuthnService, BackupCodeService,
RecoveryService, VaultService, AuditService,
TwoFAGuard, TwoFASetupGuard
],
exports: [TwoFAGuard, TotpService, WebAuthnService]
})
export class Auth2FAModule {}| Column | Type | Constraints | Description |
|---|---|---|---|
| id | UUID | PK, DEFAULT gen_random_uuid() | Primary key |
| user_id | BIGINT | UNIQUE, NOT NULL, FK โ users.id | eToro user ID |
| is_enabled | BOOLEAN | DEFAULT false | 2FA active? |
| primary_method | ENUM('totp','webauthn','sms') | NULLABLE | Primary 2FA method |
| totp_enabled | BOOLEAN | DEFAULT false | TOTP active |
| webauthn_enabled | BOOLEAN | DEFAULT false | WebAuthn active |
| backup_codes_remaining | SMALLINT | DEFAULT 0 | Unused backup codes count |
| lockout_until | TIMESTAMPTZ | NULLABLE | Lockout expiry |
| failed_attempts | SMALLINT | DEFAULT 0 | Current window failures |
| created_at | TIMESTAMPTZ | DEFAULT NOW() | |
| updated_at | TIMESTAMPTZ | DEFAULT NOW() |
| Column | Type | Constraints | Description |
|---|---|---|---|
| id | UUID | PK | |
| user_id | BIGINT | UNIQUE, FK | |
| encrypted_secret | BYTEA | NOT NULL | AES-256-GCM encrypted TOTP secret |
| iv | BYTEA(16) | NOT NULL | Initialization vector |
| vault_key_version | SMALLINT | NOT NULL | Vault transit key version used |
| algorithm | VARCHAR(10) | DEFAULT 'sha1' | HMAC algorithm |
| digits | SMALLINT | DEFAULT 6 | |
| period | SMALLINT | DEFAULT 30 | Seconds per step |
| verified | BOOLEAN | DEFAULT false | User confirmed code works |
| created_at | TIMESTAMPTZ | DEFAULT NOW() |
| Column | Type | Constraints | Description |
|---|---|---|---|
| id | UUID | PK | |
| user_id | BIGINT | FK, INDEX | |
| credential_id | BYTEA | UNIQUE, NOT NULL | WebAuthn credential ID (base64url) |
| public_key | BYTEA | NOT NULL | COSE public key (CBOR-encoded) |
| sign_count | BIGINT | DEFAULT 0, NOT NULL | Signature counter (clone detection) |
| transports | VARCHAR[] | ['internal','hybrid','ble','usb','nfc'] | |
| device_name | VARCHAR(100) | User-friendly name (e.g. "iPhone 15 Pro") | |
| last_used_at | TIMESTAMPTZ | Last successful authentication | |
| aaguid | UUID | Authenticator attestation GUID (identifies make/model) | |
| backup_eligible | BOOLEAN | DEFAULT false | BE flag โ credential CAN be backed up (multi-device) |
| backup_state | BOOLEAN | DEFAULT false | BS flag โ credential IS currently backed up/synced |
| device_type | VARCHAR(32) | 'singleDevice' or 'multiDevice' (derived from BE) | |
| credential_type | VARCHAR(20) | DEFAULT 'passkey' | 'passkey' (discoverable) or 'security-key' |
| created_at | TIMESTAMPTZ | DEFAULT NOW() |
-- Indexes
CREATE INDEX idx_webauthn_user ON webauthn_credentials(user_id);
CREATE UNIQUE INDEX idx_webauthn_cred ON webauthn_credentials(credential_id);
CREATE INDEX idx_webauthn_aaguid ON webauthn_credentials(aaguid);
-- Max 10 passkeys per user (enforced at app level, checked on insert)
-- Soft constraint: credential_type = 'passkey' โ backup_eligible = true typically| Column | Type | Constraints | Description |
|---|---|---|---|
| id | UUID | PK | |
| user_id | BIGINT | FK, INDEX | |
| code_hash | VARCHAR(60) | NOT NULL | bcrypt hash of backup code |
| used | BOOLEAN | DEFAULT false | |
| used_at | TIMESTAMPTZ | ||
| created_at | TIMESTAMPTZ | DEFAULT NOW() |
| Column | Type | Constraints | Description |
|---|---|---|---|
| id | UUID | PK | |
| user_id | BIGINT | INDEX | |
| action | VARCHAR(50) | NOT NULL, INDEX | e.g. totp_setup, webauthn_auth_success |
| ip_address | INET | ||
| user_agent | TEXT | ||
| device_fingerprint | VARCHAR(64) | SHA-256 device ID | |
| metadata | JSONB | Extra event data | |
| created_at | TIMESTAMPTZ | DEFAULT NOW(), INDEX | Immutable, append-only |
Partition by month. Retention: 7 years (regulatory). Table is INSERT-only (no UPDATE/DELETE grants).
| Method | Endpoint | Description | Auth | Rate Limit |
|---|---|---|---|---|
| POST | /api/v1/2fa/totp/setup | Generate TOTP secret + QR URI | Bearer | 3/hour |
| POST | /api/v1/2fa/totp/verify | Verify code & enable TOTP | Bearer | 5/5min |
| POST | /api/v1/2fa/totp/validate | Validate code during login | Temp token | 5/5min |
| DELETE | /api/v1/2fa/totp | Disable TOTP (requires current code) | Bearer + 2FA | 2/hour |
| POST | /api/v1/2fa/passkey/register/options | Get passkey registration options (resident key) | Bearer | 3/hour |
| POST | /api/v1/2fa/passkey/register/verify | Verify & store passkey credential | Bearer | 5/5min |
| POST | /api/v1/2fa/passkey/authenticate/options | Get auth options (discoverable or allow-list) | Temp token / None | 5/5min |
| POST | /api/v1/2fa/passkey/authenticate/verify | Verify passkey assertion | Temp token / None | 5/5min |
| GET | /api/v1/2fa/passkey/credentials | List user's registered passkeys | Bearer | 30/min |
| DELETE | /api/v1/2fa/passkey/credentials/:id | Remove a passkey | Bearer + 2FA | 5/hour |
| POST | /api/v1/2fa/passkey/rename | Rename a passkey device name | Bearer | 10/hour |
| POST | /api/v1/2fa/backup-codes/generate | Generate 10 backup codes | Bearer + 2FA | 1/day |
| POST | /api/v1/2fa/backup-codes/verify | Use a backup code | Temp token | 3/15min |
| GET | /api/v1/2fa/status | Get user's 2FA configuration | Bearer | 30/min |
| POST | /api/v1/2fa/recovery | Initiate account recovery | Email token | 1/24hr |
Generates a new TOTP secret, encrypts via Vault, stores pending, and returns QR URI.
Headers:
Authorization: Bearer <accessToken>
Body: (empty){
"secret": "JBSWY3DPEHPK3PXP",
"qrUri": "otpauth://totp/eToro:user@email.com?secret=JBSWY3DPEHPK3PXP&issuer=eToro&algorithm=SHA1&digits=6&period=30",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}| Status | Code | Description |
|---|---|---|
| 409 | TOTP_ALREADY_ENABLED | User already has TOTP active |
| 429 | RATE_LIMIT_EXCEEDED | Too many setup attempts |
{
"code": "738204"
}{
"enabled": true,
"method": "totp",
"backupCodes": [
"A1B2-C3D4", "E5F6-G7H8",
"I9J0-K1L2", "M3N4-O5P6",
"Q7R8-S9T0", "U1V2-W3X4",
"Y5Z6-A7B8", "C9D0-E1F2",
"G3H4-I5J6", "K7L8-M9N0"
]
}Headers:
X-Temp-Token: <tempToken>
{
"code": "738204"
}{
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG...",
"expiresIn": 3600
}| Status | Code | Description |
|---|---|---|
| 401 | INVALID_TOTP_CODE | Code doesn't match |
| 401 | CODE_ALREADY_USED | Replay detected |
| 423 | ACCOUNT_LOCKED | Too many failed attempts |
| 429 | RATE_LIMIT_EXCEEDED | Throttled |
{
"code": "738204"
}{
"disabled": true,
"method": null
}Returns WebAuthn registration options with residentKey: "required" for discoverable credentials (passwordless-ready). Excludes already-registered credentials.
Headers:
Authorization: Bearer <accessToken>
Body: (empty){
"challenge": "dGVzdC1jaGFsbGVuZ2U...",
"rp": {
"name": "eToro",
"id": "etoro.com"
},
"user": {
"id": "MTIzNDU...",
"name": "user@email.com",
"displayName": "Yoni"
},
"pubKeyCredParams": [
{ "type": "public-key", "alg": -7 },
{ "type": "public-key", "alg": -257 }
],
"timeout": 120000,
"attestation": "none",
"authenticatorSelection": {
"residentKey": "required",
"requireResidentKey": true,
"userVerification": "preferred",
"authenticatorAttachment": "platform"
},
"excludeCredentials": [
{ "id": "existing-cred-base64url", "type": "public-key", "transports": ["internal"] }
]
}| Status | Code | Description |
|---|---|---|
| 409 | MAX_CREDENTIALS_REACHED | User already has 10 passkeys registered |
| 429 | RATE_LIMIT_EXCEEDED | Too many registration attempts |
{
"attestation": {
"id": "credential-id-base64url",
"rawId": "Y3JlZGVudGlhbC1pZA...",
"response": {
"clientDataJSON": "eyJ0eXBl...",
"attestationObject": "o2NmbXR...",
"transports": ["internal", "hybrid"]
},
"type": "public-key",
"clientExtensionResults": {
"credProps": {
"rk": true
}
},
"authenticatorAttachment": "platform"
},
"deviceName": "iPhone 15 Pro"
}{
"registered": true,
"credentialId": "credential-id-base64url",
"deviceName": "iPhone 15 Pro",
"deviceType": "multiDevice",
"backupEligible": true,
"backupState": true,
"transports": ["internal", "hybrid"]
}Server-side: Stores credential_id, public_key, sign_count=0, transports, aaguid, backup_eligible (BE flag from authenticatorData), backup_state (BS flag). If this is user's first passkey, also generates backup codes.
For standard 2FA: pass tempToken and get allowCredentials with user's registered passkeys. For passwordless/discoverable: omit tempToken and send empty allowCredentials.
Headers:
X-Temp-Token: <tempToken>
Body: (empty)Headers: (none)
Body: (empty)
// Returns empty allowCredentials
// for discoverable credential flow{
"challenge": "YXV0aC1jaGFsbGVuZ2U...",
"allowCredentials": [
{
"id": "cred-1-base64url",
"type": "public-key",
"transports": ["internal", "hybrid"]
},
{
"id": "cred-2-base64url",
"type": "public-key",
"transports": ["usb"]
}
],
"timeout": 120000,
"userVerification": "preferred",
"rpId": "etoro.com"
}{
"challenge": "cGFzc3dvcmRsZXNz...",
"allowCredentials": [],
"timeout": 120000,
"userVerification": "required",
"rpId": "etoro.com"
}{
"assertion": {
"id": "credential-id-base64url",
"rawId": "Y3JlZGVudGlhbC1pZA...",
"response": {
"clientDataJSON": "eyJ0eXBl...",
"authenticatorData": "SZYN5YgO...",
"signature": "MEUCIQC...",
"userHandle": "MTIzNDU..."
},
"type": "public-key",
"clientExtensionResults": {},
"authenticatorAttachment": "platform"
}
}{
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG...",
"expiresIn": 3600,
"credentialUsed": {
"id": "credential-id-base64url",
"deviceName": "iPhone 15 Pro"
}
}Server-side: Verifies signature, checks sign_count (must be > stored value or alert clone), updates last_used_at and sign_count. For passwordless: resolves user from userHandle in assertion.
{
"credentials": [
{
"id": "cred-id-1",
"deviceName": "iPhone 15 Pro",
"deviceType": "multiDevice",
"backupEligible": true,
"backupState": true,
"transports": ["internal", "hybrid"],
"lastUsed": "2026-02-22T10:30:00Z",
"createdAt": "2026-01-15T09:00:00Z"
},
{
"id": "cred-id-2",
"deviceName": "YubiKey 5",
"deviceType": "singleDevice",
"backupEligible": false,
"backupState": false,
"transports": ["usb", "nfc"],
"lastUsed": "2026-02-20T14:00:00Z",
"createdAt": "2026-02-01T11:00:00Z"
}
],
"maxCredentials": 10
}DELETE /api/v1/2fa/passkey/credentials/cred-id-2
Headers:
Authorization: Bearer <accessToken>
X-2FA-Code: 738204 // Current TOTP or backup code{
"deleted": true,
"credentialId": "cred-id-2",
"remainingCredentials": 1
}| Status | Code | Description |
|---|---|---|
| 400 | CANNOT_DELETE_LAST_METHOD | Cannot delete last passkey if it's the only 2FA method |
| 404 | CREDENTIAL_NOT_FOUND | Credential ID not found for this user |
{
"credentialId": "cred-id-1",
"deviceName": "Work Phone"
}{
"credentialId": "cred-id-1",
"deviceName": "Work Phone",
"updated": true
}Headers:
Authorization: Bearer <accessToken>
{ "currentCode": "738204" }{
"codes": [
"A1B2-C3D4", "E5F6-G7H8",
"I9J0-K1L2", "M3N4-O5P6",
"Q7R8-S9T0", "U1V2-W3X4",
"Y5Z6-A7B8", "C9D0-E1F2",
"G3H4-I5J6", "K7L8-M9N0"
],
"warning": "Store these codes securely. Previous codes are now invalid."
}{
"code": "A1B2-C3D4"
}{
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG...",
"codesRemaining": 9,
"warning": "You have 9 backup codes remaining"
}{
"enabled": true,
"primaryMethod": "totp",
"totp": { "enabled": true, "configuredAt": "2026-02-22T14:00:00Z" },
"webauthn": {
"enabled": true,
"credentials": [
{
"id": "cred-id-1",
"deviceName": "iPhone 15 Pro",
"lastUsed": "2026-02-22T10:00:00Z",
"createdAt": "2026-01-15T09:00:00Z",
"backedUp": true
}
]
},
"backupCodes": { "remaining": 8, "generatedAt": "2026-02-22T14:00:00Z" },
"recovery": { "email": "y***@etoro.com", "phone": "+972***1010" }
}{
"email": "user@email.com",
"identityProof": "base64-encoded-id-photo",
"reason": "lost_device"
}{
"recoveryId": "rec-uuid-123",
"status": "pending_review",
"estimatedTime": "24-48 hours",
"message": "Recovery request submitted. You'll receive an email with next steps."
}Recovery requires manual review by security team. User must verify identity via email link + ID document.
As a registered eToro user, I want to set up TOTP-based 2FA, so that my account has an additional layer of security.
As a user with TOTP enabled, I want to enter my authenticator code after password, so that my login is protected.
As a user, I want to register my device's biometric as a passkey, so that I can log in without typing codes.
As a user with registered passkeys, I want to authenticate using biometrics, so that login is fast and phishing-proof.
As a user with a discoverable passkey, I want to sign in without entering my username or password, so that login is instant.
As a user with registered passkeys, I want to view, rename, and delete my passkeys, so that I can manage my devices.
As a user logging in on a device without my passkey, I want to use my phone as an authenticator via QR code, so that I can securely log in anywhere.
As a user currently using SMS or TOTP, I want to be prompted to upgrade to Passkey, so that I benefit from better security and UX.
As a user who lost access to their authenticator, I want to use a backup code, so that I can still log in.
As a user, I want to disable 2FA, so that I can simplify my login if needed.
As a user who lost all 2FA methods, I want to recover my account, so that I'm not permanently locked out.
| HTTP | Error Code | Message | Action |
|---|---|---|---|
| 400 | INVALID_INPUT | Validation failed | Return field errors |
| 401 | INVALID_TOTP_CODE | Invalid verification code | Increment failure counter |
| 401 | CODE_ALREADY_USED | Code was already used | Log replay attempt |
| 401 | INVALID_BACKUP_CODE | Backup code invalid | Increment failure counter |
| 401 | WEBAUTHN_VERIFICATION_FAILED | Passkey verification failed | Log failure |
| 403 | 2FA_REQUIRED | Two-factor auth required | Redirect to 2FA prompt |
| 409 | TOTP_ALREADY_ENABLED | TOTP is already active | โ |
| 409 | MAX_CREDENTIALS_REACHED | Maximum 5 passkeys | โ |
| 423 | ACCOUNT_LOCKED | Account locked due to failed attempts | Email alert sent |
| 429 | RATE_LIMIT_EXCEEDED | Too many attempts | Return retryAfter header |
| 500 | ENCRYPTION_ERROR | Internal security error | Alert engineering + PagerDuty |
| Package | Version | Purpose |
|---|---|---|
otplib | ^12.0 | TOTP generation & verification |
@simplewebauthn/server | ^10.0 | WebAuthn server operations |
@nestjs/throttler | ^5.0 | Rate limiting |
qrcode | ^1.5 | QR code generation (optional, client-side) |
node:crypto | built-in | Random bytes, timing-safe compare |
bcrypt | ^5.1 | Backup code hashing |
| Service | Purpose |
|---|---|
| PostgreSQL 15+ | Persistent storage |
| Redis 7+ | Rate limiting, challenge cache |
| HashiCorp Vault | Transit encryption of TOTP secrets |
| Datadog | Monitoring & alerting |