Address PR #813 bot review comments

Chris0Jeky · Chris0Jeky · commit 192c51d198a4 · 2026-04-12T01:23:47.000+01:00
- MfaService: Store null instead of "EXHAUSTED" sentinel when recovery codes are exhausted
- MfaCredential.SetRecoveryCodes: Allow null/empty to clear codes (was throwing on empty)
- MfaCredential.Revoke(): Fix doc comment - clarify secret is preserved for audit trail
- AuthenticationRegistration: Add SignInScheme cookie for OAuth/OIDC external auth flow
- LoginView: Move type import before executable statements
- MfaSetup: Fix misleading "scan QR code" copy when no QR is rendered
diff --git a/backend/src/Taskdeck.Api/Extensions/AuthenticationRegistration.cs b/backend/src/Taskdeck.Api/Extensions/AuthenticationRegistration.cs
@@ -1,6 +1,7 @@
 using System.Security.Claims;
 using System.Text;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authentication.OAuth.Claims;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
@@ -14,6 +15,10 @@ namespace Taskdeck.Api.Extensions;
 
 public static class AuthenticationRegistration
 {
+    /// <summary>
+    /// Cookie scheme used for temporary external auth state (OAuth/OIDC handshake).
+    /// </summary>
+    public const string ExternalAuthenticationScheme = "External";
     public static IServiceCollection AddTaskdeckAuthentication(
         this IServiceCollection services,
         JwtSettings jwtSettings,
@@ -28,7 +33,21 @@ public static IServiceCollection AddTaskdeckAuthentication(
             return services;
         }
 
-        var authBuilder = services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+        var authBuilder = services.AddAuthentication(options =>
+            {
+                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+                options.DefaultSignInScheme = ExternalAuthenticationScheme;
+            })
+            .AddCookie(ExternalAuthenticationScheme, options =>
+            {
+                options.Cookie.Name = ".Taskdeck.ExternalAuth";
+                options.Cookie.HttpOnly = true;
+                options.Cookie.SameSite = SameSiteMode.Lax;
+                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+                options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
+                options.SlidingExpiration = false;
+            })
             .AddJwtBearer(options =>
             {
                 options.TokenValidationParameters = new TokenValidationParameters
@@ -92,6 +111,7 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
         {
             authBuilder.AddOAuth("GitHub", options =>
             {
+                options.SignInScheme = ExternalAuthenticationScheme;
                 options.ClientId = gitHubOAuthSettings.ClientId;
                 options.ClientSecret = gitHubOAuthSettings.ClientSecret;
                 options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
@@ -127,6 +147,7 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
 
                 authBuilder.AddOpenIdConnect(schemeName, provider.DisplayName, options =>
                 {
+                    options.SignInScheme = ExternalAuthenticationScheme;
                     options.Authority = provider.Authority;
                     options.ClientId = provider.ClientId;
                     options.ClientSecret = provider.ClientSecret;
diff --git a/backend/src/Taskdeck.Application/Services/MfaService.cs b/backend/src/Taskdeck.Application/Services/MfaService.cs
@@ -290,7 +290,7 @@ private bool TryUseRecoveryCode(MfaCredential credential, string code)
             hashedCodes.RemoveAt(i);
             credential.SetRecoveryCodes(hashedCodes.Count > 0
                 ? string.Join(",", hashedCodes)
-                : "EXHAUSTED"); // Sentinel value when all recovery codes are used
+                : null); // Clear recovery codes when all are exhausted
             return true;
         }
 
diff --git a/backend/src/Taskdeck.Domain/Entities/MfaCredential.cs b/backend/src/Taskdeck.Domain/Entities/MfaCredential.cs
@@ -69,19 +69,18 @@ public void Confirm()
 
     /// <summary>
     /// Sets the hashed recovery codes for this credential.
+    /// Pass null or empty to clear all recovery codes (e.g., when exhausted).
     /// </summary>
-    public void SetRecoveryCodes(string hashedRecoveryCodes)
+    public void SetRecoveryCodes(string? hashedRecoveryCodes)
     {
-        if (string.IsNullOrWhiteSpace(hashedRecoveryCodes))
-            throw new DomainException(ErrorCodes.ValidationError, "Recovery codes cannot be empty");
-
-        RecoveryCodes = hashedRecoveryCodes;
+        RecoveryCodes = string.IsNullOrWhiteSpace(hashedRecoveryCodes) ? null : hashedRecoveryCodes;
         Touch();
     }
 
     /// <summary>
-    /// Revokes this MFA credential by clearing the secret and marking as unconfirmed.
-    /// The entity remains for audit trail purposes.
+    /// Revokes this MFA credential by marking as unconfirmed.
+    /// Note: The secret is intentionally preserved for audit trail purposes;
+    /// full deletion should use repository deletion instead.
     /// </summary>
     public void Revoke()
     {
diff --git a/frontend/taskdeck-web/src/components/MfaSetup.vue b/frontend/taskdeck-web/src/components/MfaSetup.vue
@@ -107,12 +107,12 @@ onMounted(loadStatus)
     <!-- Setup in progress -->
     <div v-else-if="setupResponse" class="td-mfa-setup__wizard">
       <p class="td-mfa-setup__step">
-        1. Scan the QR code below with your authenticator app (Google Authenticator, Authy, etc.)
+        1. Add this secret to your authenticator app (Google Authenticator, Authy, etc.)
       </p>
-      <div class="td-mfa-setup__qr">
+      <div class="td-mfa-setup__secret-container">
         <code class="td-mfa-setup__secret">{{ setupResponse.sharedSecret }}</code>
         <p class="td-mfa-setup__hint">
-          Or manually enter this secret in your authenticator app.
+          Copy and paste this secret into your authenticator app.
         </p>
       </div>
 
@@ -256,7 +256,7 @@ onMounted(loadStatus)
   font-size: var(--td-font-sm);
 }
 
-.td-mfa-setup__qr {
+.td-mfa-setup__secret-container {
   background: var(--td-surface-container);
   padding: var(--td-space-4);
   border-radius: var(--td-radius-md);
diff --git a/frontend/taskdeck-web/src/views/LoginView.vue b/frontend/taskdeck-web/src/views/LoginView.vue
@@ -1,4 +1,5 @@
 <script setup lang="ts">
+import type { OidcProviderInfo } from '../types/auth'
 import { ref, onMounted } from 'vue'
 import { useRouter, useRoute } from 'vue-router'
 import { useSessionStore } from '../store/sessionStore'
@@ -10,8 +11,6 @@ const router = useRouter()
 const route = useRoute()
 const session = useSessionStore()
 
-import type { OidcProviderInfo } from '../types/auth'
-
 const username = ref('')
 const password = ref('')
 const formError = ref<string | null>(null)

Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,7 @@ private bool TryUseRecoveryCode(MfaCredential credential, string code)`
`290`	`290`	`hashedCodes.RemoveAt(i);`
`291`	`291`	`credential.SetRecoveryCodes(hashedCodes.Count > 0`
`292`	`292`	`? string.Join(",", hashedCodes)`
`293`		`- : "EXHAUSTED"); // Sentinel value when all recovery codes are used`
	`293`	`+ : null); // Clear recovery codes when all are exhausted`
`294`	`294`	`return true;`
`295`	`295`	`}`
`296`	`296`