"use client"; import * as React from "react"; import Image from "next/image"; import { ShieldCheck, ShieldOff, Copy } from "lucide-react"; import { Checkbox } from "@/components/ui/checkbox"; import { Button } from "@/components/ui/button"; import { Label } from "@/components/ui/label"; import { Input } from "@/components/ui/input"; import { InputOTP, InputOTPGroup, InputOTPSlot, } from "@/components/ui/input-otp"; import { useGetTwoFactorStatusQuery, useGenerateTwoFactorSecretMutation, useEnableTwoFactorMutation, useDisableTwoFactorMutation, } from "@/api/rtk/auth-api"; import { useAuthToken } from "@/hooks/use-auth-token"; import { Card, CardHeader } from "@/components/settings/ui"; import { toast } from "sonner"; import { copyTextToClipboard } from "@/lib/clipboard-write"; /** Groups base32 TOTP secret as XXXX-XXXX-… for manual entry (raw secret unchanged for API). */ function formatTotpSecretForDisplay(secret: string): string { const cleaned = secret.replace(/[^A-Za-z2-7]/gi, "").toUpperCase(); if (!cleaned) return secret.trim(); return cleaned.match(/.{1,4}/g)?.join("-") ?? cleaned; } export function AdminTwoFactorCard() { const { token } = useAuthToken(); const { data: status, isLoading: statusLoading } = useGetTwoFactorStatusQuery( undefined, { skip: !token }, ); const [generateSecret, { isLoading: generating }] = useGenerateTwoFactorSecretMutation(); const [enable2fa, { isLoading: enabling }] = useEnableTwoFactorMutation(); const [disable2fa, { isLoading: disabling }] = useDisableTwoFactorMutation(); const [wantsSetup, setWantsSetup] = React.useState(false); const [pendingSecret, setPendingSecret] = React.useState(null); const [qrDataUrl, setQrDataUrl] = React.useState(null); const [verifyCode, setVerifyCode] = React.useState(""); const [disableCode, setDisableCode] = React.useState(""); const [showDisable, setShowDisable] = React.useState(false); /** Shown once after enable — same values as DB / email (not the TOTP secret). */ const [pendingRecovery, setPendingRecovery] = React.useState<{ codes: string[]; keys: string[]; } | null>(null); React.useEffect(() => { if (status?.twoFactorEnabled) { setWantsSetup(false); setPendingSecret(null); setQrDataUrl(null); setVerifyCode(""); } }, [status?.twoFactorEnabled]); const startSetup = async () => { try { const res = await generateSecret({ method: "app" }).unwrap(); setPendingSecret(res.secret); setQrDataUrl(res.qrCodeDataUrl || null); setVerifyCode(""); } catch { toast.error("Could not start authenticator setup. Try again."); } }; const handleWantsSetupChange = (checked: boolean) => { setWantsSetup(checked); if (checked) { void startSetup(); } else { setPendingSecret(null); setQrDataUrl(null); setVerifyCode(""); } }; const handleEnable = async () => { if (!pendingSecret || verifyCode.trim().length !== 6) { toast.error("Enter the 6-digit code from your authenticator app."); return; } try { const data = await enable2fa({ secret: pendingSecret, token: verifyCode.trim(), method: "app", }).unwrap(); setPendingRecovery({ codes: data.backupCodes ?? [], keys: data.backupKeys ?? [], }); toast.success("2FA is on. Save the recovery codes below — they also went to your email."); setWantsSetup(false); setPendingSecret(null); setQrDataUrl(null); setVerifyCode(""); } catch { toast.error("Invalid code or setup failed. Try again."); } }; const handleDisable = async () => { if (disableCode.trim().length !== 6) { toast.error("Enter your current authenticator code to turn off 2FA."); return; } try { await disable2fa({ token: disableCode.trim() }).unwrap(); toast.success("Two-factor authentication has been disabled."); setShowDisable(false); setDisableCode(""); } catch { toast.error("Invalid code. Two-factor authentication is still enabled."); } }; if (statusLoading || !status) { return ( ); } return (
{status.twoFactorEnabled ? (
{pendingRecovery && (pendingRecovery.codes.length > 0 || pendingRecovery.keys.length > 0) && (

Save these one-time login recovery codes

Use them only on the login screen under "Backup code / key" if you lose your phone. They are not the same as the authenticator secret (QR / manual key) — that secret only goes in your app.

{pendingRecovery.codes.length > 0 && (

Short codes (3 blocks each, e.g. XXXX-XXXX-XXXX)

    {pendingRecovery.codes.map((c, i) => (
  • {c}
    • ))}
)} {pendingRecovery.keys.length > 0 && (

Long keys (6 blocks each)

    {pendingRecovery.keys.map((k, i) => (
  • {k}
    • ))}
)}
)}

Authenticator app enabled

Method: {status.twoFactorMethod ?? "app"}. You will enter a 6-digit code after your password at login.

{!showDisable ? ( ) : (
setDisableCode(v.replace(/\D/g, ""))} >
)}
) : (
handleWantsSetupChange(c === true)} disabled={generating} className="mt-0.5 border-gray-300 data-[state=checked]:bg-[#6C63FF] data-[state=checked]:border-[#6C63FF]" />

Scan the QR code with Google Authenticator, Authy, or another TOTP app, then confirm with a 6-digit code.

{wantsSetup && pendingSecret && (
{qrDataUrl ? (
QR code for authenticator setup

Scan this QR code, or enter the secret manually in your app.

) : null}

Dashes are only for readability. Your app accepts the same key with or without them. This is not a backup login code — recovery codes appear only after you confirm below (and in your email).

setVerifyCode(v.replace(/\D/g, ""))} >
)}
)}
); }