feat(auth): admin-issued café recovery key login

Platform admins can generate a permanent recovery key per café (admin panel → Cafés). The café Owner uses it to sign in when OTP access is lost; once authenticated, all server-side data syncs as normal (data is per-café on the server, the device only caches it). Backend: - Cafe.RecoveryKeyHash (SHA-256, unique index) + RecoveryKeyCreatedAt; migration - RecoveryKeyGenerator util: MZ-XXXXX-XXXXX-XXXXX-XXXXX, ~190-bit entropy, stored as SHA-256 (API-token pattern — raw key shown once, never retrievable) - Admin: POST/DELETE /api/admin/cafes/{id}/recovery-key (key returned once); café list now reports HasRecoveryKey + RecoveryKeyCreatedAt - Login: POST /api/auth/login-key → exact-hash lookup → resolves café Owner → issues normal JWT; rate-limited (auth-otp), suspended/no-owner guarded, logged Admin UI: per-café generate / regenerate / revoke with one-time reveal + copy. Dashboard login: discreet "ورود با کلید بازیابی" link → key field. fa/en/ar. 86 tests pass; all tsc clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 15:10:11 +03:30
parent 76d4434581
commit a855cf1d80
19 changed files with 3871 additions and 10 deletions
@@ -134,6 +134,10 @@ public class AppDbContext : DbContext
        {
            e.HasKey(x => x.Id);
            e.HasIndex(x => x.Slug).IsUnique();
+            // Recovery-key login looks up the café by exact hash; Postgres treats
+            // NULLs as distinct so many cafés without a key coexist fine.
+            e.HasIndex(x => x.RecoveryKeyHash).IsUnique();
+            e.Property(x => x.RecoveryKeyHash).HasMaxLength(64);
            e.Property(x => x.Name).HasMaxLength(200).IsRequired();
            e.Property(x => x.Slug).HasMaxLength(100).IsRequired();
            e.Property(x => x.SnappfoodVendorId).HasMaxLength(100);
@@ -0,0 +1,50 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Meezi.Infrastructure.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddCafeRecoveryKey : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<DateTime>(
+                name: "RecoveryKeyCreatedAt",
+                table: "Cafes",
+                type: "timestamp with time zone",
+                nullable: true);
+
+            migrationBuilder.AddColumn<string>(
+                name: "RecoveryKeyHash",
+                table: "Cafes",
+                type: "character varying(64)",
+                maxLength: 64,
+                nullable: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Cafes_RecoveryKeyHash",
+                table: "Cafes",
+                column: "RecoveryKeyHash",
+                unique: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropIndex(
+                name: "IX_Cafes_RecoveryKeyHash",
+                table: "Cafes");
+
+            migrationBuilder.DropColumn(
+                name: "RecoveryKeyCreatedAt",
+                table: "Cafes");
+
+            migrationBuilder.DropColumn(
+                name: "RecoveryKeyHash",
+                table: "Cafes");
+        }
+    }
+}
@@ -360,6 +360,13 @@ namespace Meezi.Infrastructure.Data.Migrations
                        .IsRequired()
                        .HasColumnType("text");

+                    b.Property<DateTime?>("RecoveryKeyCreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("RecoveryKeyHash")
+                        .HasMaxLength(64)
+                        .HasColumnType("character varying(64)");
+
                    b.Property<bool>("ShowOnKoja")
                        .ValueGeneratedOnAdd()
                        .HasColumnType("boolean")
@@ -396,6 +403,9 @@ namespace Meezi.Infrastructure.Data.Migrations

                    b.HasKey("Id");

+                    b.HasIndex("RecoveryKeyHash")
+                        .IsUnique();
+
                    b.HasIndex("Slug")
                        .IsUnique();