feat:

* integrated totp
2023-09-06 11:26:22 +05:30
parent 9fda8c01f5
commit bbb1cf6301
17 changed files with 858 additions and 63 deletions
--- a/server/graph/generated/generated.go
+++ b/server/graph/generated/generated.go
@@ -45,15 +45,18 @@ type DirectiveRoot struct {

 type ComplexityRoot struct {
 	AuthResponse struct {
-		AccessToken               func(childComplexity int) int
-		ExpiresIn                 func(childComplexity int) int
-		IDToken                   func(childComplexity int) int
-		Message                   func(childComplexity int) int
-		RefreshToken              func(childComplexity int) int
-		ShouldShowEmailOtpScreen  func(childComplexity int) int
-		ShouldShowMobileOtpScreen func(childComplexity int) int
-		TotpBase64url             func(childComplexity int) int
-		User                      func(childComplexity int) int
+		AccessToken                func(childComplexity int) int
+		ExpiresIn                  func(childComplexity int) int
+		IDToken                    func(childComplexity int) int
+		Message                    func(childComplexity int) int
+		RefreshToken               func(childComplexity int) int
+		ShouldShowEmailOtpScreen   func(childComplexity int) int
+		ShouldShowMobileOtpScreen  func(childComplexity int) int
+		ShouldShowMobileTotpScreen func(childComplexity int) int
+		ShouldShowTotpScreen       func(childComplexity int) int
+		TokenTotp                  func(childComplexity int) int
+		TotpBase64url              func(childComplexity int) int
+		User                       func(childComplexity int) int
 	}

 	EmailTemplate struct {
@@ -204,6 +207,7 @@ type ComplexityRoot struct {
 		UpdateWebhook       func(childComplexity int, params model.UpdateWebhookRequest) int
 		VerifyEmail         func(childComplexity int, params model.VerifyEmailInput) int
 		VerifyOtp           func(childComplexity int, params model.VerifyOTPRequest) int
+		VerifyTotp          func(childComplexity int, params model.VerifyTOTPRequest) int
 	}

 	Pagination struct {
@@ -350,6 +354,7 @@ type MutationResolver interface {
 	Revoke(ctx context.Context, params model.OAuthRevokeInput) (*model.Response, error)
 	VerifyOtp(ctx context.Context, params model.VerifyOTPRequest) (*model.AuthResponse, error)
 	ResendOtp(ctx context.Context, params model.ResendOTPRequest) (*model.Response, error)
+	VerifyTotp(ctx context.Context, params model.VerifyTOTPRequest) (*model.AuthResponse, error)
 	DeleteUser(ctx context.Context, params model.DeleteUserInput) (*model.Response, error)
 	UpdateUser(ctx context.Context, params model.UpdateUserInput) (*model.User, error)
 	AdminSignup(ctx context.Context, params model.AdminSignupInput) (*model.Response, error)
@@ -449,6 +454,27 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in

 		return e.complexity.AuthResponse.ShouldShowMobileOtpScreen(childComplexity), true

+	case "AuthResponse.should_show_mobile_totp_screen":
+		if e.complexity.AuthResponse.ShouldShowMobileTotpScreen == nil {
+			break
+		}
+
+		return e.complexity.AuthResponse.ShouldShowMobileTotpScreen(childComplexity), true
+
+	case "AuthResponse.should_show_totp_screen":
+		if e.complexity.AuthResponse.ShouldShowTotpScreen == nil {
+			break
+		}
+
+		return e.complexity.AuthResponse.ShouldShowTotpScreen(childComplexity), true
+
+	case "AuthResponse.tokenTOTP":
+		if e.complexity.AuthResponse.TokenTotp == nil {
+			break
+		}
+
+		return e.complexity.AuthResponse.TokenTotp(childComplexity), true
+
 	case "AuthResponse.totpBase64URL":
 		if e.complexity.AuthResponse.TotpBase64url == nil {
 			break
@@ -1490,6 +1516,18 @@ func (e *executableSchema) Complexity(typeName, field string, childComplexity in

 		return e.complexity.Mutation.VerifyOtp(childComplexity, args["params"].(model.VerifyOTPRequest)), true

+	case "Mutation.verify_totp":
+		if e.complexity.Mutation.VerifyTotp == nil {
+			break
+		}
+
+		args, err := ec.field_Mutation_verify_totp_args(context.TODO(), rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Mutation.VerifyTotp(childComplexity, args["params"].(model.VerifyTOTPRequest)), true
+
 	case "Pagination.limit":
 		if e.complexity.Pagination.Limit == nil {
 			break
@@ -2163,6 +2201,7 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputValidateSessionInput,
 		ec.unmarshalInputVerifyEmailInput,
 		ec.unmarshalInputVerifyOTPRequest,
+		ec.unmarshalInputVerifyTOTPRequest,
 		ec.unmarshalInputWebhookRequest,
 	)
 	first := true
@@ -2320,12 +2359,15 @@ type AuthResponse {
  message: String!
  should_show_email_otp_screen: Boolean
  should_show_mobile_otp_screen: Boolean
+  should_show_mobile_totp_screen: Boolean
+  should_show_totp_screen: Boolean
  access_token: String
  id_token: String
  refresh_token: String
  expires_in: Int64
  user: User
  totpBase64URL: String
+  tokenTOTP: String
 }

 type Response {
@@ -2789,6 +2831,12 @@ input VerifyOTPRequest {
  state: String
 }

+input VerifyTOTPRequest {
+  otp: String!
+  token: String!
+  state: String
+}
+
 input ResendOTPRequest {
  email: String
  phone_number: String
@@ -2818,6 +2866,7 @@ type Mutation {
  revoke(params: OAuthRevokeInput!): Response!
  verify_otp(params: VerifyOTPRequest!): AuthResponse!
  resend_otp(params: ResendOTPRequest!): Response!
+  verify_totp(params: VerifyTOTPRequest!): AuthResponse!
  # admin only apis
  _delete_user(params: DeleteUserInput!): Response!
  _update_user(params: UpdateUserInput!): User!
@@ -3298,6 +3347,21 @@ func (ec *executionContext) field_Mutation_verify_otp_args(ctx context.Context,
 	return args, nil
 }

+func (ec *executionContext) field_Mutation_verify_totp_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
+	var err error
+	args := map[string]interface{}{}
+	var arg0 model.VerifyTOTPRequest
+	if tmp, ok := rawArgs["params"]; ok {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+		arg0, err = ec.unmarshalNVerifyTOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐVerifyTOTPRequest(ctx, tmp)
+		if err != nil {
+			return nil, err
+		}
+	}
+	args["params"] = arg0
+	return args, nil
+}
+
 func (ec *executionContext) field_Query___type_args(ctx context.Context, rawArgs map[string]interface{}) (map[string]interface{}, error) {
 	var err error
 	args := map[string]interface{}{}
@@ -3627,6 +3691,88 @@ func (ec *executionContext) fieldContext_AuthResponse_should_show_mobile_otp_scr
 	return fc, nil
 }

+func (ec *executionContext) _AuthResponse_should_show_mobile_totp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ShouldShowMobileTotpScreen, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*bool)
+	fc.Result = res
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AuthResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _AuthResponse_should_show_totp_screen(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ShouldShowTotpScreen, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*bool)
+	fc.Result = res
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AuthResponse_should_show_totp_screen(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AuthResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _AuthResponse_access_token(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_AuthResponse_access_token(ctx, field)
 	if err != nil {
@@ -3915,6 +4061,47 @@ func (ec *executionContext) fieldContext_AuthResponse_totpBase64URL(ctx context.
 	return fc, nil
 }

+func (ec *executionContext) _AuthResponse_tokenTOTP(ctx context.Context, field graphql.CollectedField, obj *model.AuthResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.TokenTotp, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*string)
+	fc.Result = res
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AuthResponse_tokenTOTP(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AuthResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_EmailTemplate_id(ctx, field)
 	if err != nil {
@@ -8049,6 +8236,10 @@ func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, fi
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -8061,6 +8252,8 @@ func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, fi
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -8124,6 +8317,10 @@ func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Cont
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -8136,6 +8333,8 @@ func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Cont
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -8199,6 +8398,10 @@ func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, fie
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -8211,6 +8414,8 @@ func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, fie
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -8274,6 +8479,10 @@ func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Conte
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -8286,6 +8495,8 @@ func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Conte
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -8515,6 +8726,10 @@ func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Conte
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -8527,6 +8742,8 @@ func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Conte
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -8826,6 +9043,10 @@ func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -8838,6 +9059,8 @@ func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -8915,6 +9138,87 @@ func (ec *executionContext) fieldContext_Mutation_resend_otp(ctx context.Context
 	return fc, nil
 }

+func (ec *executionContext) _Mutation_verify_totp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_verify_totp(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (interface{}, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Mutation().VerifyTotp(rctx, fc.Args["params"].(model.VerifyTOTPRequest))
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.AuthResponse)
+	fc.Result = res
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Mutation_verify_totp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Mutation",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "totpBase64URL":
+				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_verify_totp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Mutation__delete_user(ctx, field)
 	if err != nil {
@@ -10250,6 +10554,10 @@ func (ec *executionContext) fieldContext_Query_session(ctx context.Context, fiel
 				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_mobile_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_totp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
 			case "access_token":
 				return ec.fieldContext_AuthResponse_access_token(ctx, field)
 			case "id_token":
@@ -10262,6 +10570,8 @@ func (ec *executionContext) fieldContext_Query_session(ctx context.Context, fiel
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "totpBase64URL":
 				return ec.fieldContext_AuthResponse_totpBase64URL(ctx, field)
+			case "tokenTOTP":
+				return ec.fieldContext_AuthResponse_tokenTOTP(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
@@ -18261,6 +18571,50 @@ func (ec *executionContext) unmarshalInputVerifyOTPRequest(ctx context.Context,
 	return it, nil
 }

+func (ec *executionContext) unmarshalInputVerifyTOTPRequest(ctx context.Context, obj interface{}) (model.VerifyTOTPRequest, error) {
+	var it model.VerifyTOTPRequest
+	asMap := map[string]interface{}{}
+	for k, v := range obj.(map[string]interface{}) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"otp", "token", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "otp":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
+			it.Otp, err = ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		case "token":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+			it.Token, err = ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		case "state":
+			var err error
+
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			it.State, err = ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+		}
+	}
+
+	return it, nil
+}
+
 func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, obj interface{}) (model.WebhookRequest, error) {
 	var it model.WebhookRequest
 	asMap := map[string]interface{}{}
@@ -18322,6 +18676,14 @@ func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.Selection

 			out.Values[i] = ec._AuthResponse_should_show_mobile_otp_screen(ctx, field, obj)

+		case "should_show_mobile_totp_screen":
+
+			out.Values[i] = ec._AuthResponse_should_show_mobile_totp_screen(ctx, field, obj)
+
+		case "should_show_totp_screen":
+
+			out.Values[i] = ec._AuthResponse_should_show_totp_screen(ctx, field, obj)
+
 		case "access_token":

 			out.Values[i] = ec._AuthResponse_access_token(ctx, field, obj)
@@ -18346,6 +18708,10 @@ func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.Selection

 			out.Values[i] = ec._AuthResponse_totpBase64URL(ctx, field, obj)

+		case "tokenTOTP":
+
+			out.Values[i] = ec._AuthResponse_tokenTOTP(ctx, field, obj)
+
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -19152,6 +19518,15 @@ func (ec *executionContext) _Mutation(ctx context.Context, sel ast.SelectionSet)
 				return ec._Mutation_resend_otp(ctx, field)
 			})

+			if out.Values[i] == graphql.Null {
+				invalids++
+			}
+		case "verify_totp":
+
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation_verify_totp(ctx, field)
+			})
+
 			if out.Values[i] == graphql.Null {
 				invalids++
 			}
@@ -21234,6 +21609,11 @@ func (ec *executionContext) unmarshalNVerifyOTPRequest2githubᚗcomᚋauthorizer
 	return res, graphql.ErrorOnPath(ctx, err)
 }

+func (ec *executionContext) unmarshalNVerifyTOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐVerifyTOTPRequest(ctx context.Context, v interface{}) (model.VerifyTOTPRequest, error) {
+	res, err := ec.unmarshalInputVerifyTOTPRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
 func (ec *executionContext) marshalNWebhook2githubᚗcomᚋauthorizerdevᚋauthorizerᚋserverᚋgraphᚋmodelᚐWebhook(ctx context.Context, sel ast.SelectionSet, v model.Webhook) graphql.Marshaler {
 	return ec._Webhook(ctx, sel, &v)
 }
--- a/server/graph/model/models_gen.go
+++ b/server/graph/model/models_gen.go
@@ -26,15 +26,18 @@ type AdminSignupInput struct {
 }

 type AuthResponse struct {
-	Message                   string  `json:"message"`
-	ShouldShowEmailOtpScreen  *bool   `json:"should_show_email_otp_screen"`
-	ShouldShowMobileOtpScreen *bool   `json:"should_show_mobile_otp_screen"`
-	AccessToken               *string `json:"access_token"`
-	IDToken                   *string `json:"id_token"`
-	RefreshToken              *string `json:"refresh_token"`
-	ExpiresIn                 *int64  `json:"expires_in"`
-	User                      *User   `json:"user"`
-	TotpBase64url             *string `json:"totpBase64URL"`
+	Message                    string  `json:"message"`
+	ShouldShowEmailOtpScreen   *bool   `json:"should_show_email_otp_screen"`
+	ShouldShowMobileOtpScreen  *bool   `json:"should_show_mobile_otp_screen"`
+	ShouldShowMobileTotpScreen *bool   `json:"should_show_mobile_totp_screen"`
+	ShouldShowTotpScreen       *bool   `json:"should_show_totp_screen"`
+	AccessToken                *string `json:"access_token"`
+	IDToken                    *string `json:"id_token"`
+	RefreshToken               *string `json:"refresh_token"`
+	ExpiresIn                  *int64  `json:"expires_in"`
+	User                       *User   `json:"user"`
+	TotpBase64url              *string `json:"totpBase64URL"`
+	TokenTotp                  *string `json:"tokenTOTP"`
 }

 type DeleteEmailTemplateRequest struct {
@@ -509,6 +512,12 @@ type VerifyOTPRequest struct {
 	State       *string `json:"state"`
 }

+type VerifyTOTPRequest struct {
+	Otp   string  `json:"otp"`
+	Token string  `json:"token"`
+	State *string `json:"state"`
+}
+
 type Webhook struct {
 	ID               string                 `json:"id"`
 	EventName        *string                `json:"event_name"`
--- a/server/graph/schema.graphqls
+++ b/server/graph/schema.graphqls
@@ -94,12 +94,15 @@ type AuthResponse {
  message: String!
  should_show_email_otp_screen: Boolean
  should_show_mobile_otp_screen: Boolean
+  should_show_mobile_totp_screen: Boolean
+  should_show_totp_screen: Boolean
  access_token: String
  id_token: String
  refresh_token: String
  expires_in: Int64
  user: User
  totpBase64URL: String
+  tokenTOTP: String
 }

 type Response {
@@ -563,6 +566,12 @@ input VerifyOTPRequest {
  state: String
 }

+input VerifyTOTPRequest {
+  otp: String!
+  token: String!
+  state: String
+}
+
 input ResendOTPRequest {
  email: String
  phone_number: String
@@ -592,6 +601,7 @@ type Mutation {
  revoke(params: OAuthRevokeInput!): Response!
  verify_otp(params: VerifyOTPRequest!): AuthResponse!
  resend_otp(params: ResendOTPRequest!): Response!
+  verify_totp(params: VerifyTOTPRequest!): AuthResponse!
  # admin only apis
  _delete_user(params: DeleteUserInput!): Response!
  _update_user(params: UpdateUserInput!): User!
--- a/server/graph/schema.resolvers.go
+++ b/server/graph/schema.resolvers.go
@@ -81,6 +81,11 @@ func (r *mutationResolver) ResendOtp(ctx context.Context, params model.ResendOTP
 	return resolvers.ResendOTPResolver(ctx, params)
 }

+// VerifyTotp is the resolver for the verify_totp field.
+func (r *mutationResolver) VerifyTotp(ctx context.Context, params model.VerifyTOTPRequest) (*model.AuthResponse, error) {
+	return resolvers.VerifyTotpResolver(ctx, params)
+}
+
 // DeleteUser is the resolver for the _delete_user field.
 func (r *mutationResolver) DeleteUser(ctx context.Context, params model.DeleteUserInput) (*model.Response, error) {
 	return resolvers.DeleteUserResolver(ctx, params)