
🚨 2FA & Session - Critical Action Items (Immediate Focus)

Date: January 26, 2026
Status: 🔴 PRODUCTION BLOCKING
Target Resolution: Within 48 hours


🔥 TOP 3 CRITICAL FIXES (P0)

1. Fix 2FA Validation Logic Mismatches

Problem: The frontend sends placeholder values ("me", "FETCH_FROM_DB") that the backend cannot process.

Required Actions:

  • Backend: Modify ValidateEmailOtp to extract userdb from user claims (not route parameter)
  • Backend: Modify ValidateTwoFactorCode to fetch GoogleUserKey from database (not request body)
  • Frontend: Update twoFactorService.ts to use real user context, remove placeholders

Impact: Without this fix, 2FA validation will fail 100% of the time.


2. Secure Session Storage

Problem: Session tokens are stored in sessionStorage, where any script running on the page can read them (XSS exposure); this also violates the spec.

Required Actions:

  • Frontend: Replace sessionStorage.setItem("session_token", ...) with secure HTTP-only cookies
  • Frontend: Update api.ts interceptor to read from new storage mechanism
  • Testing: Verify that tokens are not accessible via JavaScript (e.g., not readable through document.cookie or sessionStorage)

Impact: Security vulnerability, potential session hijacking.


3. Add 401 Response Handling

Problem: Users get abrupt failures when sessions expire, no automatic redirect to login.

Required Actions:

  • Frontend: Add axios response interceptor in api.ts to catch 401 responses
  • Frontend: Implement redirect to login page with appropriate messaging
  • Frontend: Clear invalid session tokens on 401 response

Impact: Poor user experience; session expiry appears to the user as a system failure.
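The 401 handling requested above, as an added example rather than code from the project: a pure decision function plus an axios-style onRejected handler, so the logic can be unit-tested without a browser or live backend. It assumes the shared api instance registers the handler via api.interceptors.response.use(r => r, onRejected), that the login route is "/login", and that the login/2FA endpoints live under a hypothetical "/auth/" prefix.

```typescript
// Added example (not the project's code): 401 handling for the shared api instance.
// Assumptions: registered with api.interceptors.response.use(r => r, onRejected);
// login route is "/login"; auth endpoints sit under a hypothetical "/auth/" prefix.

export const LOGIN_PATH = "/login";
export const SESSION_EXPIRED = "session_expired";

// Minimal shape of an axios error: only the fields the handler reads.
export interface ApiError {
  response?: { status: number };
  config?: { url?: string };
}

// Abstractions over the browser so the logic can be exercised in tests.
export interface SessionState { clear(): void }
export interface Nav { redirectToLogin(path: string, reason: string): void }

// A 401 means "session gone" only when it comes from a normal API call.
// A 401 from the login / 2FA endpoints is a wrong credential or OTP and
// must keep the user on the 2FA page instead of bouncing them to login.
export function classifyError(err: ApiError): "logout" | "passthrough" {
  if (err.response?.status !== 401) return "passthrough"; // incl. network errors
  if ((err.config?.url ?? "").startsWith("/auth/")) return "passthrough";
  return "logout";
}

export function makeOnRejected(session: SessionState, nav: Nav) {
  let redirecting = false; // a burst of parallel 401s must redirect only once
  return (err: ApiError): Promise<never> => {
    if (classifyError(err) === "logout" && !redirecting) {
      redirecting = true;
      // With HttpOnly cookies JS cannot delete the cookie itself; clearing here
      // means dropping client-side user state. The server-side session is
      // already invalid, which is why the 401 arrived in the first place.
      session.clear();
      nav.redirectToLogin(LOGIN_PATH, SESSION_EXPIRED);
    }
    return Promise.reject(err); // callers still see the failure
  };
}
```

Once tokens move to HttpOnly cookies, the shared api instance also needs withCredentials: true so the browser attaches the cookie to cross-origin requests; the interceptor itself does not change.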


⚡ QUICK WINS (Can be done today)

1. Update Session Service

Fix: Refactor sessionService.ts to use the shared api instance instead of direct axios.
Benefit: Consistent token injection, less code duplication.
Effort: 1 hour

2. Improve Device Identification

Fix: Capture actual browser info in TakeoverModal instead of showing "Unknown".
Benefit: Users can identify their active sessions.
Effort: 2 hours

3. Add OTP Countdown Timer

Fix: Visual 5-minute countdown for Email OTP validity.
Benefit: Better user experience, reduces support calls.
Effort: 2 hours


🧪 IMMEDIATE TESTING REQUIRED

Test 1: Email OTP Full Flow

1. Login with 2FA-enabled test user
2. Select Email OTP method
3. Check email for OTP code
4. Enter code in 2FA page
5. Verify successful login to dashboard

Test 2: Session Conflict

1. Login on Browser A (Chrome)
2. Attempt login on Browser B (Firefox)
3. Verify takeover modal shows correct device info
4. Confirm takeover, verify Browser A logged out

Test 3: 401 Handling

1. Login successfully
2. Manually delete session token from storage/cookie
3. Attempt API call (e.g., load members list)
4. Verify automatic redirect to login page

📍 CODE LOCATIONS FOR CRITICAL FIXES

Backend (C#)

  • TwoFactorAuthController.cs:217 - ValidateEmailOtp method
  • TwoFactorAuthController.cs:87 - ValidateTwoFactorCode method
  • SessionController.cs:61 - GetUserContext method (dbname resolution)

Frontend (TypeScript)

  • chsmobilenext/src/services/twoFactorService.ts:26,71 - Placeholder values
  • chsmobilenext/src/app/login/page.tsx:70,87 - sessionStorage usage
  • chsmobilenext/src/lib/api.ts:20-24 - Add 401 interceptor
  • chsmobilenext/src/components/auth/TakeoverModal.tsx - Device info display

🎯 SUCCESS METRICS (Post-Fix)

  • 2FA success rate > 95%
  • Average 2FA completion time < 60 seconds
  • Zero security incidents related to session storage
  • Users can successfully identify active sessions in conflict modal

📞 ESCALATION CONTACTS

| Role | Contact | For Issues Related To |
|---|---|---|
| Backend Lead | [Name] | C# controller/repository changes |
| Frontend Lead | [Name] | React/TypeScript implementation |
| Security Team | [Name] | Authentication/Session security |
| Database Admin | [Name] | Schema verification/queries |

โฐ TIMELINE ESTIMATE

| Phase | Duration | Deliverables |
|---|---|---|
| P0 Fixes | 12 hours | All critical integration fixes complete |
| Testing | 4 hours | All test scenarios passing |
| Security Review | 2 hours | Security team sign-off |
| Total | 18 hours | Production-ready |

Recommended: Complete within 2 business days.


Document Reference: See detailed analysis in 2FA-Session-Handling-Action-Points.md
Last Updated: January 26, 2026