feat: implement device login approval system

Add a complete device authentication approval flow that allows users to approve login requests from new devices on their already-authenticated devices. Core features: - Create authentication requests when logging in from new devices - Display pending requests with device info, IP address, and fingerprint phrases - Approve or deny requests from web interface with real-time notifications - Support multiple auth request types (authenticate & unlock, unlock only) - Automatic expiration and cleanup of stale requests Backend changes: - Add auth_requests table with proper indexes for efficient queries - Implement full CRUD API for authentication requests - Add notification hub integration for real-time updates - Add device fingerprint phrase generation for security verification Frontend changes: - Add AuthRequestApprovalDialog component for approving/denying requests - Add PendingAuthRequestsPanel component to display and manage pending requests - Integrate panels into Security and Settings pages - Add fingerprint wordlist for generating human-readable verification phrases - Update i18n translations for all supported languages Security considerations: - Access code verification to prevent unauthorized access - Device fingerprint validation for additional security layer - IP address and country tracking for audit purposes - Automatic expiration of old requests (15 minutes) - Only most recent request per device can be approved Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 21:00:41 +00:00 · 2026-06-12 13:12:11 +08:00
parent e9aef72df7
commit c652cc1533
27 changed files with 9187 additions and 92 deletions
@@ -5,13 +5,17 @@ const SIGNALR_RECORD_SEPARATOR = 0x1e;
 const SIGNALR_HANDSHAKE_ACK = new Uint8Array([0x7b, 0x7d, SIGNALR_RECORD_SEPARATOR]);
 const SIGNALR_UPDATE_TYPE_SYNC_VAULT = 5;
 const SIGNALR_UPDATE_TYPE_LOG_OUT = 11;
-const SIGNALR_UPDATE_TYPE_DEVICE_STATUS = 12;
 const SIGNALR_UPDATE_TYPE_BACKUP_RESTORE_PROGRESS = 13;
+const SIGNALR_UPDATE_TYPE_AUTH_REQUEST = 15;
+const SIGNALR_UPDATE_TYPE_AUTH_REQUEST_RESPONSE = 16;

 type HubProtocol = 'json' | 'messagepack';
+type HubKind = 'user' | 'anonymous-auth-request';

 interface WsAttachment {
-  userId: string;
+  kind: HubKind;
+  userId: string | null;
+  authRequestId: string | null;
  handshakeComplete: boolean;
  protocol: HubProtocol;
  deviceIdentifier: string | null;
@@ -137,11 +141,12 @@ function frameSignalRBinary(payload: Uint8Array): Uint8Array {
 function buildSignalRJsonInvocation(
  updateType: number,
  payload: Record<string, unknown>,
-  contextId: string | null
+  contextId: string | null,
+  target: string = 'ReceiveMessage'
 ): string {
  return JSON.stringify({
    type: 1,
-    target: 'ReceiveMessage',
+    target,
    arguments: [
        {
          ContextId: contextId,
@@ -155,7 +160,8 @@ function buildSignalRJsonInvocation(
 function buildSignalRMessagePackInvocation(
  updateType: number,
  messagePayload: Record<string, unknown>,
-  contextId: string | null
+  contextId: string | null,
+  target: string = 'ReceiveMessage'
 ): Uint8Array {
  // SignalR MessagePack hub protocol uses an array-based invocation shape:
  // [type, headers, invocationId, target, arguments]
@@ -163,7 +169,7 @@ function buildSignalRMessagePackInvocation(
    1,
    {},
    null,
-    'ReceiveMessage',
+    target,
    [
      {
        ContextId: contextId,
@@ -213,6 +219,20 @@ export class NotificationsHub extends DurableObject<Env> {
      return new Response(null, { status: 204 });
    }

+    if (url.pathname === '/internal/auth-request-response' && request.method === 'POST') {
+      const body = (await request.json().catch(() => null)) as {
+        userId?: string;
+        authRequestId?: string;
+        contextId?: string | null;
+      } | null;
+      const userId = String(body?.userId || '').trim();
+      const authRequestId = String(body?.authRequestId || '').trim();
+      if (!userId || !authRequestId) return new Response('Invalid auth request notification', { status: 400 });
+
+      this.broadcastAuthRequestResponse(userId, authRequestId, String(body?.contextId || '').trim() || null);
+      return new Response(null, { status: 204 });
+    }
+
    if (url.pathname === '/internal/online' && request.method === 'GET') {
      return new Response(JSON.stringify({ deviceIdentifiers: this.getOnlineDeviceIdentifiers() }), {
        status: 200,
@@ -222,7 +242,7 @@ export class NotificationsHub extends DurableObject<Env> {
      });
    }

-    if (url.pathname !== '/notifications/hub') {
+    if (url.pathname !== '/notifications/hub' && url.pathname !== '/notifications/anonymous-hub') {
      return new Response('Not found', { status: 404 });
    }

@@ -232,8 +252,13 @@ export class NotificationsHub extends DurableObject<Env> {

    const requestUserId = String(url.searchParams.get('nw_uid') || '').trim();
    const requestDeviceIdentifier = String(url.searchParams.get('nw_did') || '').trim() || null;
+    const requestAuthRequestId = String(url.searchParams.get('nw_auth_request_id') || '').trim() || null;
+    const isAnonymousAuthRequestHub = url.pathname === '/notifications/anonymous-hub';

-    if (!requestUserId) {
+    if (!isAnonymousAuthRequestHub && !requestUserId) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+    if (isAnonymousAuthRequestHub && !requestAuthRequestId) {
      return new Response('Unauthorized', { status: 401 });
    }

@@ -248,7 +273,9 @@ export class NotificationsHub extends DurableObject<Env> {
    this.ctx.acceptWebSocket(server, tags);

    server.serializeAttachment({
-      userId: requestUserId,
+      kind: isAnonymousAuthRequestHub ? 'anonymous-auth-request' : 'user',
+      userId: isAnonymousAuthRequestHub ? null : requestUserId,
+      authRequestId: requestAuthRequestId,
      handshakeComplete: false,
      protocol: 'messagepack',
      deviceIdentifier: requestDeviceIdentifier,
@@ -274,7 +301,6 @@ export class NotificationsHub extends DurableObject<Env> {
          attachment.handshakeComplete = true;
          ws.serializeAttachment(attachment);
          ws.send(SIGNALR_HANDSHAKE_ACK);
-          this.broadcastDeviceStatus(attachment.userId);
          return;
        } catch {
          // Ignore malformed pre-handshake payloads.
@@ -293,26 +319,22 @@ export class NotificationsHub extends DurableObject<Env> {
  }

  async webSocketClose(ws: WebSocket, code: number, reason: string, wasClean: boolean): Promise<void> {
-    const attachment = ws.deserializeAttachment() as WsAttachment | null;
-    const shouldBroadcast = !!attachment?.handshakeComplete;
-    if (shouldBroadcast && attachment?.userId) {
-      this.broadcastDeviceStatus(attachment.userId);
-    }
+    void ws;
+    void code;
+    void reason;
+    void wasClean;
  }

  async webSocketError(ws: WebSocket, error: unknown): Promise<void> {
-    const attachment = ws.deserializeAttachment() as WsAttachment | null;
-    const shouldBroadcast = !!attachment?.handshakeComplete;
-    if (shouldBroadcast && attachment?.userId) {
-      this.broadcastDeviceStatus(attachment.userId);
-    }
+    void ws;
+    void error;
  }

  private getOnlineDeviceIdentifiers(): string[] {
    const out = new Set<string>();
    for (const ws of this.ctx.getWebSockets()) {
      const attachment = ws.deserializeAttachment() as WsAttachment | null;
-      if (!attachment?.handshakeComplete || !attachment.deviceIdentifier) continue;
+      if (!attachment?.handshakeComplete || attachment.kind !== 'user' || !attachment.deviceIdentifier) continue;
      out.add(attachment.deviceIdentifier);
    }
    return Array.from(out);
@@ -349,16 +371,45 @@ export class NotificationsHub extends DurableObject<Env> {
    }
  }

-  private broadcastDeviceStatus(userId: string): void {
-    this.broadcastMessage(
-      SIGNALR_UPDATE_TYPE_DEVICE_STATUS,
-      {
+  private broadcastAuthRequestResponse(userId: string, authRequestId: string, contextId: string | null): void {
+    for (const ws of this.ctx.getWebSockets()) {
+      const attachment = ws.deserializeAttachment() as WsAttachment | null;
+      if (
+        !attachment?.handshakeComplete ||
+        attachment.kind !== 'anonymous-auth-request' ||
+        attachment.authRequestId !== authRequestId
+      ) {
+        continue;
+      }
+
+      const payload = {
        UserId: userId,
-        Date: new Date().toISOString(),
-      },
-      null,
-      null
-    );
+        Id: authRequestId,
+      };
+      try {
+        if (attachment.protocol === 'json') {
+          ws.send(buildSignalRJsonInvocation(
+            SIGNALR_UPDATE_TYPE_AUTH_REQUEST_RESPONSE,
+            payload,
+            contextId,
+            'AuthRequestResponseRecieved'
+          ));
+        } else {
+          ws.send(buildSignalRMessagePackInvocation(
+            SIGNALR_UPDATE_TYPE_AUTH_REQUEST_RESPONSE,
+            payload,
+            contextId,
+            'AuthRequestResponseRecieved'
+          ));
+        }
+      } catch {
+        try {
+          ws.close(1011, 'Notification send failed');
+        } catch {
+          // ignore close races
+        }
+      }
+    }
  }
 }

@@ -392,13 +443,59 @@ export async function getOnlineUserDevices(env: Env, userId: string): Promise<st
  }
 }

+export async function notifyAuthRequestResponse(
+  env: Env,
+  userId: string,
+  authRequestId: string,
+  contextId?: string | null
+): Promise<void> {
+  try {
+    const id = env.NOTIFICATIONS_HUB.idFromName(authRequestId);
+    const stub = env.NOTIFICATIONS_HUB.get(id);
+    await stub.fetch('https://notifications/internal/auth-request-response', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        userId,
+        authRequestId,
+        contextId: contextId || null,
+      }),
+    });
+  } catch (error) {
+    console.error('Failed to broadcast auth request response notification:', error);
+  }
+}
+
+export function notifyUserAuthRequest(
+  env: Env,
+  userId: string,
+  authRequestId: string,
+  contextId?: string | null
+): void {
+  waitUntil(notifyUserUpdate(
+    env,
+    userId,
+    SIGNALR_UPDATE_TYPE_AUTH_REQUEST,
+    new Date().toISOString(),
+    contextId ?? null,
+    null,
+    {
+      UserId: userId,
+      Id: authRequestId,
+    }
+  ));
+}
+
 async function notifyUserUpdate(
  env: Env,
  userId: string,
  updateType: number,
  revisionDate: string,
  contextId: string | null,
-  targetDeviceIdentifier: string | null
+  targetDeviceIdentifier: string | null,
+  payloadOverride?: Record<string, unknown> | null
 ): Promise<void> {
  try {
    const id = env.NOTIFICATIONS_HUB.idFromName(userId);
@@ -414,7 +511,7 @@ async function notifyUserUpdate(
        contextId: contextId || null,
        updateType,
        targetDeviceIdentifier: targetDeviceIdentifier || null,
-        payload: {
+        payload: payloadOverride || {
          UserId: userId,
          Date: revisionDate,
        },
@@ -0,0 +1,269 @@
+import type { AuthRequestRecord, AuthRequestType, Env } from '../types';
+import { StorageService } from '../services/storage';
+import { generateUUID } from '../utils/uuid';
+import { readAuthRequestDeviceInfo, readActingDeviceIdentifier } from '../utils/device';
+import { errorResponse, jsonResponse } from '../utils/response';
+import { isAuthRequestExpired } from '../services/storage-auth-request-repo';
+import { notifyAuthRequestResponse, notifyUserAuthRequest } from '../durable/notifications-hub';
+
+const AUTH_REQUEST_TYPE_AUTHENTICATE_AND_UNLOCK = 0;
+const AUTH_REQUEST_TYPE_UNLOCK = 1;
+const AUTH_REQUEST_TYPE_ADMIN_APPROVAL = 2;
+
+function normalizeText(value: unknown, maxLength: number): string {
+  return String(value ?? '').trim().slice(0, maxLength);
+}
+
+function getClientIp(request: Request): string | null {
+  return (
+    request.headers.get('CF-Connecting-IP') ||
+    request.headers.get('X-Forwarded-For')?.split(',')[0]?.trim() ||
+    null
+  );
+}
+
+function getCountryName(request: Request): string | null {
+  return request.headers.get('CF-IPCountry') || null;
+}
+
+function deviceTypeName(type: number): string {
+  const names: Record<number, string> = {
+    0: 'Android',
+    1: 'iOS',
+    2: 'Chrome Extension',
+    3: 'Firefox Extension',
+    4: 'Opera Extension',
+    5: 'Edge Extension',
+    6: 'Windows Desktop',
+    7: 'macOS Desktop',
+    8: 'Linux Desktop',
+    9: 'Chrome',
+    10: 'Firefox',
+    11: 'Opera',
+    12: 'Edge',
+    13: 'Internet Explorer',
+    14: 'Unknown Browser',
+    15: 'Android',
+    16: 'Windows UWP',
+    17: 'Safari',
+    18: 'Vivaldi',
+    19: 'Vivaldi Extension',
+    20: 'Safari Extension',
+    21: 'SDK',
+    22: 'Server',
+    23: 'Windows CLI',
+    24: 'macOS CLI',
+    25: 'Linux CLI',
+    26: 'DuckDuckGo',
+  };
+  return names[type] || `Device ${type}`;
+}
+
+function buildOrigin(request: Request): string {
+  return new URL(request.url).host;
+}
+
+function toAuthRequestResponse(request: Request, authRequest: AuthRequestRecord, requestDeviceId?: string | null) {
+  return {
+    id: authRequest.id,
+    Id: authRequest.id,
+    publicKey: authRequest.publicKey,
+    PublicKey: authRequest.publicKey,
+    requestDeviceIdentifier: authRequest.requestDeviceIdentifier,
+    RequestDeviceIdentifier: authRequest.requestDeviceIdentifier,
+    requestDeviceTypeValue: authRequest.requestDeviceType,
+    RequestDeviceTypeValue: authRequest.requestDeviceType,
+    requestDeviceType: deviceTypeName(authRequest.requestDeviceType),
+    RequestDeviceType: deviceTypeName(authRequest.requestDeviceType),
+    requestIpAddress: authRequest.requestIpAddress,
+    RequestIpAddress: authRequest.requestIpAddress,
+    requestCountryName: authRequest.requestCountryName,
+    RequestCountryName: authRequest.requestCountryName,
+    key: authRequest.key,
+    Key: authRequest.key,
+    masterPasswordHash: authRequest.masterPasswordHash,
+    MasterPasswordHash: authRequest.masterPasswordHash,
+    creationDate: authRequest.creationDate,
+    CreationDate: authRequest.creationDate,
+    responseDate: authRequest.responseDate,
+    ResponseDate: authRequest.responseDate,
+    requestApproved: authRequest.approved ?? false,
+    RequestApproved: authRequest.approved ?? false,
+    requestDeviceId: requestDeviceId ?? null,
+    RequestDeviceId: requestDeviceId ?? null,
+    origin: buildOrigin(request),
+    Origin: buildOrigin(request),
+    object: 'auth-request',
+    Object: 'auth-request',
+  };
+}
+
+function listResponse<T>(data: T[]) {
+  return {
+    data,
+    Data: data,
+    object: 'list',
+    Object: 'list',
+    continuationToken: null,
+    ContinuationToken: null,
+  };
+}
+
+async function readJsonBody(request: Request): Promise<Record<string, any> | null> {
+  try {
+    const body = await request.json();
+    return body && typeof body === 'object' ? body as Record<string, any> : null;
+  } catch {
+    return null;
+  }
+}
+
+function readBodyValue(body: Record<string, any>, names: string[]): unknown {
+  for (const name of names) {
+    if (body[name] !== undefined) return body[name];
+  }
+  return undefined;
+}
+
+function isSupportedAuthRequestType(value: number): value is AuthRequestType {
+  return value === AUTH_REQUEST_TYPE_AUTHENTICATE_AND_UNLOCK || value === AUTH_REQUEST_TYPE_UNLOCK || value === AUTH_REQUEST_TYPE_ADMIN_APPROVAL;
+}
+
+export async function handleCreateAuthRequest(request: Request, env: Env): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  const email = normalizeText(readBodyValue(body, ['email', 'Email']), 320).toLowerCase();
+  const publicKey = normalizeText(readBodyValue(body, ['publicKey', 'PublicKey']), 8192);
+  const accessCode = normalizeText(readBodyValue(body, ['accessCode', 'AccessCode']), 25);
+  const requestedType = Number(readBodyValue(body, ['type', 'Type']));
+  const type = Number.isFinite(requestedType) ? requestedType : AUTH_REQUEST_TYPE_AUTHENTICATE_AND_UNLOCK;
+  const deviceInfo = readAuthRequestDeviceInfo(
+    {
+      deviceIdentifier: normalizeText(readBodyValue(body, ['deviceIdentifier', 'DeviceIdentifier']), 128),
+      deviceName: normalizeText(readBodyValue(body, ['deviceName', 'DeviceName']), 128),
+      deviceType: String(readBodyValue(body, ['deviceType', 'DeviceType']) ?? ''),
+    },
+    request
+  );
+
+  if (!email || !publicKey || !accessCode || !deviceInfo.deviceIdentifier) {
+    return errorResponse('Email, public key, device identifier, and access code are required.', 400);
+  }
+  if (!isSupportedAuthRequestType(type) || type === AUTH_REQUEST_TYPE_ADMIN_APPROVAL) {
+    return errorResponse('Invalid auth request type.', 400);
+  }
+
+  const user = await storage.getUser(email);
+  if (!user || user.status !== 'active') {
+    return errorResponse('User or known device not found.', 400);
+  }
+
+  await storage.pruneExpiredAuthRequests();
+  const now = new Date().toISOString();
+  const authRequest: AuthRequestRecord = {
+    id: generateUUID(),
+    userId: user.id,
+    organizationId: null,
+    type,
+    requestDeviceIdentifier: deviceInfo.deviceIdentifier,
+    requestDeviceType: deviceInfo.deviceType,
+    requestIpAddress: getClientIp(request),
+    requestCountryName: getCountryName(request),
+    responseDeviceIdentifier: null,
+    accessCode,
+    publicKey,
+    key: null,
+    masterPasswordHash: null,
+    approved: null,
+    creationDate: now,
+    responseDate: null,
+    authenticationDate: null,
+  };
+  await storage.createAuthRequest(authRequest);
+  notifyUserAuthRequest(env, user.id, authRequest.id, deviceInfo.deviceIdentifier);
+  return jsonResponse(toAuthRequestResponse(request, authRequest));
+}
+
+export async function handleGetAuthRequest(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const authRequest = await storage.getAuthRequestById(id);
+  if (!authRequest || authRequest.userId !== userId) return errorResponse('Not found', 404);
+  return jsonResponse(toAuthRequestResponse(request, authRequest));
+}
+
+export async function handleGetAuthRequestResponse(request: Request, env: Env, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const url = new URL(request.url);
+  const accessCode = normalizeText(url.searchParams.get('code'), 25);
+  const authRequest = await storage.getAuthRequestById(id);
+  if (!authRequest || authRequest.accessCode !== accessCode || isAuthRequestExpired(authRequest)) {
+    return errorResponse('Not found', 404);
+  }
+  return jsonResponse(toAuthRequestResponse(request, authRequest));
+}
+
+export async function handleListAuthRequests(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const authRequests = await storage.listAuthRequestsByUserId(userId);
+  return jsonResponse(listResponse(authRequests.map((authRequest) => toAuthRequestResponse(request, authRequest))));
+}
+
+export async function handleListPendingAuthRequests(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  await storage.pruneExpiredAuthRequests();
+  const authRequests = await storage.listPendingAuthRequestsByUserId(userId);
+  const rows = await Promise.all(authRequests.map(async (authRequest) => {
+    const device = await storage.getDevice(userId, authRequest.requestDeviceIdentifier);
+    return toAuthRequestResponse(request, authRequest, device?.deviceIdentifier ?? authRequest.requestDeviceIdentifier);
+  }));
+  return jsonResponse(listResponse(rows));
+}
+
+export async function handleUpdateAuthRequest(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const body = await readJsonBody(request);
+  if (!body) return errorResponse('Invalid request payload', 400);
+
+  const authRequest = await storage.getAuthRequestById(id);
+  if (!authRequest || authRequest.userId !== userId || isAuthRequestExpired(authRequest)) {
+    return errorResponse('Not found', 404);
+  }
+  if (authRequest.approved !== null || authRequest.responseDate || authRequest.authenticationDate) {
+    return errorResponse('Auth request has already been answered.', 409);
+  }
+
+  const latestForUser = await storage.listPendingAuthRequestsByUserId(userId);
+  const latestForDevice = latestForUser.find((item) => item.requestDeviceIdentifier === authRequest.requestDeviceIdentifier);
+  if (latestForDevice?.id !== authRequest.id) {
+    return errorResponse('This request is no longer valid. Make sure to approve the most recent request.', 400);
+  }
+
+  const approved = Boolean(readBodyValue(body, ['requestApproved', 'RequestApproved']));
+  const key = normalizeText(readBodyValue(body, ['key', 'Key']), 20000);
+  const masterPasswordHash = normalizeText(readBodyValue(body, ['masterPasswordHash', 'MasterPasswordHash']), 20000) || null;
+  const responseDeviceIdentifier =
+    normalizeText(readBodyValue(body, ['deviceIdentifier', 'DeviceIdentifier']), 128) ||
+    readActingDeviceIdentifier(request) ||
+    'web';
+
+  if (approved && !key) {
+    return errorResponse('Encrypted key is required to approve the request.', 400);
+  }
+
+  const updated = await storage.updateAuthRequestResponse(id, userId, {
+    approved,
+    responseDeviceIdentifier,
+    key,
+    masterPasswordHash,
+  });
+  if (!updated) return errorResponse('Auth request has already been answered.', 409);
+  const updatedRequest = await storage.getAuthRequestById(id);
+  // Match Bitwarden upstream behavior: only approval wakes the originating anonymous
+  // client. Denials are not pushed to avoid leaking that a login attempt was rejected.
+  if (approved) {
+    await notifyAuthRequestResponse(env, userId, id);
+  }
+  return jsonResponse(toAuthRequestResponse(request, updatedRequest || authRequest));
+}
@@ -19,6 +19,7 @@ import {
  assertAccountPasskeyCredential,
  buildAccountPasskeyTokenUserDecryptionOption,
 } from './account-passkeys';
+import { isAuthRequestExpired } from '../services/storage-auth-request-repo';

 const TWO_FACTOR_REMEMBER_TTL_MS = 30 * 24 * 60 * 60 * 1000;
 const TWO_FACTOR_PROVIDER_AUTHENTICATOR = 0;
@@ -237,6 +238,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    // Login with password
    const email = body.username?.toLowerCase();
    const passwordHash = body.password;
+    const authRequestId = readBodyValue(body, ['authRequest', 'AuthRequest']);
    const twoFactorToken = readBodyValue(body, ['twoFactorToken', 'TwoFactorToken']);
    const twoFactorProvider = readBodyValue(body, ['twoFactorProvider', 'TwoFactorProvider']);
    const twoFactorRemember = readBodyValue(body, ['twoFactorRemember', 'TwoFactorRemember']);
@@ -281,11 +283,31 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
    }

-    const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
+    let validatedAuthRequestId: string | null = null;
+    let valid = false;
+    const normalizedAuthRequestId = String(authRequestId || '').trim();
+    if (normalizedAuthRequestId) {
+      const authRequest = await storage.getAuthRequestById(normalizedAuthRequestId);
+      valid = !!(
+        authRequest &&
+        authRequest.userId === user.id &&
+        authRequest.type === 0 &&
+        authRequest.approved === true &&
+        authRequest.responseDate &&
+        !authRequest.authenticationDate &&
+        !isAuthRequestExpired(authRequest) &&
+        constantTimeEquals(authRequest.accessCode, passwordHash)
+      );
+      if (valid) {
+        validatedAuthRequestId = authRequest!.id;
+      }
+    } else {
+      valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
+    }
    if (!valid) {
      await safeWriteAuditEvent(env, {
        actorUserId: user.id,
-        action: 'auth.login.failed.bad_password',
+        action: normalizedAuthRequestId ? 'auth.login.failed.bad_auth_request' : 'auth.login.failed.bad_password',
        category: 'auth',
        level: 'warn',
        targetType: 'user',
@@ -384,6 +406,9 @@ export async function handleToken(request: Request, env: Env): Promise<Response>

    // Successful login - clear failed attempts
    await rateLimit.clearLoginAttempts(loginIdentifier);
+    if (validatedAuthRequestId) {
+      await storage.markAuthRequestAuthenticated(validatedAuthRequestId);
+    }

    const accessToken = await auth.generateAccessToken(user, deviceSession);
    const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);
@@ -56,3 +56,18 @@ export async function handleNotificationsHub(request: Request, env: Env): Promis
  }
  return stub.fetch(new Request(forwardedUrl.toString(), request));
 }
+
+export async function handleAnonymousNotificationsHub(request: Request, env: Env): Promise<Response> {
+  const url = new URL(request.url);
+  const authRequestId = String(url.searchParams.get('Token') || url.searchParams.get('token') || '').trim();
+  if (!authRequestId) return errorResponse('Token is required', 400);
+  if (request.headers.get('Upgrade')?.toLowerCase() !== 'websocket') {
+    return errorResponse('Expected websocket', 426);
+  }
+
+  const id = env.NOTIFICATIONS_HUB.idFromName(authRequestId);
+  const stub = env.NOTIFICATIONS_HUB.get(id);
+  const forwardedUrl = new URL(request.url);
+  forwardedUrl.searchParams.set('nw_auth_request_id', authRequestId);
+  return stub.fetch(new Request(forwardedUrl.toString(), request));
+}
@@ -78,6 +78,12 @@ import {
  handleGetAccountPasskeyUpdateAssertionOptions,
  handleUpdateAccountPasskeyEncryption,
 } from './handlers/account-passkeys';
+import {
+  handleGetAuthRequest,
+  handleListAuthRequests,
+  handleListPendingAuthRequests,
+  handleUpdateAuthRequest,
+} from './handlers/auth-requests';

 export async function handleAuthenticatedRoute(
  request: Request,
@@ -285,8 +291,21 @@ export async function handleAuthenticatedRoute(
    if (method === 'DELETE') return handleDeleteFolder(request, env, userId, folderId);
  }

-  if (path.startsWith('/api/auth-requests')) {
-    return jsonResponse({ data: [], object: 'list', continuationToken: null });
+  if (path === '/api/auth-requests' || path === '/api/auth-requests/') {
+    if (method === 'GET') return handleListAuthRequests(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  if (path === '/api/auth-requests/pending') {
+    if (method === 'GET') return handleListPendingAuthRequests(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  const authRequestMatch = path.match(/^\/api\/auth-requests\/([a-f0-9-]+)$/i);
+  if (authRequestMatch) {
+    if (method === 'GET') return handleGetAuthRequest(request, env, userId, authRequestMatch[1]);
+    if (method === 'PUT') return handleUpdateAuthRequest(request, env, userId, authRequestMatch[1]);
+    return errorResponse('Method not allowed', 405);
  }

  if (path === '/api/collections' || path.startsWith('/api/collections/')) {
@@ -15,9 +15,14 @@ import {
  handleGetPasswordHint,
  handleRecoverTwoFactor,
 } from './handlers/accounts';
+import {
+  handleCreateAuthRequest,
+  handleGetAuthRequestResponse,
+} from './handlers/auth-requests';
 import { handlePublicDownloadAttachment } from './handlers/attachments';
 import { handlePublicUploadAttachment } from './handlers/attachments';
 import {
+  handleAnonymousNotificationsHub,
  handleNotificationsHub,
  handleNotificationsNegotiate,
 } from './handlers/notifications';
@@ -390,6 +395,19 @@ export async function handlePublicRoute(
    return handleDownloadSendFile(request, env, sendDownloadMatch[1], sendDownloadMatch[2]);
  }

+  if ((path === '/api/auth-requests' || path === '/api/auth-requests/') && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handleCreateAuthRequest(request, env);
+  }
+
+  const authRequestResponseMatch = path.match(/^\/api\/auth-requests\/([a-f0-9-]+)\/response$/i);
+  if (authRequestResponseMatch && method === 'GET') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handleGetAuthRequestResponse(request, env, authRequestResponseMatch[1]);
+  }
+
  if (path === '/identity/connect/token' && method === 'POST') {
    return handleToken(request, env);
  }
@@ -477,5 +495,9 @@ export async function handlePublicRoute(
  if (path === '/notifications/hub' && method === 'GET') {
    return handleNotificationsHub(request, env);
  }
+
+  if (path === '/notifications/anonymous-hub' && method === 'GET') {
+    return handleAnonymousNotificationsHub(request, env);
+  }
  return null;
 }
@@ -0,0 +1,139 @@
+import type { AuthRequestRecord, AuthRequestType } from '../types';
+
+const AUTH_REQUEST_EXPIRATION_MS = 15 * 60 * 1000;
+
+function mapAuthRequestRow(row: any): AuthRequestRecord {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    organizationId: row.organization_id ?? null,
+    type: Number(row.type) as AuthRequestType,
+    requestDeviceIdentifier: row.request_device_identifier,
+    requestDeviceType: Number(row.request_device_type ?? 14),
+    requestIpAddress: row.request_ip_address ?? null,
+    requestCountryName: row.request_country_name ?? null,
+    responseDeviceIdentifier: row.response_device_identifier ?? null,
+    accessCode: row.access_code,
+    publicKey: row.public_key,
+    key: row.key ?? null,
+    masterPasswordHash: row.master_password_hash ?? null,
+    approved: row.approved == null ? null : Number(row.approved) === 1,
+    creationDate: row.creation_date,
+    responseDate: row.response_date ?? null,
+    authenticationDate: row.authentication_date ?? null,
+  };
+}
+
+export function isAuthRequestExpired(request: AuthRequestRecord, nowMs: number = Date.now()): boolean {
+  return new Date(request.creationDate).getTime() + AUTH_REQUEST_EXPIRATION_MS <= nowMs;
+}
+
+const AUTH_REQUEST_SELECT =
+  'SELECT id, user_id, organization_id, type, request_device_identifier, request_device_type, request_ip_address, request_country_name, ' +
+  'response_device_identifier, access_code, public_key, key, master_password_hash, approved, creation_date, response_date, authentication_date ' +
+  'FROM auth_requests';
+
+export async function createAuthRequest(db: D1Database, request: AuthRequestRecord): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO auth_requests(' +
+        'id, user_id, organization_id, type, request_device_identifier, request_device_type, request_ip_address, request_country_name, ' +
+        'response_device_identifier, access_code, public_key, key, master_password_hash, approved, creation_date, response_date, authentication_date' +
+        ') VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
+    )
+    .bind(
+      request.id,
+      request.userId,
+      request.organizationId,
+      request.type,
+      request.requestDeviceIdentifier,
+      request.requestDeviceType,
+      request.requestIpAddress,
+      request.requestCountryName,
+      request.responseDeviceIdentifier,
+      request.accessCode,
+      request.publicKey,
+      request.key,
+      request.masterPasswordHash,
+      request.approved == null ? null : (request.approved ? 1 : 0),
+      request.creationDate,
+      request.responseDate,
+      request.authenticationDate
+    )
+    .run();
+}
+
+export async function getAuthRequestById(db: D1Database, id: string): Promise<AuthRequestRecord | null> {
+  const row = await db.prepare(`${AUTH_REQUEST_SELECT} WHERE id = ? LIMIT 1`).bind(id).first<any>();
+  return row ? mapAuthRequestRow(row) : null;
+}
+
+export async function listAuthRequestsByUserId(db: D1Database, userId: string): Promise<AuthRequestRecord[]> {
+  const res = await db.prepare(`${AUTH_REQUEST_SELECT} WHERE user_id = ? ORDER BY creation_date DESC`).bind(userId).all<any>();
+  return (res.results || []).map(mapAuthRequestRow);
+}
+
+export async function listPendingAuthRequestsByUserId(db: D1Database, userId: string, nowMs: number = Date.now()): Promise<AuthRequestRecord[]> {
+  const cutoff = new Date(nowMs - AUTH_REQUEST_EXPIRATION_MS).toISOString();
+  const res = await db
+    .prepare(
+      'SELECT ar.id, ar.user_id, ar.organization_id, ar.type, ar.request_device_identifier, ar.request_device_type, ar.request_ip_address, ar.request_country_name, ' +
+        'ar.response_device_identifier, ar.access_code, ar.public_key, ar.key, ar.master_password_hash, ar.approved, ar.creation_date, ar.response_date, ar.authentication_date ' +
+        'FROM auth_requests ar ' +
+        'JOIN (' +
+        '  SELECT request_device_identifier, MAX(creation_date) AS latest_creation_date ' +
+        '  FROM auth_requests ' +
+        '  WHERE user_id = ? AND type IN (0, 1) AND approved IS NULL AND response_date IS NULL AND authentication_date IS NULL AND creation_date >= ? ' +
+        '  GROUP BY request_device_identifier' +
+        ') latest ON latest.request_device_identifier = ar.request_device_identifier AND latest.latest_creation_date = ar.creation_date ' +
+        'WHERE ar.user_id = ? AND ar.type IN (0, 1) AND ar.approved IS NULL AND ar.response_date IS NULL AND ar.authentication_date IS NULL ' +
+        'ORDER BY ar.creation_date DESC'
+    )
+    .bind(userId, cutoff, userId)
+    .all<any>();
+  return (res.results || []).map(mapAuthRequestRow).filter((request) => !isAuthRequestExpired(request, nowMs));
+}
+
+export async function updateAuthRequestResponse(
+  db: D1Database,
+  id: string,
+  userId: string,
+  update: {
+    approved: boolean;
+    responseDeviceIdentifier: string;
+    key?: string | null;
+    masterPasswordHash?: string | null;
+    responseDate?: string;
+  }
+): Promise<boolean> {
+  const result = await db
+    .prepare(
+      'UPDATE auth_requests SET approved = ?, response_device_identifier = ?, key = ?, master_password_hash = ?, response_date = ? ' +
+        'WHERE id = ? AND user_id = ? AND approved IS NULL AND response_date IS NULL AND authentication_date IS NULL'
+    )
+    .bind(
+      update.approved ? 1 : 0,
+      update.responseDeviceIdentifier,
+      update.approved ? (update.key ?? null) : null,
+      update.approved ? (update.masterPasswordHash ?? null) : null,
+      update.responseDate || new Date().toISOString(),
+      id,
+      userId
+    )
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function markAuthRequestAuthenticated(db: D1Database, id: string, authenticationDate: string = new Date().toISOString()): Promise<boolean> {
+  const result = await db
+    .prepare('UPDATE auth_requests SET authentication_date = ? WHERE id = ? AND authentication_date IS NULL')
+    .bind(authenticationDate, id)
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function pruneExpiredAuthRequests(db: D1Database, nowMs: number = Date.now()): Promise<number> {
+  const cutoff = new Date(nowMs - AUTH_REQUEST_EXPIRATION_MS).toISOString();
+  const result = await db.prepare('DELETE FROM auth_requests WHERE creation_date < ?').bind(cutoff).run();
+  return Number(result.meta.changes ?? 0);
+}
@@ -109,6 +109,15 @@ const SCHEMA_STATEMENTS: readonly string[] = [
  'ALTER TABLE devices ADD COLUMN last_seen_at TEXT',
  'CREATE INDEX IF NOT EXISTS idx_devices_user_last_seen ON devices(user_id, last_seen_at)',

+  'CREATE TABLE IF NOT EXISTS auth_requests (' +
+  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, organization_id TEXT, type INTEGER NOT NULL, request_device_identifier TEXT NOT NULL, request_device_type INTEGER NOT NULL, ' +
+  'request_ip_address TEXT, request_country_name TEXT, response_device_identifier TEXT, access_code TEXT NOT NULL, public_key TEXT NOT NULL, key TEXT, master_password_hash TEXT, ' +
+  'approved INTEGER, creation_date TEXT NOT NULL, response_date TEXT, authentication_date TEXT, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_auth_requests_user_created ON auth_requests(user_id, creation_date)',
+  'CREATE INDEX IF NOT EXISTS idx_auth_requests_user_pending ON auth_requests(user_id, approved, response_date, authentication_date, creation_date)',
+  'CREATE INDEX IF NOT EXISTS idx_auth_requests_device_pending ON auth_requests(user_id, request_device_identifier, creation_date)',
+
  'CREATE TABLE IF NOT EXISTS trusted_two_factor_device_tokens (' +
  'token TEXT PRIMARY KEY, user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, expires_at INTEGER NOT NULL, ' +
  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
@@ -1,4 +1,4 @@
-import { User, Cipher, Folder, Attachment, Device, Invite, AuditLog, Send, TrustedDeviceTokenSummary, RefreshTokenRecord, CustomEquivalentDomain, AccountPasskeyChallenge, AccountPasskeyChallengeScope, AccountPasskeyCredential } from '../types';
+import { User, Cipher, Folder, Attachment, Device, Invite, AuditLog, Send, TrustedDeviceTokenSummary, RefreshTokenRecord, CustomEquivalentDomain, AccountPasskeyChallenge, AccountPasskeyChallengeScope, AccountPasskeyCredential, AuthRequestRecord } from '../types';
 import { LIMITS } from '../config/limits';
 import { ensureStorageSchema } from './storage-schema';
 import {
@@ -103,6 +103,15 @@ import {
  updateDeviceKeys as updateStoredDeviceKeys,
  updateTrustedTwoFactorTokensExpiryByDevice as updateStoredTrustedTokensExpiryByDevice,
 } from './storage-device-repo';
+import {
+  createAuthRequest as createStoredAuthRequest,
+  getAuthRequestById as findStoredAuthRequestById,
+  listAuthRequestsByUserId as listStoredAuthRequestsByUserId,
+  listPendingAuthRequestsByUserId as listStoredPendingAuthRequestsByUserId,
+  markAuthRequestAuthenticated as markStoredAuthRequestAuthenticated,
+  pruneExpiredAuthRequests as pruneStoredExpiredAuthRequests,
+  updateAuthRequestResponse as updateStoredAuthRequestResponse,
+} from './storage-auth-request-repo';
 import {
  ensureUsedAttachmentDownloadTokenTable as ensureStoredAttachmentTokenTable,
  consumeAttachmentDownloadToken as consumeStoredAttachmentDownloadToken,
@@ -134,8 +143,8 @@ const STORAGE_SCHEMA_VERSION_KEY = 'schema.version';
 // Bump this whenever src/services/storage-schema.ts or migrations/0001_init.sql
 // changes. Existing D1 installs only rerun ensureStorageSchema() when this value
 // differs from config.schema.version.
-const STORAGE_SCHEMA_VERSION = '2026-06-09-account-passkeys';
-const REQUIRED_ACCOUNT_PASSKEY_TABLES = ['webauthn_credentials', 'webauthn_challenges'] as const;
+const STORAGE_SCHEMA_VERSION = '2026-06-12-auth-requests';
+const REQUIRED_SCHEMA_TABLES = ['webauthn_credentials', 'webauthn_challenges', 'auth_requests'] as const;

 // D1-backed storage.
 // Contract:
@@ -166,14 +175,14 @@ export class StorageService {
    return stmt.bind(...values.map(v => v === undefined ? null : v));
  }

-  private async hasAccountPasskeyTables(): Promise<boolean> {
-    const placeholders = REQUIRED_ACCOUNT_PASSKEY_TABLES.map(() => '?').join(', ');
+  private async hasRequiredSchemaTables(): Promise<boolean> {
+    const placeholders = REQUIRED_SCHEMA_TABLES.map(() => '?').join(', ');
    const result = await this.db
      .prepare(`SELECT name FROM sqlite_master WHERE type = 'table' AND name IN (${placeholders})`)
-      .bind(...REQUIRED_ACCOUNT_PASSKEY_TABLES)
+      .bind(...REQUIRED_SCHEMA_TABLES)
      .all<{ name: string }>();
    const found = new Set((result.results || []).map((row) => row.name));
-    return REQUIRED_ACCOUNT_PASSKEY_TABLES.every((table) => found.has(table));
+    return REQUIRED_SCHEMA_TABLES.every((table) => found.has(table));
  }

  private sqlChunkSize(fixedBindCount: number): number {
@@ -220,7 +229,7 @@ export class StorageService {
    await this.db.prepare('CREATE TABLE IF NOT EXISTS config (key TEXT PRIMARY KEY, value TEXT NOT NULL)').run();
    const schemaVersion = await getStoredConfigValue(this.db, STORAGE_SCHEMA_VERSION_KEY);
    const schemaMissingRequiredTables = schemaVersion === STORAGE_SCHEMA_VERSION
-      ? !(await this.hasAccountPasskeyTables())
+      ? !(await this.hasRequiredSchemaTables())
      : true;
    if (schemaVersion !== STORAGE_SCHEMA_VERSION || schemaMissingRequiredTables) {
      await ensureStorageSchema(this.db);
@@ -716,6 +725,45 @@ export class StorageService {
    return deleteStoredDevicesByUserId(this.db, userId);
  }

+  // --- Auth requests / Login with device ---
+
+  async createAuthRequest(request: AuthRequestRecord): Promise<void> {
+    await createStoredAuthRequest(this.db, request);
+  }
+
+  async getAuthRequestById(id: string): Promise<AuthRequestRecord | null> {
+    return findStoredAuthRequestById(this.db, id);
+  }
+
+  async listAuthRequestsByUserId(userId: string): Promise<AuthRequestRecord[]> {
+    return listStoredAuthRequestsByUserId(this.db, userId);
+  }
+
+  async listPendingAuthRequestsByUserId(userId: string): Promise<AuthRequestRecord[]> {
+    return listStoredPendingAuthRequestsByUserId(this.db, userId);
+  }
+
+  async updateAuthRequestResponse(
+    id: string,
+    userId: string,
+    update: {
+      approved: boolean;
+      responseDeviceIdentifier: string;
+      key?: string | null;
+      masterPasswordHash?: string | null;
+    }
+  ): Promise<boolean> {
+    return updateStoredAuthRequestResponse(this.db, id, userId, update);
+  }
+
+  async markAuthRequestAuthenticated(id: string): Promise<boolean> {
+    return markStoredAuthRequestAuthenticated(this.db, id);
+  }
+
+  async pruneExpiredAuthRequests(): Promise<number> {
+    return pruneStoredExpiredAuthRequests(this.db);
+  }
+
  async getTrustedDeviceTokenSummariesByUserId(userId: string): Promise<TrustedDeviceTokenSummary[]> {
    return listStoredTrustedTokenSummaries(this.db, userId);
  }
@@ -273,6 +273,28 @@ export interface DevicePendingAuthRequest {
  creationDate: string;
 }

+export type AuthRequestType = 0 | 1 | 2;
+
+export interface AuthRequestRecord {
+  id: string;
+  userId: string;
+  organizationId: string | null;
+  type: AuthRequestType;
+  requestDeviceIdentifier: string;
+  requestDeviceType: number;
+  requestIpAddress: string | null;
+  requestCountryName: string | null;
+  responseDeviceIdentifier: string | null;
+  accessCode: string;
+  publicKey: string;
+  key: string | null;
+  masterPasswordHash: string | null;
+  approved: boolean | null;
+  creationDate: string;
+  responseDate: string | null;
+  authenticationDate: string | null;
+}
+
 export interface DeviceResponse {
  id: string;
  userId?: string | null;