From 205fcbdcc16a85b80bf37d8d9e1f5e699db253a2 Mon Sep 17 00:00:00 2001
From: trisua <tri@swmff.org>
Date: Fri, 4 Apr 2025 21:42:08 -0400
Subject: [PATCH] add: user totp 2fa

---
 Cargo.lock                                    |  87 +++++++--
 crates/app/Cargo.toml                         |   6 +-
 crates/app/src/langs/en-US.toml               |   1 +
 crates/app/src/public/html/auth/login.html    |  73 +++++--
 .../src/public/html/communities/settings.html |   2 +-
 crates/app/src/public/html/components.html    |   4 +-
 crates/app/src/public/html/mod/audit_log.html |   2 +-
 crates/app/src/public/html/mod/ip_bans.html   |   2 +-
 crates/app/src/public/html/mod/reports.html   |   2 +-
 crates/app/src/public/html/profile/base.html  |  10 +-
 .../app/src/public/html/profile/settings.html | 179 +++++++++++++++++-
 crates/app/src/public/js/atto.js              |   6 +-
 crates/app/src/public/js/me.js                |   4 +-
 crates/app/src/routes/api/v1/auth/images.rs   |   4 +-
 crates/app/src/routes/api/v1/auth/mod.rs      |   5 +
 crates/app/src/routes/api/v1/auth/profile.rs  | 132 ++++++++++++-
 crates/app/src/routes/api/v1/auth/social.rs   |   2 +-
 .../src/routes/api/v1/communities/images.rs   |  14 +-
 crates/app/src/routes/api/v1/mod.rs           |  62 +++---
 crates/core/Cargo.toml                        |   1 +
 crates/core/src/database/auth.rs              | 139 +++++++++++++-
 crates/core/src/database/communities.rs       |  29 +--
 crates/core/src/database/memberships.rs       |   2 +-
 crates/core/src/database/posts.rs             |   6 +-
 crates/core/src/database/reactions.rs         |   4 +-
 crates/core/src/model/auth.rs                 |  29 +++
 crates/core/src/model/permissions.rs          |   1 +
 crates/shared/Cargo.toml                      |   2 +-
 sql_upgrades/totp.sql                         |   5 +
 29 files changed, 699 insertions(+), 116 deletions(-)
 create mode 100644 sql_upgrades/totp.sql

diff --git a/Cargo.lock b/Cargo.lock
index 54efba0..8b347ed 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -204,9 +204,9 @@ dependencies = [
 
 [[package]]
 name = "axum"
-version = "0.8.1"
+version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d6fd624c75e18b3b4c6b9caf42b1afe24437daaee904069137d8bab077be8b8"
+checksum = "de45108900e1f9b9242f7f2e254aa3e2c029c921c258fe9e6b4217eeebd54288"
 dependencies = [
  "axum-core",
  "axum-macros",
@@ -239,12 +239,12 @@ dependencies = [
 
 [[package]]
 name = "axum-core"
-version = "0.5.0"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df1362f362fd16024ae199c1970ce98f9661bf5ef94b9808fee734bc3698b733"
+checksum = "68464cd0412f486726fb3373129ef5d2993f90c34bc2bc1c1e9943b2f4fc7ca6"
 dependencies = [
  "bytes",
- "futures-util",
+ "futures-core",
  "http",
  "http-body",
  "http-body-util",
@@ -259,9 +259,9 @@ dependencies = [
 
 [[package]]
 name = "axum-extra"
-version = "0.10.0"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "460fc6f625a1f7705c6cf62d0d070794e94668988b1c38111baeec177c715f7b"
+checksum = "45bf463831f5131b7d3c756525b305d40f1185b688565648a92e1392ca35713d"
 dependencies = [
  "axum",
  "axum-core",
@@ -275,6 +275,7 @@ dependencies = [
  "mime",
  "multer",
  "pin-project-lite",
+ "rustversion",
  "serde",
  "tower",
  "tower-layer",
@@ -307,6 +308,12 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "base32"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23ce669cd6c8588f79e15cf450314f9638f967fc5770ff1c7c1deb0925ea7cfa"
+
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -616,9 +623,9 @@ dependencies = [
 
 [[package]]
 name = "comrak"
-version = "0.36.0"
+version = "0.37.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5afa2702ef2fecc5bd7ca605f37e875a6be3fc8138c4633e711a945b70351550"
+checksum = "2a4f05e73ca9a30af27bebc13600f91fd1651b2ec7d139ca82a89df7ca583af1"
 dependencies = [
  "bon",
  "caseless",
@@ -633,6 +640,12 @@ dependencies = [
  "xdg",
 ]
 
+[[package]]
+name = "constant_time_eq"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "21a53c0a4d288377e7415b53dcfc3c04da5cdc2cc95c8d5ac178b58f0b861ad6"
+
 [[package]]
 name = "cookie"
 version = "0.18.1"
@@ -1490,9 +1503,9 @@ dependencies = [
 
 [[package]]
 name = "image"
-version = "0.25.5"
+version = "0.25.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd6f44aed642f18953a158afeb30206f4d50da59fbc66ecb53c66488de73563b"
+checksum = "db35664ce6b9810857a38a906215e75a9c879f0696556a39f59c62829710251a"
 dependencies = [
  "bytemuck",
  "byteorder-lite",
@@ -2283,6 +2296,23 @@ dependencies = [
  "bytemuck",
 ]
 
+[[package]]
+name = "qrcodegen"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4339fc7a1021c9c1621d87f5e3505f2805c8c105420ba2f2a4df86814590c142"
+
+[[package]]
+name = "qrcodegen-image"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "221b7eace1aef8c95d65dbe09fb7a1a43d006045394a89afba6997721fcb7708"
+dependencies = [
+ "base64",
+ "image",
+ "qrcodegen",
+]
+
 [[package]]
 name = "quick-error"
 version = "2.0.1"
@@ -2808,6 +2838,17 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
 [[package]]
 name = "sha1_smol"
 version = "1.0.1"
@@ -3152,6 +3193,7 @@ dependencies = [
  "tetratto-shared",
  "tokio-postgres",
  "toml",
+ "totp-rs",
 ]
 
 [[package]]
@@ -3416,6 +3458,23 @@ dependencies = [
  "winnow",
 ]
 
+[[package]]
+name = "totp-rs"
+version = "5.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17b2f27dad992486c26b4e7455f38aa487e838d6d61b57e72906ee2b8c287a90"
+dependencies = [
+ "base32",
+ "constant_time_eq",
+ "hmac",
+ "qrcodegen-image",
+ "rand 0.8.5",
+ "sha1",
+ "sha2",
+ "url",
+ "urlencoding",
+]
+
 [[package]]
 name = "tower"
 version = "0.5.2"
@@ -3661,6 +3720,12 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "urlencoding"
+version = "2.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
+
 [[package]]
 name = "utf-8"
 version = "0.7.6"
diff --git a/crates/app/Cargo.toml b/crates/app/Cargo.toml
index 68e9544..06c44e7 100644
--- a/crates/app/Cargo.toml
+++ b/crates/app/Cargo.toml
@@ -16,16 +16,16 @@ tera = "1.20.0"
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
 tower-http = { version = "0.6.2", features = ["trace", "fs"] }
-axum = { version = "0.8.1", features = ["macros"] }
+axum = { version = "0.8.3", features = ["macros"] }
 tokio = { version = "1.44.1", features = ["macros", "rt-multi-thread"] }
-axum-extra = { version = "0.10.0", features = ["cookie", "multipart"] }
+axum-extra = { version = "0.10.1", features = ["cookie", "multipart"] }
 tetratto-shared = { path = "../shared" }
 tetratto-core = { path = "../core", features = [
     "redis",
 ], default-features = false }
 tetratto-l10n = { path = "../l10n" }
 
-image = "0.25.5"
+image = "0.25.6"
 reqwest = { version = "0.12.15", features = ["json", "stream"] }
 regex = "1.11.1"
 serde_json = "1.0.140"
diff --git a/crates/app/src/langs/en-US.toml b/crates/app/src/langs/en-US.toml
index 30164fe..6275570 100644
--- a/crates/app/src/langs/en-US.toml
+++ b/crates/app/src/langs/en-US.toml
@@ -89,6 +89,7 @@ version = "1.0.0"
 "settings:label.new_password" = "New password"
 "settings:label.change_username" = "Change username"
 "settings:label.new_username" = "New username"
+"settings:label.two_factor_authentication" = "Two-factor authentication"
 "settings:label.change_avatar" = "Change avatar"
 "settings:label.change_banner" = "Change banner"
 
diff --git a/crates/app/src/public/html/auth/login.html b/crates/app/src/public/html/auth/login.html
index 68757d4..943676e 100644
--- a/crates/app/src/public/html/auth/login.html
+++ b/crates/app/src/public/html/auth/login.html
@@ -2,34 +2,68 @@
 <title>Login</title>
 {% endblock %} {% block title %}Login{% endblock %} {% block content %}
 <form class="w-full flex flex-col gap-4" onsubmit="login(event)">
-    <div class="flex flex-col gap-1">
-        <label for="username"><b>Username</b></label>
-        <input
-            type="text"
-            placeholder="username"
-            required
-            name="username"
-            id="username"
-        />
+    <div id="flow_1" style="display: contents">
+        <div class="flex flex-col gap-1">
+            <label for="username"><b>Username</b></label>
+            <input
+                type="text"
+                placeholder="username"
+                required
+                name="username"
+                id="username"
+            />
+        </div>
+
+        <div class="flex flex-col gap-1">
+            <label for="username"><b>Password</b></label>
+            <input
+                type="password"
+                placeholder="password"
+                required
+                name="password"
+                id="password"
+            />
+        </div>
     </div>
 
-    <div class="flex flex-col gap-1">
-        <label for="username"><b>Password</b></label>
-        <input
-            type="password"
-            placeholder="password"
-            required
-            name="password"
-            id="password"
-        />
+    <div id="flow_2" style="display: none">
+        <div class="flex flex-col gap-1">
+            <label for="totp"><b>TOTP code</b></label>
+            <input type="text" placeholder="totp code" name="totp" id="totp" />
+        </div>
     </div>
 
     <button>Submit</button>
 </form>
 
 <script>
-    function login(e) {
+    let flow_page = 1;
+
+    function next_page() {
+        document.getElementById(`flow_${flow_page}`).style.display = "none";
+        flow_page += 1;
+        document.getElementById(`flow_${flow_page}`).style.display = "contents";
+    }
+
+    async function login(e) {
         e.preventDefault();
+
+        if (flow_page === 1) {
+            // check if we need TOTP
+            const res = await (
+                await fetch(
+                    `/api/v1/auth/user/${e.target.username.value}/totp/check`,
+                )
+            ).json();
+
+            trigger("atto::toast", [res.ok ? "success" : "error", res.message]);
+
+            if (res.ok && res.payload) {
+                // user exists AND totp is required
+                return next_page();
+            }
+        }
+
         fetch("/api/v1/auth/login", {
             method: "POST",
             headers: {
@@ -38,6 +72,7 @@
             body: JSON.stringify({
                 username: e.target.username.value,
                 password: e.target.password.value,
+                totp: e.target.totp.value,
             }),
         })
             .then((res) => res.json())
diff --git a/crates/app/src/public/html/communities/settings.html b/crates/app/src/public/html/communities/settings.html
index f30cc8b..7c5f099 100644
--- a/crates/app/src/public/html/communities/settings.html
+++ b/crates/app/src/public/html/communities/settings.html
@@ -416,7 +416,7 @@
 
                     // ...
                     element.innerHTML = `<div class="flex gap-2 flex-wrap" ui_ident="actions">
-                        <a target="_blank" class="button" href="/api/v1/auth/profile/find/${e.target.uid.value}">Open user profile</a>
+                        <a target="_blank" class="button" href="/api/v1/auth/user/find/${e.target.uid.value}">Open user profile</a>
                         ${res.payload.role !== 33 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 33)">Ban</button>` : `<button class="quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Unban</button>`}
                         ${res.payload.role !== 65 ? `<button class="red quaternary" onclick="update_user_role('${e.target.uid.value}', 65)">Send to review</button>` : `<button class="green quaternary" onclick="update_user_role('${e.target.uid.value}', 5)">Accept join request</button>`}
                         <button class="red quaternary" onclick="kick_user('${e.target.uid.value}')">Kick</button>
diff --git a/crates/app/src/public/html/components.html b/crates/app/src/public/html/components.html
index 81877f2..27ccee1 100644
--- a/crates/app/src/public/html/components.html
+++ b/crates/app/src/public/html/components.html
@@ -1,7 +1,7 @@
 {% macro avatar(username, size="24px", selector_type="username") -%}
 <img
     title="{{ username }}'s avatar"
-    src="/api/v1/auth/profile/{{ username }}/avatar?selector_type={{ selector_type }}"
+    src="/api/v1/auth/user/{{ username }}/avatar?selector_type={{ selector_type }}"
     alt="@{{ username }}"
     class="avatar shadow"
     loading="lazy"
@@ -28,7 +28,7 @@
 border_radius="var(--radius)") -%}
 <img
     title="{{ username }}'s banner"
-    src="/api/v1/auth/profile/{{ username }}/banner"
+    src="/api/v1/auth/user/{{ username }}/banner"
     alt="@{{ username }}'s banner"
     class="banner shadow"
     loading="lazy"
diff --git a/crates/app/src/public/html/mod/audit_log.html b/crates/app/src/public/html/mod/audit_log.html
index e9cf026..a7dd0b7 100644
--- a/crates/app/src/public/html/mod/audit_log.html
+++ b/crates/app/src/public/html/mod/audit_log.html
@@ -14,7 +14,7 @@
             <div class="card-nest">
                 <a
                     class="card small flex items-center gap-2 flush"
-                    href="/api/v1/auth/profile/find/{{ item.moderator }}"
+                    href="/api/v1/auth/user/find/{{ item.moderator }}"
                 >
                     <!-- prettier-ignore -->
                     {{ components::avatar(username=item.moderator, selector_type="id") }}
diff --git a/crates/app/src/public/html/mod/ip_bans.html b/crates/app/src/public/html/mod/ip_bans.html
index c1f32bf..513f3c4 100644
--- a/crates/app/src/public/html/mod/ip_bans.html
+++ b/crates/app/src/public/html/mod/ip_bans.html
@@ -14,7 +14,7 @@
             <div class="card-nest">
                 <a
                     class="card small flex items-center gap-2 flush"
-                    href="/api/v1/auth/profile/find/{{ item.moderator }}"
+                    href="/api/v1/auth/user/find/{{ item.moderator }}"
                 >
                     <!-- prettier-ignore -->
                     {{ components::avatar(username=item.moderator, selector_type="id") }}
diff --git a/crates/app/src/public/html/mod/reports.html b/crates/app/src/public/html/mod/reports.html
index b6c99ad..47a991d 100644
--- a/crates/app/src/public/html/mod/reports.html
+++ b/crates/app/src/public/html/mod/reports.html
@@ -14,7 +14,7 @@
             <div class="card-nest">
                 <a
                     class="card small flex items-center gap-2 flush"
-                    href="/api/v1/auth/profile/find/{{ item.owner }}"
+                    href="/api/v1/auth/user/find/{{ item.owner }}"
                 >
                     <!-- prettier-ignore -->
                     {{ components::avatar(username=item.owner, selector_type="id") }}
diff --git a/crates/app/src/public/html/profile/base.html b/crates/app/src/public/html/profile/base.html
index 812cbbf..9199d16 100644
--- a/crates/app/src/public/html/profile/base.html
+++ b/crates/app/src/public/html/profile/base.html
@@ -131,7 +131,7 @@
                         <script>
                             globalThis.toggle_follow_user = () => {
                                 fetch(
-                                    "/api/v1/auth/profile/{{ profile.id }}/follow",
+                                    "/api/v1/auth/user/{{ profile.id }}/follow",
                                     {
                                         method: "POST",
                                     },
@@ -155,7 +155,7 @@
                                 }
 
                                 fetch(
-                                    "/api/v1/auth/profile/{{ profile.id }}/block",
+                                    "/api/v1/auth/user/{{ profile.id }}/block",
                                     {
                                         method: "POST",
                                     },
@@ -264,7 +264,7 @@
                                     }
 
                                     fetch(
-                                        `/api/v1/auth/profile/{{ profile.id }}/${path}`,
+                                        `/api/v1/auth/user/{{ profile.id }}/${path}`,
                                         {
                                             method: "POST",
                                             headers: {
@@ -295,7 +295,7 @@
                                     }
 
                                     fetch(
-                                        "/api/v1/auth/profile/{{ profile.id }}",
+                                        "/api/v1/auth/user/{{ profile.id }}",
                                         {
                                             method: "DELETE",
                                             headers: {
@@ -328,7 +328,7 @@
                                     }
 
                                     fetch(
-                                        `/api/v1/auth/profile/{{ profile.id }}/role`,
+                                        `/api/v1/auth/user/{{ profile.id }}/role`,
                                         {
                                             method: "POST",
                                             headers: {
diff --git a/crates/app/src/public/html/profile/settings.html b/crates/app/src/public/html/profile/settings.html
index 9fc92d0..67e183d 100644
--- a/crates/app/src/public/html/profile/settings.html
+++ b/crates/app/src/public/html/profile/settings.html
@@ -100,6 +100,60 @@
                     </button>
                 </form>
             </div>
+
+            <div class="card-nest" ui_ident="two_factor_authentication">
+                <div class="card small">
+                    <b>{{ text "settings:label.two_factor_authentication" }}</b>
+                </div>
+
+                <div class="card flex flex-col gap-2">
+                    {% if profile.totp|length == 0 %}
+                    <div id="totp_stuff" style="display: none">
+                        <span
+                            >Scan this QR code in a TOTP authenticator app (like
+                            Google Authenticator):
+                        </span>
+
+                        <img id="totp_qr" style="max-width: 250px" />
+
+                        <span>TOTP secret (do NOT share):</span>
+                        <pre id="totp_secret"></pre>
+
+                        <span
+                            >Recovery codes (STORE SAFELY, these can only be
+                            viewed once):</span
+                        >
+
+                        <pre id="totp_recovery_codes"></pre>
+                    </div>
+
+                    <button
+                        class="quaternary green"
+                        onclick="enable_totp(event)"
+                    >
+                        Enable TOTP 2FA
+                    </button>
+                    {% else %}
+                    <pre id="totp_recovery_codes" style="display: none"></pre>
+
+                    <div class="flex gap-2 flex-wrap">
+                        <button
+                            class="quaternary red"
+                            onclick="refresh_totp_codes(event)"
+                        >
+                            Refresh recovery codes
+                        </button>
+
+                        <button
+                            class="quaternary red"
+                            onclick="disable_totp(event)"
+                        >
+                            Disable TOTP 2FA
+                        </button>
+                    </div>
+                    {% endif %}
+                </div>
+            </div>
         </div>
 
         <div class="card-nest" ui_ident="change_password">
@@ -244,8 +298,7 @@
                 {% if is_helper %}
                 <span class="flex gap-2 items-center">
                     <span class="fade"
-                        ><a
-                            href="/api/v1/auth/profile/find_by_ip/{{ token[0] }}"
+                        ><a href="/api/v1/auth/user/find_by_ip/{{ token[0] }}"
                             ><code>{{ token[0] }}</code></a
                         ></span
                     >
@@ -296,7 +349,7 @@
                 tokens = new_tokens;
 
                 // send request to save
-                fetch("/api/v1/auth/profile/{{ profile.id }}/tokens", {
+                fetch("/api/v1/auth/user/{{ profile.id }}/tokens", {
                     method: "POST",
                     headers: {
                         "Content-Type": "application/json",
@@ -313,7 +366,7 @@
             };
 
             globalThis.save_settings = () => {
-                fetch("/api/v1/auth/profile/{{ profile.id }}/settings", {
+                fetch("/api/v1/auth/user/{{ profile.id }}/settings", {
                     method: "POST",
                     headers: {
                         "Content-Type": "application/json",
@@ -331,7 +384,7 @@
 
             globalThis.change_password = (e) => {
                 e.preventDefault();
-                fetch("/api/v1/auth/profile/{{ profile.id }}/password", {
+                fetch("/api/v1/auth/user/{{ profile.id }}/password", {
                     method: "POST",
                     headers: {
                         "Content-Type": "application/json",
@@ -361,7 +414,7 @@
                     return;
                 }
 
-                fetch("/api/v1/auth/profile/{{ profile.id }}/username", {
+                fetch("/api/v1/auth/user/{{ profile.id }}/username", {
                     method: "POST",
                     headers: {
                         "Content-Type": "application/json",
@@ -390,7 +443,7 @@
                     return;
                 }
 
-                fetch("/api/v1/auth/profile/{{ profile.id }}", {
+                fetch("/api/v1/auth/user/{{ profile.id }}", {
                     method: "DELETE",
                     headers: {
                         "Content-Type": "application/json",
@@ -454,6 +507,117 @@
                 alert("Banner upload in progress. Please wait!");
             };
 
+            globalThis.enable_totp = async (event) => {
+                if (
+                    !(await trigger("atto::confirm", [
+                        "Are you sure you want to do this? You must have access to your TOTP codes to disable TOTP.",
+                    ]))
+                ) {
+                    return;
+                }
+
+                fetch("/api/v1/auth/user/{{ user.id }}/totp", {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                    },
+                })
+                    .then((res) => res.json())
+                    .then((res) => {
+                        trigger("atto::toast", [
+                            res.ok ? "success" : "error",
+                            res.message,
+                        ]);
+
+                        const [secret, qr, recovery_codes] = res.payload;
+
+                        document.getElementById("totp_secret").innerText =
+                            secret;
+                        document.getElementById("totp_qr").src =
+                            `data:image/png;base64,${qr}`;
+                        document.getElementById(
+                            "totp_recovery_codes",
+                        ).innerText = recovery_codes.join("\n");
+
+                        document.getElementById("totp_stuff").style.display =
+                            "contents";
+                        event.target.remove();
+                    });
+            };
+
+            globalThis.disable_totp = async (event) => {
+                if (
+                    !(await trigger("atto::confirm", [
+                        "Are you sure you want to do this?",
+                    ]))
+                ) {
+                    return;
+                }
+
+                const totp_code = await trigger("atto::prompt", ["TOTP code:"]);
+
+                if (!totp_code) {
+                    return;
+                }
+
+                fetch("/api/v1/auth/user/{{ profile.id }}/totp", {
+                    method: "DELETE",
+                    headers: {
+                        "Content-Type": "application/json",
+                    },
+                    body: JSON.stringify({ totp: totp_code }),
+                })
+                    .then((res) => res.json())
+                    .then((res) => {
+                        trigger("atto::toast", [
+                            res.ok ? "success" : "error",
+                            res.message,
+                        ]);
+
+                        event.target.remove();
+                    });
+            };
+
+            globalThis.refresh_totp_codes = async (event) => {
+                if (
+                    !(await trigger("atto::confirm", [
+                        "Are you sure you want to do this? The old codes will no longer work.",
+                    ]))
+                ) {
+                    return;
+                }
+
+                const totp_code = await trigger("atto::prompt", ["TOTP code:"]);
+
+                if (!totp_code) {
+                    return;
+                }
+
+                fetch("/api/v1/auth/user/{{ profile.id }}/totp/codes", {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                    },
+                    body: JSON.stringify({ totp: totp_code }),
+                })
+                    .then((res) => res.json())
+                    .then((res) => {
+                        trigger("atto::toast", [
+                            res.ok ? "success" : "error",
+                            res.message,
+                        ]);
+
+                        document.getElementById(
+                            "totp_recovery_codes",
+                        ).innerText = res.payload.join("\n");
+                        document.getElementById(
+                            "totp_recovery_codes",
+                        ).style.display = "block";
+
+                        event.target.remove();
+                    });
+            };
+
             const account_settings =
                 document.getElementById("account_settings");
             const profile_settings =
@@ -462,6 +626,7 @@
             ui.refresh_container(account_settings, [
                 "change_password",
                 "change_username",
+                "two_factor_authentication",
             ]);
             ui.refresh_container(profile_settings, [
                 "theme_preference",
diff --git a/crates/app/src/public/js/atto.js b/crates/app/src/public/js/atto.js
index aec59eb..50a96e3 100644
--- a/crates/app/src/public/js/atto.js
+++ b/crates/app/src/public/js/atto.js
@@ -415,9 +415,7 @@ media_theme_pref();
             try {
                 const href = new URL(anchor.href);
 
-                if (
-                    href.pathname.startsWith("/api/v1/auth/profile/find_by_ip/")
-                ) {
+                if (href.pathname.startsWith("/api/v1/auth/user/find_by_ip/")) {
                     const ban_button = document.createElement("button");
                     ban_button.innerText = "Ban IP";
                     ban_button.className = "quaternary red small";
@@ -428,7 +426,7 @@ media_theme_pref();
 
                         $.ban_ip(
                             href.pathname.replace(
-                                "/api/v1/auth/profile/find_by_ip/",
+                                "/api/v1/auth/user/find_by_ip/",
                                 "",
                             ),
                         );
diff --git a/crates/app/src/public/js/me.js b/crates/app/src/public/js/me.js
index 3942020..e8fe7ce 100644
--- a/crates/app/src/public/js/me.js
+++ b/crates/app/src/public/js/me.js
@@ -156,7 +156,7 @@
     });
 
     self.define("seen", () => {
-        fetch("/api/v1/auth/profile/me/seen", {
+        fetch("/api/v1/auth/user/me/seen", {
             method: "POST",
         })
             .then((res) => res.json())
@@ -196,7 +196,7 @@
             element.innerHTML += `<button class="quaternary w-full justify-start" onclick="trigger('me::login', ['${token[0]}'])">
                 <img
                     title="${token[0]}'s avatar"
-                    src="/api/v1/auth/profile/${token[0]}/avatar?selector_type=username"
+                    src="/api/v1/auth/user/${token[0]}/avatar?selector_type=username"
                     alt="Avatar image"
                     class="avatar"
                     style="--size: 24px"
diff --git a/crates/app/src/routes/api/v1/auth/images.rs b/crates/app/src/routes/api/v1/auth/images.rs
index c5f5441..3c0fd56 100644
--- a/crates/app/src/routes/api/v1/auth/images.rs
+++ b/crates/app/src/routes/api/v1/auth/images.rs
@@ -43,7 +43,7 @@ pub struct AvatarSelectorQuery {
 }
 
 /// Get a profile's avatar image
-/// `/api/v1/auth/profile/{id}/avatar`
+/// `/api/v1/auth/user/{id}/avatar`
 pub async fn avatar_request(
     Path(selector): Path<String>,
     Extension(data): Extension<State>,
@@ -94,7 +94,7 @@ pub async fn avatar_request(
 }
 
 /// Get a profile's banner image
-/// `/api/v1/auth/profile/{id}/banner`
+/// `/api/v1/auth/user/{id}/banner`
 pub async fn banner_request(
     Path(username): Path<String>,
     Extension(data): Extension<State>,
diff --git a/crates/app/src/routes/api/v1/auth/mod.rs b/crates/app/src/routes/api/v1/auth/mod.rs
index 0d51c02..3645674 100644
--- a/crates/app/src/routes/api/v1/auth/mod.rs
+++ b/crates/app/src/routes/api/v1/auth/mod.rs
@@ -140,6 +140,11 @@ pub async fn login_request(
         return (None, Json(Error::IncorrectPassword.into()));
     }
 
+    // verify totp code
+    if !data.check_totp(&user, &props.totp) {
+        return (None, Json(Error::NotAllowed.into()));
+    }
+
     // update tokens
     let mut new_tokens = user.tokens.clone();
     let (unhashed_token_id, token) = User::create_token(&real_ip);
diff --git a/crates/app/src/routes/api/v1/auth/profile.rs b/crates/app/src/routes/api/v1/auth/profile.rs
index 11ded2b..5e9466e 100644
--- a/crates/app/src/routes/api/v1/auth/profile.rs
+++ b/crates/app/src/routes/api/v1/auth/profile.rs
@@ -1,9 +1,11 @@
 use crate::{
-    State, get_user_from_token,
+    get_user_from_token,
     model::{ApiReturn, Error},
     routes::api::v1::{
-        DeleteUser, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole, UpdateUserUsername,
+        DeleteUser, DisableTotp, UpdateUserIsVerified, UpdateUserPassword, UpdateUserRole,
+        UpdateUserUsername,
     },
+    State,
 };
 use axum::{
     Extension, Json,
@@ -11,9 +13,12 @@ use axum::{
     response::{IntoResponse, Redirect},
 };
 use axum_extra::extract::CookieJar;
-use tetratto_core::model::{
-    auth::{Token, UserSettings},
-    permissions::FinePermission,
+use tetratto_core::{
+    model::{
+        auth::{Token, UserSettings},
+        permissions::FinePermission,
+    },
+    DataManager,
 };
 
 pub async fn redirect_from_id(
@@ -264,3 +269,120 @@ pub async fn delete_user_request(
         Err(e) => Json(e.into()),
     }
 }
+
+/// Enable TOTP for a user.
+pub async fn enable_totp_request(
+    jar: CookieJar,
+    Path(id): Path<usize>,
+    Extension(data): Extension<State>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let user = match get_user_from_token!(jar, data) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    match data.enable_totp(id, user).await {
+        Ok(x) => Json(ApiReturn {
+            ok: true,
+            message: "TOTP enabled".to_string(),
+            payload: Some(x),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
+
+/// Disable TOTP for a user.
+pub async fn disable_totp_request(
+    jar: CookieJar,
+    Path(id): Path<usize>,
+    Extension(data): Extension<State>,
+    Json(req): Json<DisableTotp>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let user = match get_user_from_token!(jar, data) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    // check totp code
+    let other_user = match data.get_user_by_id(id).await {
+        Ok(u) => u,
+        Err(e) => return Json(e.into()),
+    };
+
+    if !data.check_totp(&other_user, &req.totp) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    // ...
+    match data.update_user_totp(id, &String::new(), &Vec::new()).await {
+        Ok(()) => Json(ApiReturn {
+            ok: true,
+            message: "TOTP disabled".to_string(),
+            payload: (),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
+
+/// Refresh TOTP recovery codes for a user.
+pub async fn refresh_totp_codes_request(
+    jar: CookieJar,
+    Path(id): Path<usize>,
+    Extension(data): Extension<State>,
+    Json(req): Json<DisableTotp>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let user = match get_user_from_token!(jar, data) {
+        Some(ua) => ua,
+        None => return Json(Error::NotAllowed.into()),
+    };
+
+    if user.id != id && !user.permissions.check(FinePermission::MANAGE_USERS) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    // check totp code
+    let other_user = match data.get_user_by_id(id).await {
+        Ok(u) => u,
+        Err(e) => return Json(e.into()),
+    };
+
+    if !data.check_totp(&other_user, &req.totp) {
+        return Json(Error::NotAllowed.into());
+    }
+
+    // ...
+    let recovery_codes = DataManager::generate_totp_recovery_codes();
+    match data.update_user_totp(id, &user.totp, &recovery_codes).await {
+        Ok(()) => Json(ApiReturn {
+            ok: true,
+            message: "Recovery codes refreshed".to_string(),
+            payload: Some(recovery_codes),
+        }),
+        Err(e) => Json(e.into()),
+    }
+}
+
+/// Check if the given user has TOTP enabled.
+pub async fn has_totp_enabled_request(
+    Path(username): Path<String>,
+    Extension(data): Extension<State>,
+) -> impl IntoResponse {
+    let data = &(data.read().await).0;
+    let user = match data.get_user_by_username(&username).await {
+        Ok(u) => u,
+        Err(e) => return Json(e.into()),
+    };
+
+    Json(ApiReturn {
+        ok: true,
+        message: "User exists".to_string(),
+        payload: Some(!user.totp.is_empty()),
+    })
+}
diff --git a/crates/app/src/routes/api/v1/auth/social.rs b/crates/app/src/routes/api/v1/auth/social.rs
index fd68a3a..9d41225 100644
--- a/crates/app/src/routes/api/v1/auth/social.rs
+++ b/crates/app/src/routes/api/v1/auth/social.rs
@@ -36,7 +36,7 @@ pub async fn follow_request(
                     .create_notification(Notification::new(
                         "Somebody has followed you!".to_string(),
                         format!(
-                            "You have been followed by [@{}](/api/v1/auth/profile/find/{}).",
+                            "You have been followed by [@{}](/api/v1/auth/user/find/{}).",
                             user.username, user.id
                         ),
                         id,
diff --git a/crates/app/src/routes/api/v1/communities/images.rs b/crates/app/src/routes/api/v1/communities/images.rs
index 5759968..c2a95bf 100644
--- a/crates/app/src/routes/api/v1/communities/images.rs
+++ b/crates/app/src/routes/api/v1/communities/images.rs
@@ -57,7 +57,7 @@ pub async fn avatar_request(
 }
 
 /// Get a profile's banner image
-/// `/api/v1/auth/profile/{id}/banner`
+/// `/api/v1/auth/user/{id}/banner`
 pub async fn banner_request(
     Path(id): Path<usize>,
     Extension(data): Extension<State>,
@@ -120,9 +120,11 @@ pub async fn upload_avatar_request(
         Err(e) => return Json(e.into()),
     };
 
-    if auth_user.id != community.owner && !auth_user
+    if auth_user.id != community.owner
+        && !auth_user
             .permissions
-            .check(FinePermission::MANAGE_COMMUNITIES) {
+            .check(FinePermission::MANAGE_COMMUNITIES)
+    {
         return Json(Error::NotAllowed.into());
     }
 
@@ -173,9 +175,11 @@ pub async fn upload_banner_request(
         Err(e) => return Json(e.into()),
     };
 
-    if auth_user.id != community.owner && !auth_user
+    if auth_user.id != community.owner
+        && !auth_user
             .permissions
-            .check(FinePermission::MANAGE_COMMUNITIES) {
+            .check(FinePermission::MANAGE_COMMUNITIES)
+    {
         return Json(Error::NotAllowed.into());
     }
 
diff --git a/crates/app/src/routes/api/v1/mod.rs b/crates/app/src/routes/api/v1/mod.rs
index 70cff74..cec54c7 100644
--- a/crates/app/src/routes/api/v1/mod.rs
+++ b/crates/app/src/routes/api/v1/mod.rs
@@ -104,57 +104,58 @@ pub fn routes() -> Router {
             post(auth::images::upload_banner_request),
         )
         // profile
+        .route("/auth/user/{id}/avatar", get(auth::images::avatar_request))
+        .route("/auth/user/{id}/banner", get(auth::images::banner_request))
+        .route("/auth/user/{id}/follow", post(auth::social::follow_request))
+        .route("/auth/user/{id}/block", post(auth::social::block_request))
         .route(
-            "/auth/profile/{id}/avatar",
-            get(auth::images::avatar_request),
-        )
-        .route(
-            "/auth/profile/{id}/banner",
-            get(auth::images::banner_request),
-        )
-        .route(
-            "/auth/profile/{id}/follow",
-            post(auth::social::follow_request),
-        )
-        .route(
-            "/auth/profile/{id}/block",
-            post(auth::social::block_request),
-        )
-        .route(
-            "/auth/profile/{id}/settings",
+            "/auth/user/{id}/settings",
             post(auth::profile::update_user_settings_request),
         )
         .route(
-            "/auth/profile/{id}/role",
+            "/auth/user/{id}/role",
             post(auth::profile::update_user_role_request),
         )
         .route(
-            "/auth/profile/{id}",
+            "/auth/user/{id}",
             delete(auth::profile::delete_user_request),
         )
         .route(
-            "/auth/profile/{id}/password",
+            "/auth/user/{id}/password",
             post(auth::profile::update_user_password_request),
         )
         .route(
-            "/auth/profile/{id}/username",
+            "/auth/user/{id}/username",
             post(auth::profile::update_user_username_request),
         )
         .route(
-            "/auth/profile/{id}/tokens",
+            "/auth/user/{id}/tokens",
             post(auth::profile::update_user_tokens_request),
         )
         .route(
-            "/auth/profile/{id}/verified",
+            "/auth/user/{id}/verified",
             post(auth::profile::update_user_is_verified_request),
         )
-        .route("/auth/profile/me/seen", post(auth::profile::seen_request))
         .route(
-            "/auth/profile/find/{id}",
-            get(auth::profile::redirect_from_id),
+            "/auth/user/{id}/totp",
+            post(auth::profile::enable_totp_request),
         )
         .route(
-            "/auth/profile/find_by_ip/{ip}",
+            "/auth/user/{id}/totp",
+            delete(auth::profile::disable_totp_request),
+        )
+        .route(
+            "/auth/user/{id}/totp/codes",
+            post(auth::profile::refresh_totp_codes_request),
+        )
+        .route(
+            "/auth/user/{username}/totp/check",
+            get(auth::profile::has_totp_enabled_request),
+        )
+        .route("/auth/user/me/seen", post(auth::profile::seen_request))
+        .route("/auth/user/find/{id}", get(auth::profile::redirect_from_id))
+        .route(
+            "/auth/user/find_by_ip/{ip}",
             get(auth::profile::redirect_from_ip),
         )
         // notifications
@@ -196,6 +197,8 @@ pub fn routes() -> Router {
 pub struct LoginProps {
     pub username: String,
     pub password: String,
+    #[serde(default)]
+    pub totp: String,
 }
 
 #[derive(Deserialize)]
@@ -308,3 +311,8 @@ pub struct DeleteUser {
 pub struct CreateIpBan {
     pub reason: String,
 }
+
+#[derive(Deserialize)]
+pub struct DisableTotp {
+    pub totp: String,
+}
diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml
index 99f4219..fa7cfe0 100644
--- a/crates/core/Cargo.toml
+++ b/crates/core/Cargo.toml
@@ -16,6 +16,7 @@ toml = "0.8.20"
 tetratto-shared = { path = "../shared" }
 tetratto-l10n = { path = "../l10n" }
 serde_json = "1.0.140"
+totp-rs = { version = "5.6.0", features = ["qr", "gen_secret"] }
 
 redis = { version = "0.29.2", optional = true }
 
diff --git a/crates/core/src/database/auth.rs b/crates/core/src/database/auth.rs
index 7de1c19..1510927 100644
--- a/crates/core/src/database/auth.rs
+++ b/crates/core/src/database/auth.rs
@@ -9,6 +9,7 @@ use crate::model::{
 use crate::{auto_method, execute, get, query_row, params};
 use pathbufd::PathBufD;
 use std::fs::{exists, remove_file};
+use std::usize;
 use tetratto_shared::hash::{hash_salted, salt};
 use tetratto_shared::unix_epoch_timestamp;
 
@@ -42,6 +43,8 @@ impl DataManager {
             follower_count: get!(x->10(i32)) as usize,
             following_count: get!(x->11(i32)) as usize,
             last_seen: get!(x->12(i64)) as usize,
+            totp: get!(x->13(String)),
+            recovery_codes: serde_json::from_str(&get!(x->14(String)).to_string()).unwrap(),
         }
     }
 
@@ -111,7 +114,7 @@ impl DataManager {
 
         let res = execute!(
             &conn,
-            "INSERT INTO users VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)",
+            "INSERT INTO users VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)",
             params![
                 &(data.id as i64),
                 &(data.created as i64),
@@ -126,6 +129,8 @@ impl DataManager {
                 &(0 as i32),
                 &(0 as i32),
                 &(data.last_seen as i64),
+                &String::new(),
+                &"[]"
             ]
         );
 
@@ -414,6 +419,138 @@ impl DataManager {
         Ok(())
     }
 
+    /// Validate a given TOTP code for the given profile.
+    pub fn check_totp(&self, ua: &User, code: &str) -> bool {
+        let totp = ua.totp(Some(
+            self.0
+                .banned_hosts
+                .get(0)
+                .unwrap_or(&"https://tetratto.com".to_string())
+                .replace("http://", "")
+                .replace("https://", "")
+                .replace(":", "_"),
+        ));
+
+        if let Some(totp) = totp {
+            return !code.is_empty()
+                && (totp.check_current(code).unwrap()
+                    | ua.recovery_codes.contains(&code.to_string()));
+        }
+
+        true
+    }
+
+    /// Generate 8 random recovery codes for TOTP.
+    pub fn generate_totp_recovery_codes() -> Vec<String> {
+        let mut out: Vec<String> = Vec::new();
+
+        for _ in 0..9 {
+            out.push(salt())
+        }
+
+        out
+    }
+
+    /// Update the profile's TOTP secret.
+    ///
+    /// # Arguments
+    /// * `id` - the ID of the user
+    /// * `secret` - the TOTP secret
+    /// * `recovery` - the TOTP recovery codes
+    pub async fn update_user_totp(
+        &self,
+        id: usize,
+        secret: &str,
+        recovery: &Vec<String>,
+    ) -> Result<()> {
+        let user = self.get_user_by_id(id).await?;
+
+        // update
+        let conn = match self.connect().await {
+            Ok(c) => c,
+            Err(e) => return Err(Error::DatabaseConnection(e.to_string())),
+        };
+
+        let res = execute!(
+            &conn,
+            "UPDATE users SET totp = $1, recovery_codes = $2 WHERE id = $3",
+            params![
+                &secret,
+                &serde_json::to_string(recovery).unwrap(),
+                &(id as i64)
+            ]
+        );
+
+        if let Err(e) = res {
+            return Err(Error::DatabaseError(e.to_string()));
+        }
+
+        self.cache_clear_user(&user).await;
+        Ok(())
+    }
+
+    /// Enable TOTP for a profile.
+    ///
+    /// # Arguments
+    /// * `id` - the ID of the user to enable TOTP for
+    /// * `user` - the user doing this
+    ///
+    /// # Returns
+    /// `Result<(secret, qr base64)>`
+    pub async fn enable_totp(
+        &self,
+        id: usize,
+        user: User,
+    ) -> Result<(String, String, Vec<String>)> {
+        let other_user = self.get_user_by_id(id).await?;
+
+        if other_user.id != user.id {
+            if other_user.permissions.check(FinePermission::MANAGE_USERS) {
+                // create audit log entry
+                self.create_audit_log_entry(AuditLogEntry::new(
+                    user.id,
+                    format!("invoked `enable_totp` with x value `{}`", other_user.id,),
+                ))
+                .await?;
+            } else {
+                return Err(Error::NotAllowed);
+            }
+        }
+
+        let secret = totp_rs::Secret::default().to_string();
+        let recovery = Self::generate_totp_recovery_codes();
+        self.update_user_totp(id, &secret, &recovery).await?;
+
+        // fetch profile again (with totp information)
+        let other_user = self.get_user_by_id(id).await?;
+
+        // get totp
+        let totp = other_user.totp(Some(
+            self.0
+                .banned_hosts
+                .get(0)
+                .unwrap_or(&"https://tetratto.com".to_string())
+                .replace("http://", "")
+                .replace("https://", "")
+                .replace(":", "_"),
+        ));
+
+        if totp.is_none() {
+            return Err(Error::MiscError("Failed to get TOTP code".to_string()));
+        }
+
+        let totp = totp.unwrap();
+
+        // generate qr
+        let qr = match totp.get_qr_base64() {
+            Ok(q) => q,
+            Err(e) => return Err(Error::MiscError(e.to_string())),
+        };
+
+        // return
+        Ok((secret, qr, recovery))
+    }
+
     pub async fn cache_clear_user(&self, user: &User) {
         self.2.remove(format!("atto.user:{}", user.id)).await;
         self.2.remove(format!("atto.user:{}", user.username)).await;
diff --git a/crates/core/src/database/communities.rs b/crates/core/src/database/communities.rs
index 8f8d9cf..3b596ab 100644
--- a/crates/core/src/database/communities.rs
+++ b/crates/core/src/database/communities.rs
@@ -168,20 +168,27 @@ impl DataManager {
         }
 
         // check number of communities
-        let memberships = self.get_memberships_by_owner(data.owner).await?;
-        let mut admin_count = 0; // you can not make anymore communities if you are already admin of at least 5
+        let owner = self.get_user_by_id(data.owner).await?;
 
-        for membership in memberships {
-            if membership.role.check(CommunityPermission::ADMINISTRATOR) {
-                admin_count += 1;
+        if !owner
+            .permissions
+            .check(FinePermission::INFINITE_COMMUNITIES)
+        {
+            let memberships = self.get_memberships_by_owner(data.owner).await?;
+            let mut admin_count = 0; // you can not make anymore communities if you are already admin of at least 5
+
+            for membership in memberships {
+                if membership.role.check(CommunityPermission::ADMINISTRATOR) {
+                    admin_count += 1;
+                }
             }
-        }
 
-        if admin_count >= 5 {
-            return Err(Error::MiscError(
-                "You are already owner/co-owner of too many communities to create another"
-                    .to_string(),
-            ));
+            if admin_count >= 5 {
+                return Err(Error::MiscError(
+                    "You are already owner/co-owner of too many communities to create another"
+                        .to_string(),
+                ));
+            }
         }
 
         // make sure community doesn't already exist with title
diff --git a/crates/core/src/database/memberships.rs b/crates/core/src/database/memberships.rs
index 68b503a..265d35f 100644
--- a/crates/core/src/database/memberships.rs
+++ b/crates/core/src/database/memberships.rs
@@ -163,7 +163,7 @@ impl DataManager {
                     self.create_notification(Notification::new(
                         "You've received a community join request!".to_string(),
                         format!(
-                            "[Somebody](/api/v1/auth/profile/find/{}) is asking to join your [community](/community/{}).\n\n[Click here to review their request](/community/{}/manage?uid={}#/members).",
+                            "[Somebody](/api/v1/auth/user/find/{}) is asking to join your [community](/community/{}).\n\n[Click here to review their request](/community/{}/manage?uid={}#/members).",
                             data.owner, data.community, data.community, data.owner
                         ),
                         community.owner,
diff --git a/crates/core/src/database/posts.rs b/crates/core/src/database/posts.rs
index d9dfd92..63c6112 100644
--- a/crates/core/src/database/posts.rs
+++ b/crates/core/src/database/posts.rs
@@ -367,7 +367,7 @@ impl DataManager {
                     self.create_notification(Notification::new(
                         "You've been mentioned in a post!".to_string(),
                         format!(
-                            "[Somebody](/api/v1/auth/profile/find/{}) mentioned you in their [post](/post/{}).",
+                            "[Somebody](/api/v1/auth/user/find/{}) mentioned you in their [post](/post/{}).",
                             data.owner, data.id
                         ),
                         user.id,
@@ -380,7 +380,7 @@ impl DataManager {
 
             data.content = data.content.replace(
                 &format!("@{username}"),
-                &format!("[@{username}](/api/v1/auth/profile/find/{})", user.id),
+                &format!("[@{username}](/api/v1/auth/user/find/{})", user.id),
             );
         }
 
@@ -427,7 +427,7 @@ impl DataManager {
                 self.create_notification(Notification::new(
                     "Your post has received a new comment!".to_string(),
                     format!(
-                        "[@{}](/api/v1/auth/profile/find/{}) has commented on your [post](/post/{}).",
+                        "[@{}](/api/v1/auth/user/find/{}) has commented on your [post](/post/{}).",
                         owner.username, owner.id, rt.id
                     ),
                     rt.owner,
diff --git a/crates/core/src/database/reactions.rs b/crates/core/src/database/reactions.rs
index 3ee489a..7c82e39 100644
--- a/crates/core/src/database/reactions.rs
+++ b/crates/core/src/database/reactions.rs
@@ -107,7 +107,7 @@ impl DataManager {
                             .create_notification(Notification::new(
                                 "Your community has received a like!".to_string(),
                                 format!(
-                                    "[@{}](/api/v1/auth/profile/find/{}) has liked your [community](/api/v1/communities/find/{})!",
+                                    "[@{}](/api/v1/auth/user/find/{}) has liked your [community](/api/v1/communities/find/{})!",
                                     user.username, user.id, community.id
                                 ),
                                 community.owner,
@@ -136,7 +136,7 @@ impl DataManager {
                             .create_notification(Notification::new(
                                 "Your post has received a like!".to_string(),
                                 format!(
-                                    "[@{}](/api/v1/auth/profile/find/{}) has liked your post!",
+                                    "[@{}](/api/v1/auth/user/find/{}) has liked your post!",
                                     user.username, user.id
                                 ),
                                 post.owner,
diff --git a/crates/core/src/model/auth.rs b/crates/core/src/model/auth.rs
index 1a3b818..061f9cb 100644
--- a/crates/core/src/model/auth.rs
+++ b/crates/core/src/model/auth.rs
@@ -1,5 +1,6 @@
 use super::permissions::FinePermission;
 use serde::{Deserialize, Serialize};
+use totp_rs::TOTP;
 use tetratto_shared::{
     hash::{hash_salted, salt},
     snow::AlmostSnowflake,
@@ -24,6 +25,12 @@ pub struct User {
     pub follower_count: usize,
     pub following_count: usize,
     pub last_seen: usize,
+    /// The TOTP secret for this profile. An empty value means the user has TOTP disabled.
+    #[serde(default)]
+    pub totp: String,
+    /// The TOTP recovery codes for this profile.
+    #[serde(default)]
+    pub recovery_codes: Vec<String>,
 }
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
@@ -100,6 +107,8 @@ impl User {
             follower_count: 0,
             following_count: 0,
             last_seen: unix_epoch_timestamp() as usize,
+            totp: String::new(),
+            recovery_codes: Vec::new(),
         }
     }
 
@@ -184,6 +193,26 @@ impl User {
         // return
         out
     }
+
+    /// Get a [`TOTP`] from the profile's `totp` secret value.
+    pub fn totp(&self, issuer: Option<String>) -> Option<TOTP> {
+        if self.totp.is_empty() {
+            return None;
+        }
+
+        match TOTP::new(
+            totp_rs::Algorithm::SHA1,
+            6,
+            1,
+            30,
+            self.totp.as_bytes().to_owned(),
+            Some(issuer.unwrap_or("tetratto!".to_string())),
+            self.username.clone(),
+        ) {
+            Ok(t) => Some(t),
+            Err(_) => None,
+        }
+    }
 }
 
 #[derive(Debug, Serialize, Deserialize)]
diff --git a/crates/core/src/model/permissions.rs b/crates/core/src/model/permissions.rs
index cfa315f..db4a1e5 100644
--- a/crates/core/src/model/permissions.rs
+++ b/crates/core/src/model/permissions.rs
@@ -26,6 +26,7 @@ bitflags! {
         const MANAGE_AUDITLOG = 1 << 15;
         const MANAGE_REPORTS = 1 << 16;
         const BANNED = 1 << 17;
+        const INFINITE_COMMUNITIES = 1 << 18;
 
         const _ = !0;
     }
diff --git a/crates/shared/Cargo.toml b/crates/shared/Cargo.toml
index bdab8a3..94bb5cd 100644
--- a/crates/shared/Cargo.toml
+++ b/crates/shared/Cargo.toml
@@ -9,7 +9,7 @@ license.workspace = true
 [dependencies]
 ammonia = "4.0.0"
 chrono = "0.4.40"
-comrak = "0.36.0"
+comrak = "0.37.0"
 hex_fmt = "0.3.0"
 num-bigint = "0.4.6"
 rand = "0.9.0"
diff --git a/sql_upgrades/totp.sql b/sql_upgrades/totp.sql
new file mode 100644
index 0000000..694fe78
--- /dev/null
+++ b/sql_upgrades/totp.sql
@@ -0,0 +1,5 @@
+ALTER TABLE users
+ADD COLUMN totp TEXT DEFAULT '';
+
+ALTER TABLE users
+ADD COLUMN recovery_codes TEXT DEFAULT '[]';