feat(auth): admin-issued café recovery key login

Platform admins can generate a permanent recovery key per café (admin panel → Cafés). The café Owner uses it to sign in when OTP access is lost; once authenticated, all server-side data syncs as normal (data is per-café on the server, the device only caches it). Backend: - Cafe.RecoveryKeyHash (SHA-256, unique index) + RecoveryKeyCreatedAt; migration - RecoveryKeyGenerator util: MZ-XXXXX-XXXXX-XXXXX-XXXXX, ~190-bit entropy, stored as SHA-256 (API-token pattern — raw key shown once, never retrievable) - Admin: POST/DELETE /api/admin/cafes/{id}/recovery-key (key returned once); café list now reports HasRecoveryKey + RecoveryKeyCreatedAt - Login: POST /api/auth/login-key → exact-hash lookup → resolves café Owner → issues normal JWT; rate-limited (auth-otp), suspended/no-owner guarded, logged Admin UI: per-café generate / regenerate / revoke with one-time reveal + copy. Dashboard login: discreet "ورود با کلید بازیابی" link → key field. fa/en/ar. 86 tests pass; all tsc clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 15:10:11 +03:30
parent 76d4434581
commit a855cf1d80
19 changed files with 3871 additions and 10 deletions
@@ -61,6 +61,11 @@
    "password": "كلمة المرور",
    "passwordPlaceholder": "كلمة المرور",
    "invalidCredentials": "اسم المستخدم أو كلمة المرور غير صحيحة.",
+    "invalidKey": "مفتاح الاستعادة غير صالح.",
+    "recoveryKey": "مفتاح الاستعادة",
+    "keyHint": "أدخل مفتاح الاستعادة الذي حصلت عليه من دعم ميزي.",
+    "useRecoveryKey": "فقدت الوصول؟ سجّل الدخول بمفتاح الاستعادة",
+    "backToNormalLogin": "العودة إلى تسجيل الدخول العادي",
    "kojaSlug": "عنوان الملف الشخصي في كوجا",
    "kojaSlugHint": "يجد الزوار مقهاكم على هذا العنوان",
    "kojaSlugPlaceholder": "مثال: my-cafe"