Add docs for MFA totp

[jnfrati]

configuration files updates:

Enable MFA for local users

Summary by CodeRabbit

• Documentation
  • Added a new documentation page for enabling multi-factor authentication (MFA) for local users in self-hosted deployments, including setup steps and configuration guidance.
  • Added documentation for MFA session timeout configuration options (mfaSessionMaxLifetime and mfaSessionIdleTimeout).
  • Updated documentation navigation to include the new MFA setup guide.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds complete documentation for the new Local MFA (TOTP-based) authentication feature in self-hosted NetBird. It introduces a new documentation page explaining how to enable and configure local MFA, adds configuration field documentation, and updates the navigation structure to link to the new guidance.

Changes

Local MFA Documentation

Layer / File(s)	Summary
Local MFA feature documentation page src/pages/selfhosted/identity-providers/enable-local-mfa.mdx	New MDX page covering prerequisites, dashboard UI steps for enabling local MFA, user experience on first and subsequent logins (with embedded images), MFA session lifetime configuration for both combined and multi-container deployments, and disabling instructions with warnings about retained authenticator data.
MFA session configuration documentation src/pages/selfhosted/configuration-files.mdx	Added config.yaml documentation for two new MFA session fields: server.auth.mfaSessionMaxLifetime (default "24h") and server.auth.mfaSessionIdleTimeout (default "1h"), both applicable when local MFA is enabled.
Navigation link and structure src/components/NavigationDocs.jsx	Added "Enable MFA for local users" navigation link under Self-Host → Authentication → Local Users section, with file formatting adjustment at component closure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hop through MFA mystique
Two-factor paths, authentication sleek
Local users now can verify
With TOTP codes to rely
Security blooms, docs complete and neat! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add docs for MFA totp' accurately describes the primary change—adding documentation for MFA TOTP functionality across three files including a new comprehensive guide page.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/mfa-local-totp-docs

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

src/components/NavigationDocs.jsx

Oops! Something went wrong! :(

ESLint: 9.39.4

TypeError: Converting circular structure to JSON
--> starting at object with constructor 'Object'
| property 'configs' -> object with constructor 'Object'
| property 'flat' -> object with constructor 'Object'
| ...
| property 'plugins' -> object with constructor 'Object'
--- property 'react' closes the circle
Referenced from:
at JSON.stringify ()
at file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:308:45
at Array.map ()
at ConfigValidator.formatErrors (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:299:23)
at ConfigValidator.validateConfigSchema (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:330:84)
at ConfigArrayFactory._normalizeConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:676:19)
at ConfigArrayFactory._loadConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:641:21)
at ConfigArrayFactory._loadExtendedShareableConfig (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:946:21)
at ConfigArrayFactory._loadExtends (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:814:25)
at ConfigArrayFactory._normalizeObjectConfigDataBody (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:752:25)

src/pages/selfhosted/configuration-files.mdx

Oops! Something went wrong! :(

ESLint: 9.39.4

TypeError: Converting circular structure to JSON
--> starting at object with constructor 'Object'
| property 'configs' -> object with constructor 'Object'
| property 'flat' -> object with constructor 'Object'
| ...
| property 'plugins' -> object with constructor 'Object'
--- property 'react' closes the circle
Referenced from:
at JSON.stringify ()
at file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:308:45
at Array.map ()
at ConfigValidator.formatErrors (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:299:23)
at ConfigValidator.validateConfigSchema (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:330:84)
at ConfigArrayFactory._normalizeConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:676:19)
at ConfigArrayFactory._loadConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:641:21)
at ConfigArrayFactory._loadExtendedShareableConfig (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:946:21)
at ConfigArrayFactory._loadExtends (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:814:25)
at ConfigArrayFactory._normalizeObjectConfigDataBody (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:752:25)

src/pages/selfhosted/identity-providers/enable-local-mfa.mdx

Oops! Something went wrong! :(

ESLint: 9.39.4

TypeError: Converting circular structure to JSON
--> starting at object with constructor 'Object'
| property 'configs' -> object with constructor 'Object'
| property 'flat' -> object with constructor 'Object'
| ...
| property 'plugins' -> object with constructor 'Object'
--- property 'react' closes the circle
Referenced from:
at JSON.stringify ()
at file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:308:45
at Array.map ()
at ConfigValidator.formatErrors (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:299:23)
at ConfigValidator.validateConfigSchema (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:330:84)
at ConfigArrayFactory._normalizeConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:676:19)
at ConfigArrayFactory._loadConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:641:21)
at ConfigArrayFactory._loadExtendedShareableConfig (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:946:21)
at ConfigArrayFactory._loadExtends (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:814:25)
at ConfigArrayFactory._normalizeObjectConfigDataBody (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:752:25)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pages/selfhosted/identity-providers/enable-local-mfa.mdx`:
- Line 9: Update the opening behavior sentence to match the "MFA session"
section: change the claim that TOTP is required "on every login" to state that
TOTP is required for each authentication unless an active MFA session is present
(referencing the "MFA session" section describing session-based skipping);
ensure the text makes clear the first login or any authentication after session
expiry always requires TOTP while active sessions allow skipping MFA until they
expire.
- Around line 114-115: The warning sentence "Disable MFA removes the TOTP
requirement but **does not** remove the stored TOTP authenticator information.
If you enable MFA again previously enrolled users will be prompted for the same
authenticator they registered previously." is awkward and should be replaced
with a clearer, grammatically correct phrasing; update the text in
src/pages/selfhosted/identity-providers/enable-local-mfa.mdx to something like:
"Disabling MFA removes the TOTP requirement but does not delete stored TOTP
authenticator data; if you re-enable MFA, previously enrolled users will be
prompted to use the same authenticator they registered earlier." Ensure the new
sentence preserves the original security warning and punctuation for clarity.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a23a340-e378-4435-b2f8-6b9541b4c4a5

📥 Commits

Reviewing files that changed from the base of the PR and between f3ee9f9 and 63d5aa6.

⛔ Files ignored due to path filters (2)

• public/docs-static/img/selfhosted/identity-providers/local-mfa/totp-setup.png is excluded by !**/*.png
• public/docs-static/img/selfhosted/identity-providers/local-mfa/totp-verify.png is excluded by !**/*.png

📒 Files selected for processing (3)

• src/components/NavigationDocs.jsx
• src/pages/selfhosted/configuration-files.mdx
• src/pages/selfhosted/identity-providers/enable-local-mfa.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Behavior statement conflicts with MFA session semantics.

Line 9 says users must enter TOTP on every login, but the MFA session section (Lines 58-62) says users can skip MFA while the session is active. Please align this wording to avoid misleading operators.

Suggested wording

-This is useful when you want to add an extra layer of security to local users, as it will require **all** local users to authenticate using the TOTP code on every login.
+This is useful when you want to add an extra layer of security to local users, as it requires **all** local users to complete TOTP during sign-in whenever their MFA session is not active.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	This is useful when you want to add an extra layer of security to local users, as it will require **all** local users to authenticate using the TOTP code on every login.
	This is useful when you want to add an extra layer of security to local users, as it requires **all** local users to complete TOTP during sign-in whenever their MFA session is not active.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/selfhosted/identity-providers/enable-local-mfa.mdx` at line 9,
Update the opening behavior sentence to match the "MFA session" section: change
the claim that TOTP is required "on every login" to state that TOTP is required
for each authentication unless an active MFA session is present (referencing the
"MFA session" section describing session-based skipping); ensure the text makes
clear the first login or any authentication after session expiry always requires
TOTP while active sessions allow skipping MFA until they expire.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify the warning sentence grammar.

The warning text is grammatically off and harder to parse in a security-sensitive section.

Suggested wording

-Disable MFA removes the TOTP requirement but **does not** remove the stored TOTP authenticator information. If you enable MFA again 
-previously enrolled users will be prompted for the same authenticator they registered previously. 
+Disabling MFA removes the TOTP requirement but **does not** remove stored authenticator enrollment data. If you enable MFA again, previously enrolled users will be prompted to use the same authenticator.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Disable MFA removes the TOTP requirement but **does not** remove the stored TOTP authenticator information. If you enable MFA again
	previously enrolled users will be prompted for the same authenticator they registered previously.
	Disabling MFA removes the TOTP requirement but **does not** remove stored authenticator enrollment data. If you enable MFA again, previously enrolled users will be prompted to use the same authenticator.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/selfhosted/identity-providers/enable-local-mfa.mdx` around lines
114 - 115, The warning sentence "Disable MFA removes the TOTP requirement but
**does not** remove the stored TOTP authenticator information. If you enable MFA
again previously enrolled users will be prompted for the same authenticator they
registered previously." is awkward and should be replaced with a clearer,
grammatically correct phrasing; update the text in
src/pages/selfhosted/identity-providers/enable-local-mfa.mdx to something like:
"Disabling MFA removes the TOTP requirement but does not delete stored TOTP
authenticator data; if you re-enable MFA, previously enrolled users will be
prompted to use the same authenticator they registered earlier." Ensure the new
sentence preserves the original security warning and punctuation for clarity.