Shared accounts

Open easis opened this issue 6 months ago • 1 comments

DISCLAIMER: This was totally vibe-coded (even this PR) but reviewed by me.


Implement shared accounts functionality

Fixes #289

What this adds

Complete shared accounts system that allows users to share their 2FA accounts with other users while maintaining proper ownership and permissions.

Features

Core functionality

  • Account sharing: Users can mark their accounts as shared, making them visible to other users
  • Ownership-based permissions: Only account creators can edit, delete, or manage their accounts (even when shared)
  • Read-only access: Other users can view and copy OTP codes from shared accounts but cannot modify them

Frontend improvements

  • Visual indicators: Shared accounts show a share icon, read-only accounts are grayed out with dashed borders
  • Smart management mode: Controls (checkboxes, edit buttons, drag handles) only appear for accounts you own
  • Filtered selection: "Select All" only selects accounts you can actually edit
  • Proper click handling: Clicking read-only accounts does nothing instead of causing errors

Changes

Backend

  • Added is_shared field to accounts model and migration
  • Implemented authorization policies to enforce ownership rules
  • Added user_id to API responses for frontend ownership checks
  • Updated resources to include sharing information

Frontend

  • canEditAccount() function to check ownership permissions
  • Conditional rendering of management controls based on ownership
  • Visual styling for read-only accounts (is-read-only CSS class)
  • Updated selectAll() to respect ownership rules
  • Share indicators in account listings

Tests

  • Comprehensive policy tests for shared account authorization
  • Frontend behavior tests for read-only interactions
  • API response validation tests
  • 21/21 tests passing

How it works

Your own accounts: Full control - edit, delete, reorder, select, and optionally share with others

Shared accounts from others: View-only access - can see account details and copy OTP codes, but cannot modify or select in management mode

Private accounts from others: Not visible at all

Security

All sharing permissions are enforced at the backend level with Laravel policies. Frontend changes are purely for UX - unauthorized requests still return proper 403 responses.

easis avatar Jun 23 '25 12:06 easis
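
The permission rules listed under "How it works" and "Security" above, as an added JavaScript example that is not code from this PR or from 2FAuth (the PR enforces them with Laravel policies). Only the field names is_shared and user_id come from the PR description; the ability names and the functions authorize(), visibleAccounts() and handle() are hypothetical.

```javascript
// Added example: models the sharing rules from the PR description.
// is_shared and user_id are from the PR; all other names are hypothetical.
const READ = new Set(['view', 'otp']);
const WRITE = new Set(['update', 'delete', 'reorder', 'share']);

// Server-side decision. Fails closed on an unknown ability, a missing user,
// or ids that are not integers (so "1" never matches 1 by loose comparison).
function authorize(user, ability, account) {
  if (!user || !account) return false;
  if (!Number.isInteger(user.id) || !Number.isInteger(account.user_id)) return false;
  const owner = user.id === account.user_id;
  if (WRITE.has(ability)) return owner;
  if (READ.has(ability)) return owner || account.is_shared === true;
  return false;
}

// Listings reuse the same rule, so private accounts of other users are
// filtered out on the server instead of being hidden by the UI.
function visibleAccounts(user, accounts) {
  return accounts.filter((a) => authorize(user, 'view', a));
}

// Stand-in for a request handler: the status depends only on authorize(),
// never on what the client says about ownership.
function handle(user, ability, account) {
  return authorize(user, ability, account) ? 200 : 403;
}

// Constructed sample data.
const alice = { id: 1 };
const bob = { id: 2 };
const accounts = [
  { id: 10, user_id: 1, is_shared: false },
  { id: 11, user_id: 1, is_shared: true },
  { id: 12, user_id: 2, is_shared: false },
];

function demo() {
  return {
    bobSees: visibleAccounts(bob, accounts).map((a) => a.id),
    bobReadsShared: handle(bob, 'otp', accounts[1]),
    bobEditsShared: handle(bob, 'update', accounts[1]),
    bobReadsPrivate: handle(bob, 'otp', accounts[0]),
    // Extra client-supplied fields are ignored by the decision.
    extraField: handle(bob, 'delete', { ...accounts[1], owned_by_me: true }),
    stringId: handle({ id: '1' }, 'update', accounts[0]),
    aliceEditsOwn: handle(alice, 'update', accounts[1]),
  };
}
```
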

Hi, I was planning to release v6 without major changes but only the ongoing front-end refactor. Your PR will probably change my plans. However, I need to take a closer look at it, as it will require some adjustments, especially at the UX level. That said, it seems to be a solid foundation for the global sharing option. Thx 😃

Bubka avatar Jun 30 '25 09:06 Bubka