steam 2fa for polling and security

cmd/api/main.go

@@ -17,7 +17,6 @@ import (
 
 func main() {
 	configs.Init()
-	jwt.Init()
 	// Initialize new logging system
 	if err := logging.InitializeLogging(); err != nil {
 		fmt.Printf("Failed to initialize logging system: %v\n", err)
@@ -37,6 +36,8 @@ func main() {
 	logging.InfoStartup("APPLICATION", "ACC Server Manager starting up")
 
 	di := dig.New()
+	di.Provide(func() *jwt.JWTHandler { return jwt.NewJWTHandler(os.Getenv("JWT_SECRET")) })
+	di.Provide(func() *jwt.OpenJWTHandler { return jwt.NewOpenJWTHandler(os.Getenv("JWT_SECRET_OPEN")) })
 	cache.Start(di)
 	db.Start(di)
 	server.Start(di)

docs/STEAM_2FA_IMPLEMENTATION.md

@@ -0,0 +1,243 @@
+# Steam 2FA Implementation Documentation
+
+## Overview
+
+This document describes the implementation of Steam Two-Factor Authentication (2FA) support for the ACC Server Manager. When SteamCMD requires 2FA confirmation during server installation or updates, the system now signals the frontend and waits for user confirmation before proceeding.
+
+## Architecture
+
+The 2FA implementation consists of several interconnected components:
+
+### Backend Components
+
+1. **Steam2FAManager** (`local/model/steam_2fa.go`)
+   - Thread-safe management of 2FA requests
+   - Request lifecycle tracking (pending → complete/error)
+   - Channel-based waiting mechanism for synchronization
+
+2. **InteractiveCommandExecutor** (`local/utl/command/interactive_executor.go`)
+   - Monitors SteamCMD output for 2FA prompts
+   - Creates 2FA requests when prompts are detected
+   - Waits for user confirmation before proceeding
+
+3. **Steam2FAController** (`local/controller/steam_2fa.go`)
+   - REST API endpoints for 2FA management
+   - Handles frontend requests to complete/cancel 2FA
+
+4. **Updated SteamService** (`local/service/steam_service.go`)
+   - Uses InteractiveCommandExecutor for SteamCMD operations
+   - Passes server context to 2FA requests
+
+### Frontend Components
+
+1. **Steam2FA Store** (`src/stores/steam2fa.ts`)
+   - Svelte store for managing 2FA state
+   - Automatic polling for pending requests
+   - API communication methods
+
+2. **Steam2FANotification Component** (`src/components/Steam2FANotification.svelte`)
+   - Modal UI for 2FA confirmation
+   - Automatic display when requests are pending
+   - User interaction handling
+
+3. **Type Definitions** (`src/models/steam2fa.ts`)
+   - TypeScript interfaces for 2FA data structures
+
+## API Endpoints
+
+### GET /v1/steam2fa/pending
+Returns all pending 2FA requests.
+
+**Response:**
+```json
+[
+  {
+    "id": "uuid-string",
+    "status": "pending",
+    "message": "Steam Guard prompt message",
+    "requestTime": "2024-01-01T12:00:00Z",
+    "serverId": "server-uuid"
+  }
+]
+```
+
+### GET /v1/steam2fa/{id}
+Returns a specific 2FA request by ID.
+
+### POST /v1/steam2fa/{id}/complete
+Marks a 2FA request as completed, allowing SteamCMD to proceed.
+
+### POST /v1/steam2fa/{id}/cancel
+Cancels a 2FA request, causing the SteamCMD operation to fail.
+
+## Flow Diagram
+
+```
+SteamCMD Operation
+        ↓
+InteractiveCommandExecutor monitors output
+        ↓
+2FA prompt detected
+        ↓
+Steam2FARequest created
+        ↓
+Frontend polls and detects request
+        ↓
+Modal appears for user
+        ↓
+User confirms in Steam Mobile App
+        ↓
+User clicks "I've Confirmed"
+        ↓
+API call to complete request
+        ↓
+SteamCMD operation continues
+```
+
+## Configuration
+
+### Backend Configuration
+
+The system uses existing configuration patterns. No additional environment variables are required.
+
+### Frontend Configuration
+
+The API base URL is automatically configured as `/v1` to match the backend prefix.
+
+Polling interval is set to 5 seconds by default and can be modified in `steam2fa.ts`:
+
+```typescript
+const POLLING_INTERVAL = 5000; // milliseconds
+```
+
+## Security Considerations
+
+1. **Authentication Required**: All 2FA endpoints require user authentication
+2. **Permission-Based Access**: Uses existing `ServerView` and `ServerUpdate` permissions
+3. **Request Cleanup**: Automatic cleanup of old requests (30 minutes) prevents memory leaks
+4. **No Sensitive Data**: No Steam credentials are exposed through the 2FA system
+
+## Error Handling
+
+### Backend Error Handling
+- Timeouts after 5 minutes if no user response
+- Proper error propagation to calling services
+- Comprehensive logging for debugging
+
+### Frontend Error Handling
+- Network error handling with user feedback
+- Automatic retry mechanisms
+- Graceful degradation when API is unavailable
+
+## Usage Instructions
+
+### For Developers
+
+1. **Adding New 2FA Prompts**: Extend the `is2FAPrompt` function in `interactive_executor.go`
+2. **Customizing Timeouts**: Modify the timeout duration in `handle2FAPrompt`
+3. **UI Customization**: Modify the `Steam2FANotification.svelte` component
+
+### For Users
+
+1. When creating or updating a server, watch for the 2FA notification
+2. Check your Steam Mobile App when prompted
+3. Confirm the login request in the Steam app
+4. Click "I've Confirmed" in the web interface
+5. The server operation will continue automatically
+
+## Monitoring and Debugging
+
+### Backend Logs
+The system logs important events:
+- 2FA prompt detection
+- Request creation and completion
+- Timeout events
+- Error conditions
+
+Search for log entries containing:
+- `2FA prompt detected`
+- `Created 2FA request`
+- `2FA completed successfully`
+- `2FA completion failed`
+
+### Frontend Debugging
+The Steam2FA store provides debugging information:
+- `$steam2fa.error` - Current error state
+- `$steam2fa.isLoading` - Loading state
+- `$steam2fa.lastChecked` - Last polling timestamp
+
+## Performance Considerations
+
+1. **Polling Frequency**: 5-second polling provides good responsiveness without excessive load
+2. **Request Cleanup**: Automatic cleanup prevents memory accumulation
+3. **Efficient UI Updates**: Reactive Svelte stores minimize unnecessary re-renders
+
+## Limitations
+
+1. **Single User Sessions**: Currently designed for single-user scenarios
+2. **Steam Mobile App Required**: Users must have Steam Mobile App installed
+3. **Manual Confirmation**: No automatic 2FA code input support
+
+## Future Enhancements
+
+1. **WebSocket Support**: Real-time communication instead of polling
+2. **Multiple User Support**: Handle multiple simultaneous 2FA requests
+3. **Enhanced Prompt Detection**: More sophisticated Steam output parsing
+4. **Notification System**: Browser notifications for 2FA requests
+
+## Testing
+
+### Manual Testing
+1. Create a new server to trigger SteamCMD
+2. Ensure Steam account has 2FA enabled
+3. Verify modal appears when 2FA is required
+4. Test both "confirm" and "cancel" workflows
+
+### Automated Testing
+The system includes comprehensive error handling but manual testing is recommended for 2FA workflows due to the interactive nature.
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Modal doesn't appear**
+   - Check browser console for errors
+   - Verify API connectivity
+   - Ensure user has proper permissions
+
+2. **SteamCMD hangs**
+   - Check if 2FA request was created (backend logs)
+   - Verify Steam Mobile App connectivity
+   - Check for timeout errors
+
+3. **API errors**
+   - Verify user authentication
+   - Check server permissions
+   - Review backend error logs
+
+### Debug Commands
+
+```bash
+# Check backend logs for 2FA events
+grep -i "2fa" logs/app.log
+
+# Monitor API requests
+tail -f logs/app.log | grep "steam2fa"
+```
+
+## Version History
+
+- **v1.0.0**: Initial implementation with polling-based frontend and REST API
+- Added comprehensive error handling and logging
+- Implemented automatic request cleanup
+- Added responsive UI components
+
+## Contributing
+
+When contributing to the 2FA system:
+
+1. Follow existing error handling patterns
+2. Add comprehensive logging for new features
+3. Update this documentation for any API changes
+4. Test with actual Steam 2FA scenarios
+5. Consider security implications of any changes

local/api/api.go

@@ -31,6 +31,7 @@ func Init(di *dig.Container, app *fiber.App) {
 		StateHistory: serverIdGroup.Group("/state-history"),
 		Membership:   groups.Group("/membership"),
 		System:       groups.Group("/system"),
+		Steam2FA:     groups.Group("/steam2fa"),
 	}
 
 	accessKeyMiddleware := middleware.NewAccessKeyMiddleware()

local/controller/controller.go

@@ -54,4 +54,9 @@ func InitializeControllers(c *dig.Container) {
 	if err != nil {
 		logging.Panic("unable to initialize membership controller")
 	}
+
+	err = c.Invoke(NewSteam2FAController)
+	if err != nil {
+		logging.Panic("unable to initialize steam 2fa controller")
+	}
 }

local/controller/membership.go

@@ -34,6 +34,7 @@ func NewMembershipController(service *service.MembershipService, auth *middlewar
 	}
 
 	routeGroups.Auth.Post("/login", mc.Login)
+	routeGroups.Auth.Post("/open-token", mc.GenerateOpenToken)
 
 	usersGroup := routeGroups.Membership
 	usersGroup.Use(mc.auth.Authenticate)
@@ -82,6 +83,26 @@ func (c *MembershipController) Login(ctx *fiber.Ctx) error {
 	return ctx.JSON(fiber.Map{"token": token})
 }
 
+// GenerateOpenToken generates an open token for a user.
+// @Summary Generate an open token
+// @Description Generate an open token for a user
+// @Tags Authentication
+// @Accept json
+// @Produce json
+// @Success 200 {object} object{token=string} "JWT token"
+// @Failure 400 {object} error_handler.ErrorResponse "Invalid request body"
+// @Failure 401 {object} error_handler.ErrorResponse "Invalid credentials"
+// @Failure 500 {object} error_handler.ErrorResponse "Internal server error"
+// @Router /auth/open-token [post]
+func (c *MembershipController) GenerateOpenToken(ctx *fiber.Ctx) error {
+	token, err := c.service.GenerateOpenToken(ctx.UserContext(), ctx.Locals("userId").(string))
+	if err != nil {
+		return c.errorHandler.HandleAuthError(ctx, err)
+	}
+
+	return ctx.JSON(fiber.Map{"token": token})
+}
+
 // CreateUser creates a new user.
 // @Summary Create a new user
 // @Description Create a new user account with specified role

local/controller/steam_2fa.go

@@ -0,0 +1,139 @@
+package controller
+
+import (
+	"acc-server-manager/local/middleware"
+	"acc-server-manager/local/model"
+	"acc-server-manager/local/utl/common"
+	"acc-server-manager/local/utl/error_handler"
+	"acc-server-manager/local/utl/jwt"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+type Steam2FAController struct {
+	tfaManager   *model.Steam2FAManager
+	errorHandler *error_handler.ControllerErrorHandler
+	jwtHandler   *jwt.OpenJWTHandler
+}
+
+func NewSteam2FAController(tfaManager *model.Steam2FAManager, routeGroups *common.RouteGroups, auth *middleware.AuthMiddleware, jwtHandler *jwt.OpenJWTHandler) *Steam2FAController {
+	controller := &Steam2FAController{
+		tfaManager:   tfaManager,
+		errorHandler: error_handler.NewControllerErrorHandler(),
+		jwtHandler:   jwtHandler,
+	}
+
+	steam2faRoutes := routeGroups.Steam2FA
+	steam2faRoutes.Use(auth.AuthenticateOpen)
+
+	// Define routes
+	steam2faRoutes.Get("/pending", auth.HasPermission(model.ServerView), controller.GetPendingRequests)
+	steam2faRoutes.Get("/:id", auth.HasPermission(model.ServerView), controller.GetRequest)
+	steam2faRoutes.Post("/:id/complete", auth.HasPermission(model.ServerUpdate), controller.CompleteRequest)
+	steam2faRoutes.Post("/:id/cancel", auth.HasPermission(model.ServerUpdate), controller.CancelRequest)
+
+	return controller
+}
+
+// GetPendingRequests gets all pending 2FA requests
+//
+//	@Summary		Get pending 2FA requests
+//	@Description	Get all pending Steam 2FA authentication requests
+//	@Tags			Steam 2FA
+//	@Accept			json
+//	@Produce		json
+//	@Success		200	{array}		model.Steam2FARequest
+//	@Failure		500	{object}	error_handler.ErrorResponse
+//	@Router			/steam2fa/pending [get]
+func (c *Steam2FAController) GetPendingRequests(ctx *fiber.Ctx) error {
+	requests := c.tfaManager.GetPendingRequests()
+	return ctx.JSON(requests)
+}
+
+// GetRequest gets a specific 2FA request by ID
+//
+//	@Summary		Get 2FA request
+//	@Description	Get a specific Steam 2FA authentication request by ID
+//	@Tags			Steam 2FA
+//	@Accept			json
+//	@Produce		json
+//	@Param			id	path		string	true	"2FA Request ID"
+//	@Success		200	{object}	model.Steam2FARequest
+//	@Failure		404	{object}	error_handler.ErrorResponse
+//	@Failure		500	{object}	error_handler.ErrorResponse
+//	@Router			/steam2fa/{id} [get]
+func (c *Steam2FAController) GetRequest(ctx *fiber.Ctx) error {
+	id := ctx.Params("id")
+	if id == "" {
+		return c.errorHandler.HandleError(ctx, fiber.ErrBadRequest, fiber.StatusBadRequest)
+	}
+
+	request, exists := c.tfaManager.GetRequest(id)
+	if !exists {
+		return c.errorHandler.HandleNotFoundError(ctx, "2FA request")
+	}
+
+	return ctx.JSON(request)
+}
+
+// CompleteRequest marks a 2FA request as completed
+//
+//	@Summary		Complete 2FA request
+//	@Description	Mark a Steam 2FA authentication request as completed
+//	@Tags			Steam 2FA
+//	@Accept			json
+//	@Produce		json
+//	@Param			id	path		string	true	"2FA Request ID"
+//	@Success		200	{object}	model.Steam2FARequest
+//	@Failure		400	{object}	error_handler.ErrorResponse
+//	@Failure		404	{object}	error_handler.ErrorResponse
+//	@Failure		500	{object}	error_handler.ErrorResponse
+//	@Router			/steam2fa/{id}/complete [post]
+func (c *Steam2FAController) CompleteRequest(ctx *fiber.Ctx) error {
+	id := ctx.Params("id")
+	if id == "" {
+		return c.errorHandler.HandleError(ctx, fiber.ErrBadRequest, fiber.StatusBadRequest)
+	}
+
+	if err := c.tfaManager.CompleteRequest(id); err != nil {
+		return c.errorHandler.HandleError(ctx, err, fiber.StatusBadRequest)
+	}
+
+	request, exists := c.tfaManager.GetRequest(id)
+	if !exists {
+		return c.errorHandler.HandleNotFoundError(ctx, "2FA request")
+	}
+
+	return ctx.JSON(request)
+}
+
+// CancelRequest cancels a 2FA request
+//
+//	@Summary		Cancel 2FA request
+//	@Description	Cancel a Steam 2FA authentication request
+//	@Tags			Steam 2FA
+//	@Accept			json
+//	@Produce		json
+//	@Param			id	path		string	true	"2FA Request ID"
+//	@Success		200	{object}	model.Steam2FARequest
+//	@Failure		400	{object}	error_handler.ErrorResponse
+//	@Failure		404	{object}	error_handler.ErrorResponse
+//	@Failure		500	{object}	error_handler.ErrorResponse
+//	@Router			/steam2fa/{id}/cancel [post]
+func (c *Steam2FAController) CancelRequest(ctx *fiber.Ctx) error {
+	id := ctx.Params("id")
+	if id == "" {
+		return c.errorHandler.HandleError(ctx, fiber.ErrBadRequest, fiber.StatusBadRequest)
+	}
+
+	if err := c.tfaManager.ErrorRequest(id, "cancelled by user"); err != nil {
+		return c.errorHandler.HandleError(ctx, err, fiber.StatusBadRequest)
+	}
+
+	request, exists := c.tfaManager.GetRequest(id)
+	if !exists {
+		return c.errorHandler.HandleNotFoundError(ctx, "2FA request")
+	}
+
+	return ctx.JSON(request)
+}

local/middleware/auth.go

@@ -30,14 +30,18 @@ type AuthMiddleware struct {
 	membershipService *service.MembershipService
 	cache             *cache.InMemoryCache
 	securityMW        *security.SecurityMiddleware
+	jwtHandler        *jwt.JWTHandler
+	openJWTHandler    *jwt.OpenJWTHandler
 }
 
 // NewAuthMiddleware creates a new AuthMiddleware.
-func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache) *AuthMiddleware {
+func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache, jwtHandler *jwt.JWTHandler, openJWTHandler *jwt.OpenJWTHandler) *AuthMiddleware {
 	auth := &AuthMiddleware{
 		membershipService: ms,
 		cache:             cache,
 		securityMW:        security.NewSecurityMiddleware(),
+		jwtHandler:        jwtHandler,
+		openJWTHandler:    openJWTHandler,
 	}
 
 	// Set up bidirectional relationship for cache invalidation
@@ -46,8 +50,17 @@ func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache
 	return auth
 }
 
+// Authenticate is a middleware for JWT authentication with enhanced security.
+func (m *AuthMiddleware) AuthenticateOpen(ctx *fiber.Ctx) error {
+	return m.AuthenticateWithHandler(m.openJWTHandler.JWTHandler, ctx)
+}
+
 // Authenticate is a middleware for JWT authentication with enhanced security.
 func (m *AuthMiddleware) Authenticate(ctx *fiber.Ctx) error {
+	return m.AuthenticateWithHandler(m.jwtHandler, ctx)
+}
+
+func (m *AuthMiddleware) AuthenticateWithHandler(jwtHandler *jwt.JWTHandler, ctx *fiber.Ctx) error {
 	// Log authentication attempt
 	ip := ctx.IP()
 	userAgent := ctx.Get("User-Agent")
@@ -77,7 +90,7 @@ func (m *AuthMiddleware) Authenticate(ctx *fiber.Ctx) error {
 		})
 	}
 
-	claims, err := jwt.ValidateToken(token)
+	claims, err := jwtHandler.ValidateToken(token)
 	if err != nil {
 		logging.Error("Authentication failed: invalid token from IP %s, User-Agent: %s, Error: %v", ip, userAgent, err)
 		return ctx.Status(fiber.StatusUnauthorized).JSON(fiber.Map{

local/middleware/security/security.go

@@ -1,6 +1,7 @@
 package security
 
 import (
+	"acc-server-manager/local/utl/graceful"
 	"context"
 	"fmt"
 	"strings"
@@ -22,22 +23,28 @@ func NewRateLimiter() *RateLimiter {
 		requests: make(map[string][]time.Time),
 	}
 
-	// Clean up old entries every 5 minutes
-	go rl.cleanup()
+	// Use graceful shutdown for cleanup goroutine
+	shutdownManager := graceful.GetManager()
+	shutdownManager.RunGoroutine(func(ctx context.Context) {
+		rl.cleanupWithContext(ctx)
+	})
 
 	return rl
 }
 
 // cleanup removes old entries from the rate limiter
-func (rl *RateLimiter) cleanup() {
+func (rl *RateLimiter) cleanupWithContext(ctx context.Context) {
 	ticker := time.NewTicker(5 * time.Minute)
 	defer ticker.Stop()
 
-	for range ticker.C {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
 			rl.mutex.Lock()
 			now := time.Now()
 			for key, times := range rl.requests {
-			// Remove entries older than 1 hour
 				filtered := make([]time.Time, 0, len(times))
 				for _, t := range times {
 					if now.Sub(t) < time.Hour {
@@ -52,6 +59,7 @@ func (rl *RateLimiter) cleanup() {
 			}
 			rl.mutex.Unlock()
 		}
+	}
 }
 
 // SecurityMiddleware provides comprehensive security middleware
@@ -189,13 +197,13 @@ func (sm *SecurityMiddleware) InputSanitization() fiber.Handler {
 
 // sanitizeInput removes potentially dangerous patterns from input
 func sanitizeInput(input string) string {
-	// Remove common XSS patterns
 	dangerous := []string{
 		"<script",
 		"</script>",
 		"javascript:",
 		"vbscript:",
 		"data:text/html",
+		"data:application",
 		"onload=",
 		"onerror=",
 		"onclick=",
@@ -204,25 +212,46 @@ func sanitizeInput(input string) string {
 		"onblur=",
 		"onchange=",
 		"onsubmit=",
+		"onkeydown=",
+		"onkeyup=",
 		"<iframe",
 		"<object",
 		"<embed",
 		"<link",
 		"<meta",
 		"<style",
+		"<form",
+		"<input",
+		"<button",
+		"<svg",
+		"<math",
+		"expression(",
+		"@import",
+		"url(",
+		"\\x",
+		"\\u",
+		"&#x",
+		"&#",
 	}
 
-	result := strings.ToLower(input)
+	result := input
+	lowerInput := strings.ToLower(input)
+	
 	for _, pattern := range dangerous {
-		result = strings.ReplaceAll(result, pattern, "")
+		if strings.Contains(lowerInput, pattern) {
+			return ""
+		}
 	}
 
-	// If the sanitized version is very different, it might be malicious
-	if len(result) < len(input)/2 {
+	if strings.Contains(result, "\x00") {
 		return ""
 	}
 
-	return input
+	if len(strings.TrimSpace(result)) == 0 && len(input) > 0 {
+		return ""
+	}
+
+	return result
 }
 
 // ValidateContentType ensures only expected content types are accepted
@@ -349,3 +378,24 @@ func (sm *SecurityMiddleware) TimeoutMiddleware(timeout time.Duration) fiber.Han
 		return c.Next()
 	}
 }
+
+func (sm *SecurityMiddleware) RequestContextTimeout(timeout time.Duration) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		ctx, cancel := context.WithTimeout(c.UserContext(), timeout)
+		defer cancel()
+
+		done := make(chan error, 1)
+		go func() {
+			done <- c.Next()
+		}()
+
+		select {
+		case err := <-done:
+			return err
+		case <-ctx.Done():
+			return c.Status(fiber.StatusRequestTimeout).JSON(fiber.Map{
+				"error": "Request timeout",
+			})
+		}
+	}
+}

local/model/steam_2fa.go

@@ -0,0 +1,168 @@
+package model
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type Steam2FAStatus string
+
+const (
+	Steam2FAStatusIdle     Steam2FAStatus = "idle"
+	Steam2FAStatusPending  Steam2FAStatus = "pending"
+	Steam2FAStatusComplete Steam2FAStatus = "complete"
+	Steam2FAStatusError    Steam2FAStatus = "error"
+)
+
+type Steam2FARequest struct {
+	ID          string         `json:"id"`
+	Status      Steam2FAStatus `json:"status"`
+	Message     string         `json:"message"`
+	RequestTime time.Time      `json:"requestTime"`
+	CompletedAt *time.Time     `json:"completedAt,omitempty"`
+	ErrorMsg    string         `json:"errorMsg,omitempty"`
+	ServerID    *uuid.UUID     `json:"serverId,omitempty"`
+}
+
+// Steam2FAManager manages 2FA requests and responses
+type Steam2FAManager struct {
+	mu       sync.RWMutex
+	requests map[string]*Steam2FARequest
+	channels map[string]chan bool
+}
+
+func NewSteam2FAManager() *Steam2FAManager {
+	return &Steam2FAManager{
+		requests: make(map[string]*Steam2FARequest),
+		channels: make(map[string]chan bool),
+	}
+}
+
+func (m *Steam2FAManager) CreateRequest(message string, serverID *uuid.UUID) *Steam2FARequest {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	id := uuid.New().String()
+	request := &Steam2FARequest{
+		ID:          id,
+		Status:      Steam2FAStatusPending,
+		Message:     message,
+		RequestTime: time.Now(),
+		ServerID:    serverID,
+	}
+
+	m.requests[id] = request
+	m.channels[id] = make(chan bool, 1)
+
+	return request
+}
+
+func (m *Steam2FAManager) GetRequest(id string) (*Steam2FARequest, bool) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	req, exists := m.requests[id]
+	return req, exists
+}
+
+func (m *Steam2FAManager) GetPendingRequests() []*Steam2FARequest {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	var pending []*Steam2FARequest
+	for _, req := range m.requests {
+		if req.Status == Steam2FAStatusPending {
+			pending = append(pending, req)
+		}
+	}
+	return pending
+}
+
+func (m *Steam2FAManager) CompleteRequest(id string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	req, exists := m.requests[id]
+	if !exists {
+		return fmt.Errorf("request %s not found", id)
+	}
+
+	if req.Status != Steam2FAStatusPending {
+		return fmt.Errorf("request %s is not pending", id)
+	}
+
+	now := time.Now()
+	req.Status = Steam2FAStatusComplete
+	req.CompletedAt = &now
+
+	// Signal the waiting goroutine
+	if ch, exists := m.channels[id]; exists {
+		select {
+		case ch <- true:
+		default:
+		}
+	}
+
+	return nil
+}
+
+func (m *Steam2FAManager) ErrorRequest(id string, errorMsg string) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	req, exists := m.requests[id]
+	if !exists {
+		return fmt.Errorf("request %s not found", id)
+	}
+
+	req.Status = Steam2FAStatusError
+	req.ErrorMsg = errorMsg
+
+	// Signal the waiting goroutine with error
+	if ch, exists := m.channels[id]; exists {
+		select {
+		case ch <- false:
+		default:
+		}
+	}
+
+	return nil
+}
+
+func (m *Steam2FAManager) WaitForCompletion(id string, timeout time.Duration) (bool, error) {
+	m.mu.RLock()
+	ch, exists := m.channels[id]
+	m.mu.RUnlock()
+
+	if !exists {
+		return false, fmt.Errorf("request %s not found", id)
+	}
+
+	select {
+	case success := <-ch:
+		return success, nil
+	case <-time.After(timeout):
+		// Timeout - mark as error
+		m.ErrorRequest(id, "timeout waiting for 2FA confirmation")
+		return false, fmt.Errorf("timeout waiting for 2FA confirmation")
+	}
+}
+
+func (m *Steam2FAManager) CleanupOldRequests(maxAge time.Duration) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	cutoff := time.Now().Add(-maxAge)
+	for id, req := range m.requests {
+		if req.RequestTime.Before(cutoff) {
+			delete(m.requests, id)
+			if ch, exists := m.channels[id]; exists {
+				close(ch)
+				delete(m.channels, id)
+			}
+		}
+	}
+}

local/repository/repository.go

@@ -1,6 +1,12 @@
 package repository
 
 import (
+	"acc-server-manager/local/model"
+	"acc-server-manager/local/utl/graceful"
+	"acc-server-manager/local/utl/logging"
+	"context"
+	"time"
+
 	"go.uber.org/dig"
 )
 
@@ -17,4 +23,29 @@ func InitializeRepositories(c *dig.Container) {
 	c.Provide(NewLookupRepository)
 	c.Provide(NewSteamCredentialsRepository)
 	c.Provide(NewMembershipRepository)
+
+	// Provide the Steam2FAManager as a singleton
+	if err := c.Provide(func() *model.Steam2FAManager {
+		manager := model.NewSteam2FAManager()
+		
+		// Use graceful shutdown manager for cleanup goroutine
+		shutdownManager := graceful.GetManager()
+		shutdownManager.RunGoroutine(func(ctx context.Context) {
+			ticker := time.NewTicker(15 * time.Minute)
+			defer ticker.Stop()
+			
+			for {
+				select {
+				case <-ctx.Done():
+					return
+				case <-ticker.C:
+					manager.CleanupOldRequests(30 * time.Minute)
+				}
+			}
+		})
+		
+		return manager
+	}); err != nil {
+		logging.Panic("unable to initialize steam 2fa manager")
+	}
 }

local/service/membership.go

@@ -22,13 +22,17 @@ type CacheInvalidator interface {
 type MembershipService struct {
 	repo             *repository.MembershipRepository
 	cacheInvalidator CacheInvalidator
+	jwtHandler       *jwt.JWTHandler
+	openJwtHandler   *jwt.OpenJWTHandler
 }
 
 // NewMembershipService creates a new MembershipService.
-func NewMembershipService(repo *repository.MembershipRepository) *MembershipService {
+func NewMembershipService(repo *repository.MembershipRepository, jwtHandler *jwt.JWTHandler, openJwtHandler *jwt.OpenJWTHandler) *MembershipService {
 	return &MembershipService{
 		repo:             repo,
 		cacheInvalidator: nil, // Will be set later via SetCacheInvalidator
+		jwtHandler:       jwtHandler,
+		openJwtHandler:   openJwtHandler,
 	}
 }
 
@@ -38,18 +42,37 @@ func (s *MembershipService) SetCacheInvalidator(invalidator CacheInvalidator) {
 }
 
 // Login authenticates a user and returns a JWT.
-func (s *MembershipService) Login(ctx context.Context, username, password string) (string, error) {
+func (s *MembershipService) HandleLogin(ctx context.Context, username, password string) (*model.User, error) {
 	user, err := s.repo.FindUserByUsername(ctx, username)
 	if err != nil {
-		return "", errors.New("invalid credentials")
+		return nil, errors.New("invalid credentials")
 	}
 
 	// Use secure password verification with constant-time comparison
 	if err := user.VerifyPassword(password); err != nil {
-		return "", errors.New("invalid credentials")
+		return nil, errors.New("invalid credentials")
 	}
 
-	return jwt.GenerateToken(user)
+	return user, nil
+}
+
+// Login authenticates a user and returns a JWT.
+func (s *MembershipService) Login(ctx context.Context, username, password string) (string, error) {
+	user, err := s.HandleLogin(ctx, username, password)
+	if err != nil {
+		return "", err
+	}
+
+	return s.jwtHandler.GenerateToken(user)
+}
+
+func (s *MembershipService) GenerateOpenToken(ctx context.Context, userId string) (string, error) {
+	user, err := s.repo.GetByID(ctx, userId)
+	if err != nil {
+		return "", err
+	}
+
+	return s.openJwtHandler.GenerateToken(user)
 }
 
 // CreateUser creates a new user.

local/service/server.go

@@ -337,7 +337,7 @@ func (s *ServerService) CreateServer(ctx *fiber.Ctx, server *model.Server) error
 	}
 
 	// Install server using SteamCMD
-	if err := s.steamService.InstallServer(ctx.UserContext(), server.GetServerPath()); err != nil {
+	if err := s.steamService.InstallServer(ctx.UserContext(), server.GetServerPath(), &server.ID); err != nil {
 		return fmt.Errorf("failed to install server: %v", err)
 	}
 
@@ -450,7 +450,7 @@ func (s *ServerService) UpdateServer(ctx *fiber.Ctx, server *model.Server) error
 
 	// Update server files if path changed
 	if existingServer.Path != server.Path {
-		if err := s.steamService.InstallServer(ctx.UserContext(), server.Path); err != nil {
+		if err := s.steamService.InstallServer(ctx.UserContext(), server.Path, &server.ID); err != nil {
 			return fmt.Errorf("failed to install server to new location: %v", err)
 		}
 		// Clean up old installation

local/service/service.go

@@ -18,12 +18,12 @@ func InitializeServices(c *dig.Container) {
 
 	logging.Debug("Registering services")
 	// Provide services
+	c.Provide(NewSteamService)
 	c.Provide(NewServerService)
 	c.Provide(NewStateHistoryService)
 	c.Provide(NewServiceControlService)
 	c.Provide(NewConfigService)
 	c.Provide(NewLookupService)
-	c.Provide(NewSteamService)
 	c.Provide(NewWindowsService)
 	c.Provide(NewFirewallService)
 	c.Provide(NewMembershipService)

local/service/steam_service.go

@@ -6,10 +6,14 @@ import (
 	"acc-server-manager/local/utl/command"
 	"acc-server-manager/local/utl/env"
 	"acc-server-manager/local/utl/logging"
+	"acc-server-manager/local/utl/security"
 	"context"
 	"fmt"
 	"os"
 	"path/filepath"
+	"time"
+
+	"github.com/google/uuid"
 )
 
 const (
@@ -18,16 +22,26 @@ const (
 
 type SteamService struct {
 	executor            *command.CommandExecutor
+	interactiveExecutor *command.InteractiveCommandExecutor
 	repository          *repository.SteamCredentialsRepository
+	tfaManager          *model.Steam2FAManager
+	pathValidator       *security.PathValidator
+	downloadVerifier    *security.DownloadVerifier
 }
 
-func NewSteamService(repository *repository.SteamCredentialsRepository) *SteamService {
-	return &SteamService{
-		executor: &command.CommandExecutor{
+func NewSteamService(repository *repository.SteamCredentialsRepository, tfaManager *model.Steam2FAManager) *SteamService {
+	baseExecutor := &command.CommandExecutor{
 		ExePath:   "powershell",
 		LogOutput: true,
-		},
+	}
+
+	return &SteamService{
+		executor:            baseExecutor,
+		interactiveExecutor: command.NewInteractiveCommandExecutor(baseExecutor, tfaManager),
 		repository:          repository,
+		tfaManager:          tfaManager,
+		pathValidator:       security.NewPathValidator(),
+		downloadVerifier:    security.NewDownloadVerifier(),
 	}
 }
 
@@ -42,7 +56,7 @@ func (s *SteamService) SaveCredentials(ctx context.Context, creds *model.SteamCr
 	return s.repository.Save(ctx, creds)
 }
 
-func (s *SteamService) ensureSteamCMD(ctx context.Context) error {
+func (s *SteamService) ensureSteamCMD(_ context.Context) error {
 	// Get SteamCMD path from environment variable
 	steamCMDPath := env.GetSteamCMDPath()
 	steamCMDDir := filepath.Dir(steamCMDPath)
@@ -57,10 +71,13 @@ func (s *SteamService) ensureSteamCMD(ctx context.Context) error {
 		return fmt.Errorf("failed to create SteamCMD directory: %v", err)
 	}
 
-	// Download and install SteamCMD
+	// Download and install SteamCMD securely
 	logging.Info("Downloading SteamCMD...")
-	if err := s.executor.Execute("-Command",
-		"Invoke-WebRequest -Uri 'https://steamcdn-a.akamaihd.net/client/installer/steamcmd.zip' -OutFile 'steamcmd.zip'"); err != nil {
+	steamCMDZip := filepath.Join(steamCMDDir, "steamcmd.zip")
+	if err := s.downloadVerifier.VerifyAndDownload(
+		"https://steamcdn-a.akamaihd.net/client/installer/steamcmd.zip",
+		steamCMDZip,
+		""); err != nil {
 		return fmt.Errorf("failed to download SteamCMD: %v", err)
 	}
 
@@ -76,11 +93,16 @@ func (s *SteamService) ensureSteamCMD(ctx context.Context) error {
 	return nil
 }
 
-func (s *SteamService) InstallServer(ctx context.Context, installPath string) error {
+func (s *SteamService) InstallServer(ctx context.Context, installPath string, serverID *uuid.UUID) error {
 	if err := s.ensureSteamCMD(ctx); err != nil {
 		return err
 	}
 
+	// Validate installation path for security
+	if err := s.pathValidator.ValidateInstallPath(installPath); err != nil {
+		return fmt.Errorf("invalid installation path: %v", err)
+	}
+
 	// Convert to absolute path and ensure proper Windows path format
 	absPath, err := filepath.Abs(installPath)
 	if err != nil {
@@ -126,17 +148,15 @@ func (s *SteamService) InstallServer(ctx context.Context, installPath string) er
 		"+quit",
 	)
 
-	// Run SteamCMD
+	// Use interactive executor to handle potential 2FA prompts
 	logging.Info("Installing ACC server to %s...", absPath)
-	if err := s.executor.Execute(args...); err != nil {
+	if err := s.interactiveExecutor.ExecuteInteractive(ctx, serverID, args...); err != nil {
 		return fmt.Errorf("failed to run SteamCMD: %v", err)
 	}
 
 	// Add a delay to allow Steam to properly cleanup
 	logging.Info("Waiting for Steam operations to complete...")
-	if err := s.executor.Execute("-Command", "Start-Sleep -Seconds 5"); err != nil {
-		logging.Warn("Failed to wait after Steam operations: %v", err)
-	}
+	time.Sleep(5 * time.Second)
 
 	// Verify installation
 	exePath := filepath.Join(absPath, "server", "accServer.exe")
@@ -148,8 +168,8 @@ func (s *SteamService) InstallServer(ctx context.Context, installPath string) er
 	return nil
 }
 
-func (s *SteamService) UpdateServer(ctx context.Context, installPath string) error {
-	return s.InstallServer(ctx, installPath) // Same process as install
+func (s *SteamService) UpdateServer(ctx context.Context, installPath string, serverID *uuid.UUID) error {
+	return s.InstallServer(ctx, installPath, serverID) // Same process as install
 }
 
 func (s *SteamService) UninstallServer(installPath string) error {

local/utl/audit/audit.go

@@ -0,0 +1,64 @@
+package audit
+
+import (
+	"acc-server-manager/local/utl/logging"
+	"context"
+	"time"
+)
+
+type AuditAction string
+
+const (
+	ActionLogin          AuditAction = "LOGIN"
+	ActionLogout         AuditAction = "LOGOUT"
+	ActionServerCreate   AuditAction = "SERVER_CREATE"
+	ActionServerUpdate   AuditAction = "SERVER_UPDATE"
+	ActionServerDelete   AuditAction = "SERVER_DELETE"
+	ActionServerStart    AuditAction = "SERVER_START"
+	ActionServerStop     AuditAction = "SERVER_STOP"
+	ActionUserCreate     AuditAction = "USER_CREATE"
+	ActionUserUpdate     AuditAction = "USER_UPDATE"
+	ActionUserDelete     AuditAction = "USER_DELETE"
+	ActionConfigUpdate   AuditAction = "CONFIG_UPDATE"
+	ActionSteamAuth      AuditAction = "STEAM_AUTH"
+	ActionPermissionGrant AuditAction = "PERMISSION_GRANT"
+	ActionPermissionRevoke AuditAction = "PERMISSION_REVOKE"
+)
+
+type AuditEntry struct {
+	Timestamp time.Time   `json:"timestamp"`
+	UserID    string      `json:"user_id"`
+	Username  string      `json:"username"`
+	Action    AuditAction `json:"action"`
+	Resource  string      `json:"resource"`
+	Details   string      `json:"details"`
+	IPAddress string      `json:"ip_address"`
+	UserAgent string      `json:"user_agent"`
+	Success   bool        `json:"success"`
+}
+
+func LogAction(ctx context.Context, userID, username string, action AuditAction, resource, details, ipAddress, userAgent string, success bool) {
+	logging.InfoWithContext("AUDIT", "User %s (%s) performed %s on %s from %s - Success: %t - Details: %s",
+		username, userID, action, resource, ipAddress, success, details)
+}
+
+func LogAuthAction(ctx context.Context, username, ipAddress, userAgent string, success bool, details string) {
+	action := ActionLogin
+	if !success {
+		details = "Failed: " + details
+	}
+	
+	LogAction(ctx, "", username, action, "authentication", details, ipAddress, userAgent, success)
+}
+
+func LogServerAction(ctx context.Context, userID, username string, action AuditAction, serverID, ipAddress, userAgent string, success bool, details string) {
+	LogAction(ctx, userID, username, action, "server:"+serverID, details, ipAddress, userAgent, success)
+}
+
+func LogUserManagementAction(ctx context.Context, adminUserID, adminUsername string, action AuditAction, targetUserID, ipAddress, userAgent string, success bool, details string) {
+	LogAction(ctx, adminUserID, adminUsername, action, "user:"+targetUserID, details, ipAddress, userAgent, success)
+}
+
+func LogConfigAction(ctx context.Context, userID, username string, configType, ipAddress, userAgent string, success bool, details string) {
+	LogAction(ctx, userID, username, ActionConfigUpdate, "config:"+configType, details, ipAddress, userAgent, success)
+}

local/utl/command/interactive_executor.go

@@ -0,0 +1,179 @@
+package command
+
+import (
+	"acc-server-manager/local/model"
+	"acc-server-manager/local/utl/logging"
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// InteractiveCommandExecutor extends CommandExecutor to handle interactive commands
+type InteractiveCommandExecutor struct {
+	*CommandExecutor
+	tfaManager *model.Steam2FAManager
+}
+
+func NewInteractiveCommandExecutor(baseExecutor *CommandExecutor, tfaManager *model.Steam2FAManager) *InteractiveCommandExecutor {
+	return &InteractiveCommandExecutor{
+		CommandExecutor: baseExecutor,
+		tfaManager:      tfaManager,
+	}
+}
+
+// ExecuteInteractive runs a command that may require 2FA input
+func (e *InteractiveCommandExecutor) ExecuteInteractive(ctx context.Context, serverID *uuid.UUID, args ...string) error {
+	cmd := exec.CommandContext(ctx, e.ExePath, args...)
+
+	if e.WorkDir != "" {
+		cmd.Dir = e.WorkDir
+	}
+
+	// Create pipes for stdin, stdout, and stderr
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return fmt.Errorf("failed to create stdin pipe: %v", err)
+	}
+	defer stdin.Close()
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return fmt.Errorf("failed to create stdout pipe: %v", err)
+	}
+	defer stdout.Close()
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return fmt.Errorf("failed to create stderr pipe: %v", err)
+	}
+	defer stderr.Close()
+
+	logging.Info("Executing interactive command: %s %s", e.ExePath, strings.Join(args, " "))
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("failed to start command: %v", err)
+	}
+
+	// Create channels for output monitoring
+	outputDone := make(chan error)
+
+	// Monitor stdout and stderr for 2FA prompts
+	go e.monitorOutput(ctx, stdout, stderr, serverID, outputDone)
+
+	// Wait for either the command to finish or output monitoring to complete
+	cmdErr := cmd.Wait()
+	outputErr := <-outputDone
+
+	if outputErr != nil {
+		logging.Warn("Output monitoring error: %v", outputErr)
+	}
+
+	return cmdErr
+}
+
+func (e *InteractiveCommandExecutor) monitorOutput(ctx context.Context, stdout, stderr io.Reader, serverID *uuid.UUID, done chan error) {
+	defer close(done)
+
+	// Create scanners for both outputs
+	stdoutScanner := bufio.NewScanner(stdout)
+	stderrScanner := bufio.NewScanner(stderr)
+
+	outputChan := make(chan string)
+
+	// Read from stdout
+	go func() {
+		for stdoutScanner.Scan() {
+			line := stdoutScanner.Text()
+			if e.LogOutput {
+				logging.Info("STDOUT: %s", line)
+			}
+			outputChan <- line
+		}
+	}()
+
+	// Read from stderr
+	go func() {
+		for stderrScanner.Scan() {
+			line := stderrScanner.Text()
+			if e.LogOutput {
+				logging.Info("STDERR: %s", line)
+			}
+			outputChan <- line
+		}
+	}()
+
+	// Monitor for 2FA prompts
+	for {
+		select {
+		case <-ctx.Done():
+			done <- ctx.Err()
+			return
+		case line, ok := <-outputChan:
+			if !ok {
+				done <- nil
+				return
+			}
+
+			// Check if this line indicates a 2FA prompt
+			if e.is2FAPrompt(line) {
+				if err := e.handle2FAPrompt(ctx, line, serverID); err != nil {
+					logging.Error("Failed to handle 2FA prompt: %v", err)
+					done <- err
+					return
+				}
+			}
+		}
+	}
+}
+
+func (e *InteractiveCommandExecutor) is2FAPrompt(line string) bool {
+	// Common SteamCMD 2FA prompts
+	twoFAKeywords := []string{
+		"please enter your steam guard code",
+		"steam guard",
+		"two-factor",
+		"authentication code",
+		"please check your steam mobile app",
+		"confirm in application",
+	}
+
+	lowerLine := strings.ToLower(line)
+	for _, keyword := range twoFAKeywords {
+		if strings.Contains(lowerLine, keyword) {
+			return true
+		}
+	}
+	return false
+}
+
+func (e *InteractiveCommandExecutor) handle2FAPrompt(_ context.Context, promptLine string, serverID *uuid.UUID) error {
+	logging.Info("2FA prompt detected: %s", promptLine)
+
+	// Create a 2FA request
+	request := e.tfaManager.CreateRequest(promptLine, serverID)
+	logging.Info("Created 2FA request with ID: %s", request.ID)
+
+	// Wait for user to complete the 2FA process
+	// Use a reasonable timeout (e.g., 5 minutes)
+	timeout := 5 * time.Minute
+	success, err := e.tfaManager.WaitForCompletion(request.ID, timeout)
+
+	if err != nil {
+		logging.Error("2FA completion failed: %v", err)
+		return err
+	}
+
+	if !success {
+		logging.Error("2FA was not completed successfully")
+		return fmt.Errorf("2FA authentication failed")
+	}
+
+	logging.Info("2FA completed successfully")
+	return nil
+}

local/utl/common/common.go

@@ -25,6 +25,7 @@ type RouteGroups struct {
 	StateHistory fiber.Router
 	Membership   fiber.Router
 	System       fiber.Router
+	Steam2FA     fiber.Router
 }
 
 func CheckError(err error) {

local/utl/configs/configs.go

@@ -8,7 +8,7 @@ import (
 )
 
 var (
-	Version       = "0.10.3"
+	Version       = "0.10.5"
 	Prefix        = "v1"
 	Secret        string
 	SecretCode    string

local/utl/errors/safe_error.go

@@ -0,0 +1,67 @@
+package errors
+
+import (
+	"acc-server-manager/local/utl/logging"
+	"fmt"
+	"os"
+)
+
+type SafeError struct {
+	Message string
+	Code    int
+	Fatal   bool
+}
+
+func (e *SafeError) Error() string {
+	return e.Message
+}
+
+func NewSafeError(message string, code int) *SafeError {
+	return &SafeError{
+		Message: message,
+		Code:    code,
+		Fatal:   false,
+	}
+}
+
+func NewFatalError(message string, code int) *SafeError {
+	return &SafeError{
+		Message: message,
+		Code:    code,
+		Fatal:   true,
+	}
+}
+
+func HandleError(err error, context string) {
+	if err == nil {
+		return
+	}
+
+	if safeErr, ok := err.(*SafeError); ok {
+		if safeErr.Fatal {
+			logging.Error("Fatal error in %s: %s", context, safeErr.Message)
+			if os.Getenv("ENVIRONMENT") == "production" {
+				logging.Error("Application shutting down due to fatal error")
+				os.Exit(safeErr.Code)
+			} else {
+				logging.Warn("Fatal error occurred but not exiting in non-production environment")
+			}
+		} else {
+			logging.Error("Error in %s: %s", context, safeErr.Message)
+		}
+	} else {
+		logging.Error("Unexpected error in %s: %v", context, err)
+	}
+}
+
+func SafeFatal(message string, args ...interface{}) {
+	formattedMessage := fmt.Sprintf(message, args...)
+	err := NewFatalError(formattedMessage, 1)
+	HandleError(err, "application")
+}
+
+func SafeLog(message string, args ...interface{}) {
+	formattedMessage := fmt.Sprintf(message, args...)
+	err := NewSafeError(formattedMessage, 0)
+	HandleError(err, "application")
+}

local/utl/graceful/shutdown.go

@@ -0,0 +1,91 @@
+package graceful
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"sync"
+	"syscall"
+	"time"
+)
+
+type ShutdownManager struct {
+	ctx      context.Context
+	cancel   context.CancelFunc
+	wg       sync.WaitGroup
+	handlers []func() error
+	mutex    sync.Mutex
+}
+
+var globalManager *ShutdownManager
+var once sync.Once
+
+func GetManager() *ShutdownManager {
+	once.Do(func() {
+		ctx, cancel := context.WithCancel(context.Background())
+		globalManager = &ShutdownManager{
+			ctx:      ctx,
+			cancel:   cancel,
+			handlers: make([]func() error, 0),
+		}
+		
+		go globalManager.watchSignals()
+	})
+	return globalManager
+}
+
+func (sm *ShutdownManager) watchSignals() {
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+	
+	<-sigChan
+	sm.Shutdown(30 * time.Second)
+}
+
+func (sm *ShutdownManager) AddHandler(handler func() error) {
+	sm.mutex.Lock()
+	defer sm.mutex.Unlock()
+	sm.handlers = append(sm.handlers, handler)
+}
+
+func (sm *ShutdownManager) Context() context.Context {
+	return sm.ctx
+}
+
+func (sm *ShutdownManager) AddGoroutine() {
+	sm.wg.Add(1)
+}
+
+func (sm *ShutdownManager) GoroutineDone() {
+	sm.wg.Done()
+}
+
+func (sm *ShutdownManager) RunGoroutine(fn func(ctx context.Context)) {
+	sm.wg.Add(1)
+	go func() {
+		defer sm.wg.Done()
+		fn(sm.ctx)
+	}()
+}
+
+func (sm *ShutdownManager) Shutdown(timeout time.Duration) {
+	sm.cancel()
+	
+	done := make(chan struct{})
+	go func() {
+		sm.wg.Wait()
+		
+		sm.mutex.Lock()
+		for _, handler := range sm.handlers {
+			handler()
+		}
+		sm.mutex.Unlock()
+		
+		close(done)
+	}()
+	
+	select {
+	case <-done:
+	case <-time.After(timeout):
+	}
+}

local/utl/jwt/jwt.go

@@ -2,57 +2,73 @@ package jwt
 
 import (
 	"acc-server-manager/local/model"
+	"acc-server-manager/local/utl/errors"
 	"crypto/rand"
 	"encoding/base64"
-	"errors"
-	"log"
-	"os"
+	goerrors "errors"
 	"time"
 
 	"github.com/golang-jwt/jwt/v4"
 )
 
-// SecretKey holds the JWT signing key loaded from environment
-var SecretKey []byte
-
 // Claims represents the JWT claims.
 type Claims struct {
 	UserID string `json:"user_id"`
 	jwt.RegisteredClaims
 }
 
-// init initializes the JWT secret key from environment variable
-func Init() {
-	jwtSecret := os.Getenv("JWT_SECRET")
-	if jwtSecret == "" {
-		log.Fatal("JWT_SECRET environment variable is required and cannot be empty")
+type JWTHandler struct {
+	SecretKey []byte
+}
+
+type OpenJWTHandler struct {
+	*JWTHandler
+}
+
+// NewJWTHandler creates a new JWTHandler instance with the provided secret key.
+func NewOpenJWTHandler(jwtSecret string) *OpenJWTHandler {
+	jwtHandler := NewJWTHandler(jwtSecret)
+	return &OpenJWTHandler{
+		JWTHandler: jwtHandler,
 	}
+}
+
+// NewJWTHandler creates a new JWTHandler instance with the provided secret key.
+func NewJWTHandler(jwtSecret string) *JWTHandler {
+	if jwtSecret == "" {
+		errors.SafeFatal("JWT_SECRET environment variable is required and cannot be empty")
+	}
+
+	var secretKey []byte
 
 	// Decode base64 secret if it looks like base64, otherwise use as-is
 	if decoded, err := base64.StdEncoding.DecodeString(jwtSecret); err == nil && len(decoded) >= 32 {
-		SecretKey = decoded
+		secretKey = decoded
 	} else {
-		SecretKey = []byte(jwtSecret)
+		secretKey = []byte(jwtSecret)
 	}
 
 	// Ensure minimum key length for security
-	if len(SecretKey) < 32 {
-		log.Fatal("JWT_SECRET must be at least 32 bytes long for security")
+	if len(secretKey) < 32 {
+		errors.SafeFatal("JWT_SECRET must be at least 32 bytes long for security")
+	}
+	return &JWTHandler{
+		SecretKey: secretKey,
 	}
 }
 
 // GenerateSecretKey generates a cryptographically secure random key for JWT signing
 // This is a utility function for generating new secrets, not used in normal operation
-func GenerateSecretKey() string {
+func (jh *JWTHandler) GenerateSecretKey() string {
 	key := make([]byte, 64) // 512 bits
 	if _, err := rand.Read(key); err != nil {
-		log.Fatal("Failed to generate random key: ", err)
+		errors.SafeFatal("Failed to generate random key: %v", err)
 	}
 	return base64.StdEncoding.EncodeToString(key)
 }
 
 // GenerateToken generates a new JWT for a given user.
-func GenerateToken(user *model.User) (string, error) {
+func (jh *JWTHandler) GenerateToken(user *model.User) (string, error) {
 	expirationTime := time.Now().Add(24 * time.Hour)
 	claims := &Claims{
 		UserID: user.ID.String(),
@@ -62,10 +78,10 @@ func GenerateToken(user *model.User) (string, error) {
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	return token.SignedString(SecretKey)
+	return token.SignedString(jh.SecretKey)
 }
 
-func GenerateTokenWithExpiry(user *model.User, expiry time.Time) (string, error) {
+func (jh *JWTHandler) GenerateTokenWithExpiry(user *model.User, expiry time.Time) (string, error) {
 	expirationTime := expiry
 	claims := &Claims{
 		UserID: user.ID.String(),
@@ -75,15 +91,15 @@ func GenerateTokenWithExpiry(user *model.User, expiry time.Time) (string, error)
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	return token.SignedString(SecretKey)
+	return token.SignedString(jh.SecretKey)
 }
 
 // ValidateToken validates a JWT and returns the claims if the token is valid.
-func ValidateToken(tokenString string) (*Claims, error) {
+func (jh *JWTHandler) ValidateToken(tokenString string) (*Claims, error) {
 	claims := &Claims{}
 
 	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
-		return SecretKey, nil
+		return jh.SecretKey, nil
 	})
 
 	if err != nil {
@@ -91,7 +107,7 @@ func ValidateToken(tokenString string) (*Claims, error) {
 	}
 
 	if !token.Valid {
-		return nil, errors.New("invalid token")
+		return nil, goerrors.New("invalid token")
 	}
 
 	return claims, nil

local/utl/security/download_verifier.go

@@ -0,0 +1,76 @@
+package security
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"time"
+)
+
+type DownloadVerifier struct {
+	client *http.Client
+}
+
+func NewDownloadVerifier() *DownloadVerifier {
+	return &DownloadVerifier{
+		client: &http.Client{
+			Timeout: 30 * time.Second,
+			Transport: &http.Transport{
+				DisableKeepAlives: true,
+			},
+		},
+	}
+}
+
+func (dv *DownloadVerifier) VerifyAndDownload(url, outputPath, expectedSHA256 string) error {
+	if url == "" {
+		return fmt.Errorf("URL cannot be empty")
+	}
+	if outputPath == "" {
+		return fmt.Errorf("output path cannot be empty")
+	}
+
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %v", err)
+	}
+
+	req.Header.Set("User-Agent", "ACC-Server-Manager/1.0")
+
+	resp, err := dv.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to download: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("download failed with status: %d", resp.StatusCode)
+	}
+
+	file, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("failed to create output file: %v", err)
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	writer := io.MultiWriter(file, hash)
+
+	_, err = io.Copy(writer, resp.Body)
+	if err != nil {
+		os.Remove(outputPath)
+		return fmt.Errorf("failed to write file: %v", err)
+	}
+
+	if expectedSHA256 != "" {
+		actualHash := fmt.Sprintf("%x", hash.Sum(nil))
+		if actualHash != expectedSHA256 {
+			os.Remove(outputPath)
+			return fmt.Errorf("file hash mismatch: expected %s, got %s", expectedSHA256, actualHash)
+		}
+	}
+
+	return nil
+}

local/utl/security/path_validator.go

@@ -0,0 +1,95 @@
+package security
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+type PathValidator struct {
+	allowedBasePaths []string
+	blockedPatterns  []*regexp.Regexp
+}
+
+func NewPathValidator() *PathValidator {
+	blockedPatterns := []*regexp.Regexp{
+		regexp.MustCompile(`\.\.`),
+		regexp.MustCompile(`[<>:"|?*]`),
+		regexp.MustCompile(`^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$`),
+		regexp.MustCompile(`\x00`),
+		regexp.MustCompile(`^\\\\`),
+		regexp.MustCompile(`^[a-zA-Z]:\\Windows`),
+		regexp.MustCompile(`^[a-zA-Z]:\\Program Files`),
+	}
+
+	return &PathValidator{
+		allowedBasePaths: []string{
+			`C:\ACC-Servers`,
+			`D:\ACC-Servers`,
+			`E:\ACC-Servers`,
+			`C:\SteamCMD`,
+			`D:\SteamCMD`,
+			`E:\SteamCMD`,
+		},
+		blockedPatterns: blockedPatterns,
+	}
+}
+
+func (pv *PathValidator) ValidateInstallPath(path string) error {
+	if path == "" {
+		return fmt.Errorf("path cannot be empty")
+	}
+
+	cleanPath := filepath.Clean(path)
+	absPath, err := filepath.Abs(cleanPath)
+	if err != nil {
+		return fmt.Errorf("invalid path: %v", err)
+	}
+
+	for _, pattern := range pv.blockedPatterns {
+		if pattern.MatchString(absPath) || pattern.MatchString(strings.ToUpper(filepath.Base(absPath))) {
+			return fmt.Errorf("path contains forbidden patterns")
+		}
+	}
+
+	allowed := false
+	for _, basePath := range pv.allowedBasePaths {
+		if strings.HasPrefix(strings.ToLower(absPath), strings.ToLower(basePath)) {
+			allowed = true
+			break
+		}
+	}
+
+	if !allowed {
+		return fmt.Errorf("path must be within allowed directories: %v", pv.allowedBasePaths)
+	}
+
+	if len(absPath) > 260 {
+		return fmt.Errorf("path too long (max 260 characters)")
+	}
+
+	parentDir := filepath.Dir(absPath)
+	if parentInfo, err := os.Stat(parentDir); err == nil {
+		if !parentInfo.IsDir() {
+			return fmt.Errorf("parent path is not a directory")
+		}
+	}
+
+	return nil
+}
+
+func (pv *PathValidator) AddAllowedBasePath(path string) error {
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return fmt.Errorf("invalid base path: %v", err)
+	}
+
+	pv.allowedBasePaths = append(pv.allowedBasePaths, absPath)
+	return nil
+}
+
+func (pv *PathValidator) GetAllowedBasePaths() []string {
+	return append([]string(nil), pv.allowedBasePaths...)
+}

local/utl/server/server.go

@@ -30,6 +30,7 @@ func Start(di *dig.Container) *fiber.App {
 	app.Use(securityMW.SecurityHeaders())
 	app.Use(securityMW.LogSecurityEvents())
 	app.Use(securityMW.TimeoutMiddleware(30 * time.Second))
+	app.Use(securityMW.RequestContextTimeout(60 * time.Second))
 	app.Use(securityMW.RequestSizeLimit(10 * 1024 * 1024)) // 10MB
 	app.Use(securityMW.ValidateUserAgent())
 	app.Use(securityMW.ValidateContentType("application/json", "application/x-www-form-urlencoded", "multipart/form-data"))

swagger/docs.go

@@ -218,6 +218,52 @@ const docTemplate = `{
                 }
             }
         },
+        "/auth/open-token": {
+            "post": {
+                "description": "Generate an open token for a user",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Authentication"
+                ],
+                "summary": "Generate an open token",
+                "responses": {
+                    "200": {
+                        "description": "JWT token",
+                        "schema": {
+                            "type": "object",
+                            "properties": {
+                                "token": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Invalid request body",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Invalid credentials",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal server error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/lookup/car-models": {
             "get": {
                 "security": [
@@ -1777,6 +1823,182 @@ const docTemplate = `{
                 }
             }
         },
+        "/steam2fa/pending": {
+            "get": {
+                "description": "Get all pending Steam 2FA authentication requests",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Get pending 2FA requests",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/model.Steam2FARequest"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/steam2fa/{id}": {
+            "get": {
+                "description": "Get a specific Steam 2FA authentication request by ID",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Get 2FA request",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "2FA Request ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.Steam2FARequest"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/steam2fa/{id}/cancel": {
+            "post": {
+                "description": "Cancel a Steam 2FA authentication request",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Cancel 2FA request",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "2FA Request ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.Steam2FARequest"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/steam2fa/{id}/complete": {
+            "post": {
+                "description": "Mark a Steam 2FA authentication request as completed",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Complete 2FA request",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "2FA Request ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.Steam2FARequest"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/system/health": {
             "get": {
                 "description": "Return service control status",
@@ -1934,6 +2156,47 @@ const docTemplate = `{
                 "StatusRunning"
             ]
         },
+        "model.Steam2FARequest": {
+            "type": "object",
+            "properties": {
+                "completedAt": {
+                    "type": "string"
+                },
+                "errorMsg": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "message": {
+                    "type": "string"
+                },
+                "requestTime": {
+                    "type": "string"
+                },
+                "serverId": {
+                    "type": "string"
+                },
+                "status": {
+                    "$ref": "#/definitions/model.Steam2FAStatus"
+                }
+            }
+        },
+        "model.Steam2FAStatus": {
+            "type": "string",
+            "enum": [
+                "idle",
+                "pending",
+                "complete",
+                "error"
+            ],
+            "x-enum-varnames": [
+                "Steam2FAStatusIdle",
+                "Steam2FAStatusPending",
+                "Steam2FAStatusComplete",
+                "Steam2FAStatusError"
+            ]
+        },
         "model.User": {
             "type": "object",
             "properties": {

swagger/swagger.json

@@ -215,6 +215,52 @@
                 }
             }
         },
+        "/auth/open-token": {
+            "post": {
+                "description": "Generate an open token for a user",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Authentication"
+                ],
+                "summary": "Generate an open token",
+                "responses": {
+                    "200": {
+                        "description": "JWT token",
+                        "schema": {
+                            "type": "object",
+                            "properties": {
+                                "token": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Invalid request body",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Invalid credentials",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal server error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/lookup/car-models": {
             "get": {
                 "security": [
@@ -1774,6 +1820,182 @@
                 }
             }
         },
+        "/steam2fa/pending": {
+            "get": {
+                "description": "Get all pending Steam 2FA authentication requests",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Get pending 2FA requests",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/model.Steam2FARequest"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/steam2fa/{id}": {
+            "get": {
+                "description": "Get a specific Steam 2FA authentication request by ID",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Get 2FA request",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "2FA Request ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.Steam2FARequest"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/steam2fa/{id}/cancel": {
+            "post": {
+                "description": "Cancel a Steam 2FA authentication request",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Cancel 2FA request",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "2FA Request ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.Steam2FARequest"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/steam2fa/{id}/complete": {
+            "post": {
+                "description": "Mark a Steam 2FA authentication request as completed",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Steam 2FA"
+                ],
+                "summary": "Complete 2FA request",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "2FA Request ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/model.Steam2FARequest"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/error_handler.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/system/health": {
             "get": {
                 "description": "Return service control status",
@@ -1931,6 +2153,47 @@
                 "StatusRunning"
             ]
         },
+        "model.Steam2FARequest": {
+            "type": "object",
+            "properties": {
+                "completedAt": {
+                    "type": "string"
+                },
+                "errorMsg": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "message": {
+                    "type": "string"
+                },
+                "requestTime": {
+                    "type": "string"
+                },
+                "serverId": {
+                    "type": "string"
+                },
+                "status": {
+                    "$ref": "#/definitions/model.Steam2FAStatus"
+                }
+            }
+        },
+        "model.Steam2FAStatus": {
+            "type": "string",
+            "enum": [
+                "idle",
+                "pending",
+                "complete",
+                "error"
+            ],
+            "x-enum-varnames": [
+                "Steam2FAStatusIdle",
+                "Steam2FAStatusPending",
+                "Steam2FAStatusComplete",
+                "Steam2FAStatusError"
+            ]
+        },
         "model.User": {
             "type": "object",
             "properties": {

swagger/swagger.yaml

@@ -92,6 +92,35 @@ definitions:
     - StatusRestarting
     - StatusStarting
     - StatusRunning
+  model.Steam2FARequest:
+    properties:
+      completedAt:
+        type: string
+      errorMsg:
+        type: string
+      id:
+        type: string
+      message:
+        type: string
+      requestTime:
+        type: string
+      serverId:
+        type: string
+      status:
+        $ref: '#/definitions/model.Steam2FAStatus'
+    type: object
+  model.Steam2FAStatus:
+    enum:
+    - idle
+    - pending
+    - complete
+    - error
+    type: string
+    x-enum-varnames:
+    - Steam2FAStatusIdle
+    - Steam2FAStatusPending
+    - Steam2FAStatusComplete
+    - Steam2FAStatusError
   model.User:
     properties:
       id:
@@ -247,6 +276,36 @@ paths:
       summary: Get current user details
       tags:
       - Authentication
+  /auth/open-token:
+    post:
+      consumes:
+      - application/json
+      description: Generate an open token for a user
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: JWT token
+          schema:
+            properties:
+              token:
+                type: string
+            type: object
+        "400":
+          description: Invalid request body
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "401":
+          description: Invalid credentials
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "500":
+          description: Internal server error
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+      summary: Generate an open token
+      tags:
+      - Authentication
   /lookup/car-models:
     get:
       consumes:
@@ -1242,6 +1301,122 @@ paths:
       summary: Return StateHistorys
       tags:
       - StateHistory
+  /steam2fa/{id}:
+    get:
+      consumes:
+      - application/json
+      description: Get a specific Steam 2FA authentication request by ID
+      parameters:
+      - description: 2FA Request ID
+        in: path
+        name: id
+        required: true
+        type: string
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/model.Steam2FARequest'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+      summary: Get 2FA request
+      tags:
+      - Steam 2FA
+  /steam2fa/{id}/cancel:
+    post:
+      consumes:
+      - application/json
+      description: Cancel a Steam 2FA authentication request
+      parameters:
+      - description: 2FA Request ID
+        in: path
+        name: id
+        required: true
+        type: string
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/model.Steam2FARequest'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+      summary: Cancel 2FA request
+      tags:
+      - Steam 2FA
+  /steam2fa/{id}/complete:
+    post:
+      consumes:
+      - application/json
+      description: Mark a Steam 2FA authentication request as completed
+      parameters:
+      - description: 2FA Request ID
+        in: path
+        name: id
+        required: true
+        type: string
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/model.Steam2FARequest'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+      summary: Complete 2FA request
+      tags:
+      - Steam 2FA
+  /steam2fa/pending:
+    get:
+      consumes:
+      - application/json
+      description: Get all pending Steam 2FA authentication requests
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              $ref: '#/definitions/model.Steam2FARequest'
+            type: array
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/error_handler.ErrorResponse'
+      summary: Get pending 2FA requests
+      tags:
+      - Steam 2FA
   /system/health:
     get:
       description: Return service control status

tests/auth_helper.go

@@ -4,6 +4,7 @@ import (
 	"acc-server-manager/local/model"
 	"acc-server-manager/local/utl/jwt"
 	"fmt"
+	"os"
 	"time"
 
 	"github.com/google/uuid"
@@ -18,8 +19,16 @@ func GenerateTestToken() (string, error) {
 		RoleID:   uuid.New(),
 	}
 
+	// Use the environment JWT_SECRET for consistency with middleware
+	testSecret := os.Getenv("JWT_SECRET")
+	if testSecret == "" {
+		// Fallback to a test secret if env var is not set
+		testSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(testSecret)
+
 	// Generate JWT token
-	token, err := jwt.GenerateToken(user)
+	token, err := jwtHandler.GenerateToken(user)
 	if err != nil {
 		return "", fmt.Errorf("failed to generate test token: %w", err)
 	}
@@ -39,6 +48,14 @@ func MustGenerateTestToken() string {
 
 // GenerateTestTokenWithExpiry creates a JWT token with a specific expiry time
 func GenerateTestTokenWithExpiry(expiryTime time.Time) (string, error) {
+	// Use the environment JWT_SECRET for consistency with middleware
+	testSecret := os.Getenv("JWT_SECRET")
+	if testSecret == "" {
+		// Fallback to a test secret if env var is not set
+		testSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(testSecret)
+	
 	// Create test user
 	user := &model.User{
 		ID:       uuid.New(),
@@ -47,7 +64,7 @@ func GenerateTestTokenWithExpiry(expiryTime time.Time) (string, error) {
 	}
 
 	// Generate JWT token with custom expiry
-	token, err := jwt.GenerateTokenWithExpiry(user, expiryTime)
+	token, err := jwtHandler.GenerateTokenWithExpiry(user, expiryTime)
 	if err != nil {
 		return "", fmt.Errorf("failed to generate test token with expiry: %w", err)
 	}

tests/test_helper.go

@@ -3,7 +3,6 @@ package tests
 import (
 	"acc-server-manager/local/model"
 	"acc-server-manager/local/utl/configs"
-	"acc-server-manager/local/utl/jwt"
 	"bytes"
 	"context"
 	"errors"
@@ -52,7 +51,6 @@ func SetTestEnv() {
 	os.Setenv("TESTING_ENV", "true") // Used to bypass
 
 	configs.Init()
-	jwt.Init()
 }
 
 // NewTestHelper creates a new test helper with in-memory database

tests/unit/controller/helper.go

@@ -4,7 +4,9 @@ import (
 	"acc-server-manager/local/middleware"
 	"acc-server-manager/local/service"
 	"acc-server-manager/local/utl/cache"
+	"acc-server-manager/local/utl/jwt"
 	"acc-server-manager/tests"
+	"os"
 
 	"github.com/gofiber/fiber/v2"
 )
@@ -15,9 +17,18 @@ type MockMiddleware struct{}
 // GetTestAuthMiddleware returns a mock auth middleware that can be used in place of the real one
 // This works because we're adding real authentication tokens to requests
 func GetTestAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache) *middleware.AuthMiddleware {
+	// Use environment JWT secrets for consistency with token generation
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret) // Use same secret for test consistency
+	
 	// Cast our mock to the real type for testing
 	// This is a type-unsafe cast but works for testing because we're using real JWT tokens
-	return middleware.NewAuthMiddleware(ms, cache)
+	return middleware.NewAuthMiddleware(ms, cache, jwtHandler, openJWTHandler)
 }
 
 // AddAuthToRequest adds a valid authentication token to a test request

tests/unit/controller/state_history_controller_test.go

@@ -7,6 +7,7 @@ import (
 	"acc-server-manager/local/service"
 	"acc-server-manager/local/utl/cache"
 	"acc-server-manager/local/utl/common"
+	"acc-server-manager/local/utl/jwt"
 	"acc-server-manager/tests"
 	"acc-server-manager/tests/testdata"
 	"encoding/json"
@@ -14,6 +15,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 
 	"github.com/gofiber/fiber/v2"
@@ -32,7 +34,13 @@ func TestStateHistoryController_GetAll_Success(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -86,7 +94,13 @@ func TestStateHistoryController_GetAll_WithSessionFilter(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -145,7 +159,13 @@ func TestStateHistoryController_GetAll_EmptyResult(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -185,7 +205,13 @@ func TestStateHistoryController_GetStatistics_Success(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -262,7 +288,13 @@ func TestStateHistoryController_GetStatistics_NoData(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -321,7 +353,13 @@ func TestStateHistoryController_GetStatistics_InvalidQueryParams(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -365,7 +403,13 @@ func TestStateHistoryController_HTTPMethods(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -419,7 +463,13 @@ func TestStateHistoryController_ContentType(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 
@@ -481,7 +531,13 @@ func TestStateHistoryController_ResponseStructure(t *testing.T) {
 	stateHistoryService := service.NewStateHistoryService(repo)
 
 	membershipRepo := repository.NewMembershipRepository(helper.DB)
-	membershipService := service.NewMembershipService(membershipRepo)
+	jwtSecret := os.Getenv("JWT_SECRET")
+	if jwtSecret == "" {
+		jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
+	}
+	jwtHandler := jwt.NewJWTHandler(jwtSecret)
+	openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
+	membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
 
 	inMemCache := cache.NewInMemoryCache()
 

tests/unit/service/auth_simple_test.go

@@ -5,6 +5,7 @@ import (
 	"acc-server-manager/local/utl/jwt"
 	"acc-server-manager/local/utl/password"
 	"acc-server-manager/tests"
+	"os"
 	"testing"
 
 	"github.com/google/uuid"
@@ -15,6 +16,8 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
 	helper := tests.NewTestHelper(t)
 	defer helper.Cleanup()
 
+	jwtHandler := jwt.NewJWTHandler(os.Getenv("JWT_SECRET"))
+
 	// Create test user
 	user := &model.User{
 		ID:       uuid.New(),
@@ -23,7 +26,7 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
 	}
 
 	// Test JWT generation
-	token, err := jwt.GenerateToken(user)
+	token, err := jwtHandler.GenerateToken(user)
 	tests.AssertNoError(t, err)
 	tests.AssertNotNil(t, token)
 
@@ -33,7 +36,7 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
 	}
 
 	// Test JWT validation
-	claims, err := jwt.ValidateToken(token)
+	claims, err := jwtHandler.ValidateToken(token)
 	tests.AssertNoError(t, err)
 	tests.AssertNotNil(t, claims)
 	tests.AssertEqual(t, user.ID.String(), claims.UserID)
@@ -43,9 +46,10 @@ func TestJWT_ValidateToken_InvalidToken(t *testing.T) {
 	// Setup
 	helper := tests.NewTestHelper(t)
 	defer helper.Cleanup()
+	jwtHandler := jwt.NewJWTHandler(os.Getenv("JWT_SECRET"))
 
 	// Test with invalid token
-	claims, err := jwt.ValidateToken("invalid-token")
+	claims, err := jwtHandler.ValidateToken("invalid-token")
 	if err == nil {
 		t.Fatal("Expected error for invalid token, got nil")
 	}
@@ -59,9 +63,10 @@ func TestJWT_ValidateToken_EmptyToken(t *testing.T) {
 	// Setup
 	helper := tests.NewTestHelper(t)
 	defer helper.Cleanup()
+	jwtHandler := jwt.NewJWTHandler(os.Getenv("JWT_SECRET"))
 
 	// Test with empty token
-	claims, err := jwt.ValidateToken("")
+	claims, err := jwtHandler.ValidateToken("")
 	if err == nil {
 		t.Fatal("Expected error for empty token, got nil")
 	}