defmodule Berrypod.Repo.Migrations.AddTotpToUsers do
  use Ecto.Migration

  def change do
    alter table(:users) do
      # Encrypted TOTP secret (20 bytes base32-encoded = 32 chars, but encrypted is larger)
      add :totp_secret_encrypted, :binary
      # When 2FA was enabled
      add :totp_enabled_at, :utc_datetime
      # Backup codes (encrypted JSON array of hashed codes)
      add :totp_backup_codes_encrypted, :binary
    end
  end
end