- Optional twoFactorEnabled on _User to track whether or not this is even an option.
- twoFactorSecret for this user (if the above is set); this field could be screened away from querying since it's sensitive.
- Add some routes to UsersRouter.js like enableTwoFactor to get a QRCode/token, disableTwoFactor to remove it and verifyTwoFactor to actually run the check. These could be spread out further or consolidated into one endpoint.
- Upon login, if twoFactorEnabled is true, request that the user proceed to submit their second-factor code; again this could go separately to something like verifyTwoFactor, maybe taking the username and code.
- The session upon login, but pending 2FA, would have to be available to the user but locked to any further action. Instead we could return something to indicate that further authentication is required. There are a number of ways this could be done, but I'm wondering if maybe not returning the user on successful login with 2FA enabled would be the easiest.
- As for blocking requests when pending 2FA, the primary concern is making sure that until the user can authenticate themselves they are not granted access as themselves. Since we have ACLs, this in a nutshell means treating them like they're anonymous and subject to the restrictions of public read/write. If validation succeeds, clear the block and allow the user normal access with their session token.