Hi, I have created a user and also set up OTP. When I log out and log back in via the browser (HTML), after I enter my password the system asks me for the TFA code. Good. However, when a JSON API request is made using username and password, I just get logged in :(
Does JSON support TFA auth? If so, why am I not asked for TFA? If not, how can I simply enable or replicate this behavior just like in the HTML views?
Hi Jeremy, now this makes sense. However, the thing that confused me was that there was no message or code that asks me to send a request for TFA. After the user has successfully logged in, how do I know whether TFA is required or not? Is there any API endpoint to check this? Because the response just says "user logged in".
Hi Jeremy,
I'll be (and many users, I'm sure) very happy to have such a feature. Thank you for your quick reply and solution. I tend to rely on the full JSON API instead of implementing my own auth flow. It will be much easier for many users, including me, to check an extra endpoint to see whether extra verification is needed or not. (Perhaps what will be needed can be added to the response, such as TFA/SMS etc., first.)
Hi Jeremy! WOW! Thank you so much. That was faster than I could imagine! I'll test the endpoints on my end using the `master` branch ASAP, and I hope you can release a new version soon for this.
Hi Jeremy, here are the results. After /login as usual:

Endpoint: /multifactor-manage
Response: 401 - You need to authenticate via an additional factor before continuing

Endpoint: /multifactor-auth
Response: 200 - Links: ["/auth/api/v1/otp-auth"]

So the rest is to visit that OTP link and request a code from the client, as expected.

What if the user does not have OTP/SMS?

Endpoint: /multifactor-manage
Response: 200 - /otp-setup link given...

Endpoint: /multifactor-auth
Response: 403 - This account has not been setup for multifactor authentication

Is there any other endpoint I should test?
Hi Jeremy, one more thing. Should we have something like this? Or would this break the standards?

Current response:
{
  "access_token": "ACCESS_TOKEN_HERE",
  "refresh_token": "REFRESH_TOKEN_HERE",
  "success": "You have been logged in"
}

Suggestion:
{
  "access_token": "ACCESS_TOKEN_HERE",
  "refresh_token": "REFRESH_TOKEN_HERE",
  "success": "You have been logged in",
  "mfa": true # <-- here. or false if no multifactor required...
}
>> Auth flow should be easy to handle. After login, submit JSON request to multifactor-auth. If 403 is returned, user is likely already fully authenticated. If 200 is returned, you can use the auth_links to go to the next step in the flow. Will that work for you?

Absolutely. As soon as I get a 403, the job is done. Otherwise I'll do all the necessary steps on the client side. Of course, if you have a better idea than this, I'd like to hear it as well. But so far so good, and more than enough.
>> I don't want to add this, as I don't think it contains enough information to be useful in the general case. The current approach offers more information and better mirrors in the JSON interface what happens in the HTML interface, and Rodauth tries to make the interfaces the same as much as possible. However, you can certainly implement this yourself using after_login.

That is the point, actually. If `mfa` is true, then we have to go to those new endpoints and check the required authentication methods. If `mfa` is false, then no action is required, so no second API request has to be sacrificed (response time will be lower). Much faster :) But of course, you know this better than me, so it is your decision in the end.
As I said, the first one will work for me. The second suggestion is there to save another request being sent to the server: true for another request, false for OK.
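The client-side flow agreed on above (after /login, call /multifactor-auth; 403 means the session is fully authenticated, 200 returns auth_links for the next factor), as an added Ruby sketch that is not part of this thread or of Rodauth itself. The `error` and `auth_links` response keys, the injected transport and the fake backend are assumptions constructed for the example; the status codes and messages are the ones reported in the thread.

```ruby
# Client-side decision logic for the post-login flow discussed above. The HTTP
# transport is injected (a lambda taking path and params, returning [status,
# parsed JSON]) so the example runs offline; a real transport would POST JSON to
# the Rodauth routes and send the access token in the Authorization header.
class MfaFlowClient
  Step = Struct.new(:state, :links, :message)

  def initialize(transport)
    @transport = transport
  end

  def login(login, password)
    status, body = @transport.call('/login', 'login' => login, 'password' => password)
    raise "login failed (#{status}): #{body['error']}" unless status == 200
    @access_token = body['access_token'] # kept for the Authorization header on later requests
    body
  end

  # 403 => no second factor is pending (none set up, or already satisfied), so the
  # session is fully authenticated. 200 => follow auth_links to the next factor.
  def next_step
    status, body = @transport.call('/multifactor-auth', {})
    case status
    when 403 then Step.new(:fully_authenticated, [], body['error'])
    when 200 then Step.new(:second_factor_required, Array(body['auth_links']), nil)
    else Step.new(:error, [], body['error'])
    end
  end
end

# Constructed fake backend standing in for Rodauth's JSON responses (assumption:
# the "error" and "auth_links" keys; the messages are the ones reported above).
def fake_transport(otp_configured)
  lambda do |path, _params|
    case path
    when '/login' then [200, { 'access_token' => 'ACCESS_TOKEN_HERE', 'success' => 'You have been logged in' }]
    when '/multifactor-auth'
      next [200, { 'auth_links' => ['/auth/api/v1/otp-auth'] }] if otp_configured
      [403, { 'error' => 'This account has not been setup for multifactor authentication' }]
    else [404, { 'error' => 'not found' }]
    end
  end
end

def flow_for(otp_configured)
  client = MfaFlowClient.new(fake_transport(otp_configured))
  client.login('user@example.com', 'correct horse battery staple')
  client.next_step
end
```

With OTP configured the client is told to visit /auth/api/v1/otp-auth; without it the 403 ends the flow in a single extra request, which is the cost the `mfa` flag suggestion above was trying to avoid.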