Checking & Validating JWT Key/Content


Dennis O'Connell

Jan 22, 2024, 1:38:47 AM
to Rodauth
In JSON mode (and JWT) I successfully log in via username and password:

1. When login succeeds I get an Access Token; the "authenticated_by" field is "password" only.
2. I send a request to the /otp-auth endpoint with the Access Token from step 1 in the header field.
3. I get a second Access Token from step 2, but this time the "authenticated_by" field is "password" and "totp" (multiple).
4. Then I save this JWT token in the session myself:

session["test"] = jwt_token

I'm using a Svelte app without the default Rodauth templates, so I'm rebuilding the same login/authentication concept myself.

However, I have no idea how I'm going to validate whether this JWT token is:

1. logged_in?
2. authenticated?

Is there any method in Rodauth like:

# session["test"] is JWT Token stored by Roda app using client's POST Data on login
user = rodauth.login_from_jwt(session["test"])

user.logged_in? -> account_id
user.authenticated? -> false # however it should be true because that JWT is multi factor authenticated.

Basically, I'm trying to log in and authenticate the user via the Svelte app by sending data to the backend server, and if everything is successful I'll store the JWT token (or another?) in a cookie/session so that the next time the user opens the login page it will remember them.

The remember me feature works very well with the standard Roda views/Roda config, but in JSON API mode I need to make my own remember_me. However, I need to check that both logged_in? and authenticated? are OK inside Roda using JWT or a similar approach. (Any advice would be helpful.)

Note: No, I cannot use the standard HTML and views :( Due to our application's nature it has to be separated. The authentication server is fully in API mode.

Note 2: Is checking whether "logged_in? is not nil" and "authenticated_by.length >= 2" a correct approach? Should I check these fields myself, or is there a Rodauth API for this task?

Jeremy Evans

Jan 22, 2024, 10:32:44 AM
to rod...@googlegroups.com
On Sun, Jan 21, 2024 at 10:38 PM Dennis O'Connell <denniso...@gmail.com> wrote:
> Is there any method in Rodauth like:
>
> # session["test"] is JWT Token stored by Roda app using client's POST Data on login
> user = rodauth.login_from_jwt(session["test"])

No.  If you are using the JWT feature, it is expected you will be submitting the JWT in the Authorization HTTP header.  Rodauth uses the JWT data as the session.  You can override this behavior using the jwt_token configuration method.

> user.logged_in? -> account_id
> user.authenticated? -> false # however it should be true because that JWT is multi factor authenticated.

Rodauth itself doesn't have the equivalent of a user object that you are showing.  All methods are called on the rodauth object.

> Note 2: Is checking whether "logged_in? is not nil" and "authenticated_by.length >= 2" a correct approach? Should I check these fields myself, or is there a Rodauth API for this task?

rodauth.two_factor_authenticated? should work.  If the user has set up two factor authentication, then rodauth.authenticated? will also work.

Thanks,
Jeremy
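As an added illustration (not Rodauth's code and not from either poster), a stand-alone Ruby sketch of the model Jeremy describes: the JWT arrives in the Authorization header, its payload is the session, and the two checks asked about are derived from that session only after the signature has been verified. The secret, the sample tokens, and the assumption that the payload holds account_id and authenticated_by keys at top level are this example's own.

```ruby
require 'openssl'
require 'json'
# Constructed secret for this example only; a real app uses Rodauth's jwt_secret.
JWT_SECRET = 'example-secret-not-for-production'.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str) # strict decode ('m0') raises ArgumentError on bad input
  str.tr('-_', '+/').ljust((str.length + 3) & ~3, '=').unpack1('m0')
end

# Issue an HS256 JWT whose payload is the session hash itself. Assumption: this mirrors
# Rodauth's default of keeping the session in the JWT payload (account_id, authenticated_by).
def issue_token(session, secret = JWT_SECRET)
  input = "#{b64url(JSON.generate('alg' => 'HS256'))}.#{b64url(JSON.generate(session))}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

def secure_equal?(a, b) # constant-time byte comparison
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |m, (x, y)| m | (x ^ y) }.zero?
end

# Verify the signature before trusting any claim; returns the session hash or nil.
def session_from_token(token, secret = JWT_SECRET)
  header, payload, sig = token.to_s.split('.', 3)
  return nil unless header && payload && sig
  hdr = JSON.parse(b64url_decode(header))
  return nil unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256' # refuse alg=none and friends
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  return nil unless secure_equal?(expected, b64url_decode(sig))
  session = JSON.parse(b64url_decode(payload))
  session.is_a?(Hash) ? session : nil
rescue JSON::ParserError, ArgumentError
  nil
end

# The two checks the thread asks about, taken from the Authorization header. Assumption:
# logged in means account_id is present, and two-factor authenticated means authenticated_by
# lists at least two methods, matching rodauth.logged_in? and rodauth.two_factor_authenticated?.
def auth_status(authorization_header, secret = JWT_SECRET)
  session = session_from_token(authorization_header.to_s.sub(/\ABearer\s+/i, ''), secret)
  logged_in = !session.nil? && !session['account_id'].nil?
  two_factor = logged_in && Array(session['authenticated_by']).length >= 2
  { logged_in: logged_in, two_factor_authenticated: two_factor }
end

# Constructed sample tokens: password-only (step 1) and password + totp (step 3).
PASSWORD_ONLY = issue_token('account_id' => 42, 'authenticated_by' => ['password'])
TWO_FACTOR = issue_token('account_id' => 42, 'authenticated_by' => %w[password totp])
```

A token whose payload was edited, or one signed with a different secret, yields no session at all rather than a partially trusted one.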