
Two-Factor Authentication with TOTP Codes

Transcript

00:00 So, to make this button work, we're going to need to go to our profile two-factor index route. Here we are, and there's the 2FA button right there that will submit to this action. So, let's get the user ID, because that's the thing that we're going to be verifying,

00:15 and then we want to generate the TOTP config that we're going to save into the database. We don't need the one-time password that it gives back to us right from the get-go. So, what we're going to do is we're going to call generateTOTP. We're actually good with all the default options, so we'll leave that as it is.

00:32 And we're going to take that one-time password that it gives us. Oh, here, let's bring that in from Epic Web. So, we'll take that one-time password it gives us, and I'm just going to alias it to _otp, just to kind of communicate, no, we're going to ignore this one. That's intentional. But the rest of the stuff we want, the rest of the things that are in that object,

00:52 are the configuration for the one-time password, so that we can verify one-time passwords that are created with that same configuration. Okay, so now we're going to await prisma.verification. Oh, we've got to import that from db.server. There we go.

01:11 verification.upsert. So, we're going to override, in case they already tried to enable it before, and they have an existing one, we're going to override that. So, because we're doing an upsert, we have to have a where clause, and we're going to have the target type. The target will be the user ID.

01:29 And the type, this one, again, it's going to be a little interesting, because it is just like a temporary verification type. So, it's not actually our 2FA type yet. We're going to use a 2FA verification, or verify verification type,

01:47 which is actually defined over here to make that consistent. So, it's just 2FA verify. We're going to import that from there, so we can have that consistency. Okay, so if they already have one, we're going to update it. And so, in the update case, we want to have some verification data.

02:05 So, let's come up here, say verification data, and that's going to be all of our config, but we're also going to add the type, which will be that 2FA verification type. The target will be the user ID. And then, we also want to have an expiresAt.

02:21 Even though with our two-factor authentication code, you actually never want those to expire, this one is the verify of the verification code. So, this one, we only want to have around for about 10 minutes,

02:35 while they're in the process of verifying that they can enter a code for this. And so, we're going to limit that to 10 minutes. If they take longer than 10 minutes, they'll have to create a new one. Okay, so with that then, we're going to update with the verification data, and we'll create with the verification data.

02:55 So, whether we create or update, this is the state we want that to be in. And then, we'll redirect to the verify route. So, if I take a look at my database right here, look at our verifications, we got two of them happening right now.

03:13 If I go enable 2FA, and now I should be able to open that up again, and look at the verifications, and now there are three. So, we've got a 2FA verify in there that will verify our Kody user being able to submit a 2FA code, which we'll get to in the next step.

03:32 So, what we did in this one is we updated our action to get the user ID, and then we generated a time-based one-time password. We got the config that involves the secret, period, digits, and algorithm. We add that to the verification data along with our type, and our target,

03:50 and an expiresAt, or an expiration. We update or insert, so upsert, where the target is the user ID, and the type is the two-factor verify verification type. And in any case, we're going to update that with that verification data,

04:08 and then we send them over to verify, where they're going to verify that they can indeed generate their own one-time passwords to enter into these values. So, there you go. That's the first part of this multi-part exercise.