Adding User Re-Verification for Critical Operations
00:00 So it's all well and good to let users create and delete and do all sorts of stuff to all their data, but sometimes there's a really destructive operation that you want to just like really make sure. Are you sure you want to do this? Or am I sure that you're still the person that you say you are? All of that. And so even though they may have entered
00:17 their two-factor authentication code when they logged in, maybe it's been a while and we want to just double check and make sure that they really are the person that they say they are. For situations where they're changing their email or they're deleting or disabling their two-factor authentication on their application.
00:35 So GitHub does this when you're doing like really destructive operations, many sites will do this. So what your task is for this exercise is actually a part one of the full task to make sure that we can re-verify the user. We need to keep track of when was the last time
00:53 they verified, and then we're also gonna make a utility that says whether we should re-verify the user if it's been too long. This is gonna require a little bit of moving around of different pieces, because as part of this re-verification process,
01:10 we're gonna go through the two-factor auth verification flow, and right now that's just set up to handle when we're moving from an unverified session ID to a verified session ID. Well, this time we're not like, we're just re-verifying the session. We're not actually moving from a session ID in the verified session
01:30 to a session ID in the regular session. And so we need to like alter our handle verification utility in the login, and then also add a utility that will tell us whether or not re-verification is necessary. So there's a bit of moving things around, but I think you can do it. I'm excited for you to try.
01:49 We'll see you when you get through it.