Managing User Verification and Two-Factor Authentication
00:00 For the first part of this, we're going to be in the login route. And at first glance, you might think this is pretty easy. Oh, we just need to add a verified time in the cookie. Well, it's going to be a little bit more complicated than that. So let's take a look at this. We're going to have a verified time key right here for the value in the cookie.
00:18 And really, all that we need is just cookie session.set. And the verified time key is date.now, right? Like, that's all we need. Well, unfortunately, this handle verification is going to happen when I click on this and go over to verification and want to come back.
00:36 But it also is going to happen during login. So we've got kind of some branches that we need to do inside of this handle verification for this. So I'm going to take that. And we're going to follow the instructions here. We'll stick it right there, just like Cody said. And then we need to get the unverified session ID. So let's grab this.
00:55 We'll make this a variable. Unverified session ID. And then we may or may not have that. If we don't, then that's actually a reasonable situation, because we're just re-verifying the existing session. So we're going to say, if there's an unverified session
01:14 ID, then we're going to do all this stuff that we were doing before. So all this previous logic of swapping the unverified session into the regular session cookie. So all that is the same. But now we're going to have an else case, where if that's not what we're doing, we're just re-verifying the session.
01:33 We just need to commit our cookie session so that we're committing it with the verified time that we just set. And we'll talk about the expiration stuff here in a little bit.
01:51 So yeah, we're not making a new session or anything. OK, great. So that takes care of this piece. So it's not like a ton. But yeah, we have to consider this branching logic here. OK, so then for this should request two-factor authentication, we actually want to come right down here.
02:09 And this is just going to be moved up into that utility. So we'll say this right here. And we're going to need to get that session ID. So we're going to need to get the verify session. So const verify session is, oh, wait, verify session storage.
02:27 Get that verify session here. And we're going to grab the unverified session ID. So const unverified session ID is going to come from that. And if there is an unverified session ID, then we are in the process of verifying.
02:43 So we absolutely should request two-factor authentication. So we're going to return true for that case. OK, great. So then we get the two-factor authentication verification and return false if there's not one. So if there's not that, then we'll return false.
03:01 Now, the user ID is not going to come from the session. It's coming from the user ID that we're passing to this utility. And there we go. So if we get this far, then we need to determine what the verified time was and then see if that was over two hours ago.
03:20 Our cookie session's coming from the cookie. And our verified time comes from that cookie session. And yeah, if there's no verified time, then let's return true that they absolutely have to request two-factor authentication.
03:35 Or the way that I implemented this is we're going to say, or zero, and we'll stick a new date around this. There we go. So that basically is going to do the same thing, because if it's not in there, then this will be a date forever ago.
03:53 So let's get two hours. And that's going to be 1,000 times 60 times 60 times 2. And then we'll return if the date.now minus the verified time, get time, is over two hours ago, which is one way to do that copilot. So yeah, that works.
04:10 If it's over two hours ago, then it needs to be re-verified. OK, so that is that utility. And we can come down here and get rid of all this stuff and use that utility instead with the request and the user
04:27 ID from the session user ID. And that is everything that we need for this first half of all this. So now we're going to be keeping track of the user's verification time right here.
04:42 And then we're going to be checking that in this should request to FA, which we'll be able to use throughout the app, because we're exporting it right there. So I guess it would probably be useful to give you a quick review of this. So here we have our handle verification.
05:00 Most of this logic is unchanged. We are now setting a verified time in there. If there is an unverified session ID, then that is the login process. So we'll go proceed in that direction. If not, then we'll just commit the session so that it has the verified time in there updated, and then the rest is unchanged.
05:20 And then should request to FA. If we're in the process of verifying, then yeah, definitely need to request to FA. If there is a verification, the user has two-factor verification. If they don't, then we're going to return false. If they do, then we're going to just check that it's less than
05:38 two hours old and return true if it is over two hours old.