
Redirecting Users to Re-verify for 2FA Disabling


Transcript

00:00 Let's make our utility in the disable route. So that's the route that we get to when we get here. We don't even want people to be able to be here if they haven't re-verified recently. So we're going to require recent re-verification or verification in the loader as well as the action.

00:18 So let's export a function called requireRecentVerification. This is going to take a request and a user ID; the request is a Request, and the user ID is not a number. I don't know why Copilot likes IDs being numbers so much,

00:36 but please, Copilot, somebody retrain Copilot. Those should not be numbers. I can't think of a very good use case for them being numbers. Okay. So now we're going to determine whether or not we should re-verify. So shouldReverify, and that's going to come from shouldRequestTwoFA.

00:56 We're going to pass the request and the user ID to that utility we just built. If we should re-verify, then we want to getRedirectToUrl from our verify route. This is going to help us construct a URL for that route. It's going to need the request, and it's also going to need a target. That's the user ID,

01:15 and the type is the twoFAVerificationType. redirectTo as request.url sort of works, but that includes the whole domain and everything, and that's not safe, because we don't want to allow anybody to put any redirectTo in that URL. So we need this to be just

01:33 the pathname and also probably the search params. So let's get the reqUrl: it is a new URL from request.url, and then we'll say reqUrl.pathname plus the search params. There we go. That will be nice and safe. Then here, this URL,

01:52 let's call this our verifyUrl. There we go. toString, that thing. We don't need to re-authenticate. It's more like, let's say, please re-verify, and then we're not going to re-authenticate. You must re-verify your account before disabling 2FA.

02:10 Yeah, that works. Okay, great. So then we're going to requireRecentVerification. I'm going to await that. We're going to pass the request and userId. That user ID is going to come from here. Then we're going to do the same thing right

02:29 here before they actually perform the action. With that now, if I go back to this 2FA page, let's actually, yeah, let's test this. We're going to go to login and reduce this from two hours to maybe five seconds, because I don't want to wait here for two hours.

02:48 Then if I hit Disable 2FA, it should ask me to re-verify. So let's re-verify. Node OTP, copy this and submit. Now I can make it to this page. Now I'm going to wait for five seconds, and we're going to make sure that when the action happens, it's going to ask me to re-verify again.

03:05 So if somebody stayed on this page for two hours or something like that. Unlikely, but it's just good to double-check. So now if I hit Disable 2FA, and yes, I am sure, it's going to ask me to re-verify again. So now I will re-verify, will submit, and then disable. I am sure, and it's been disabled. Awesome. All right.

03:24 So let's just take a look at this util we built. We have this requireRecentVerification; it takes the request and the user ID. We call our shouldRequestTwoFA utility from the login, which, yeah, we don't want it to be five seconds anymore. We'll put it back to two hours. Then if we should re-verify, then we're going to get the request URL,

03:44 and we're going to getRedirectToUrl, so that we can redirect the user to the verify route. We give that the request, the target, the type, and a redirectTo so that verify can send it back to us. Then we throw a redirect to that verifyUrl.

04:03 With all of that, we are in a pretty good place.
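The utility described in the transcript, written out as an added example; this is not the course's or the Epic Stack's own code. It models a Remix-style loader/action guard: shouldRequestTwoFA, getRedirectToUrl, the two-hour window, the verify route path and the in-memory "last verified" map are all assumptions or constructed stand-ins, and redirect() is a minimal stand-in for Remix's redirect helper. The example also goes one step past the transcript: it adds the consuming side's safeRedirect check, so that a redirectTo read back from the verify route's query string can only ever be a same-origin path.

```javascript
// Added example (not the course's code): a Remix-style requireRecentVerification()
// that sends a user back through 2FA verification before they can load, or
// submit, the "disable 2FA" route. All names and the stand-in storage below
// are assumptions made for this example.

const VERIFICATION_WINDOW_MS = 2 * 60 * 60 * 1000 // two hours, as in the lesson
const TWO_FA_VERIFICATION_TYPE = '2fa' // assumed verification type name

// Constructed stand-in for "when did this session last pass 2FA?".
// A real app reads this from the session; here it is an in-memory map.
const lastVerifiedAt = new Map()
function recordVerification(userId, now = Date.now()) {
  lastVerifiedAt.set(userId, now)
}

// Assumed stand-in for the course's shouldRequestTwoFA(request, userId):
// true when the user has never verified, or verified outside the window.
function shouldRequestTwoFA(request, userId, now = Date.now()) {
  const verified = lastVerifiedAt.get(userId)
  return verified === undefined || now - verified > VERIFICATION_WINDOW_MS
}

// Only the path and query of the current request go into redirectTo.
// Passing request.url as-is would carry the origin and, if that origin can
// be influenced (proxies, Host header), turn verify into an open redirector.
function getRelativeRedirectTo(request) {
  const url = new URL(request.url)
  return url.pathname + url.search
}

// Assumed helper: build the verify route URL with target, type and redirectTo
// as search params, and return it as a path-relative string.
function getRedirectToUrl({ request, target, type, redirectTo }) {
  const verifyUrl = new URL('/verify', request.url)
  verifyUrl.searchParams.set('type', type)
  verifyUrl.searchParams.set('target', target)
  verifyUrl.searchParams.set('redirectTo', redirectTo)
  return verifyUrl.pathname + verifyUrl.search
}

// Stand-in for Remix's redirect() helper: a minimal 302 response object.
function redirect(location) {
  return { status: 302, headers: { Location: location } }
}

// Throws a redirect to the verify route when the user has not verified 2FA
// recently; returns undefined otherwise. Call it in both the loader and the
// action, so a page left open past the window is re-checked on submit.
function requireRecentVerification({ request, userId, now = Date.now() }) {
  if (!shouldRequestTwoFA(request, userId, now)) return
  const verifyUrl = getRedirectToUrl({
    request,
    target: userId,
    type: TWO_FA_VERIFICATION_TYPE,
    redirectTo: getRelativeRedirectTo(request),
  })
  throw redirect(verifyUrl)
}

// Consuming side (assumed verify route): accept only same-origin paths, so a
// redirectTo supplied in the query string cannot send the user off-site.
// "//host" and "/\host" are rejected because browsers treat them as absolute.
function safeRedirect(to, fallback = '/') {
  if (typeof to !== 'string') return fallback
  if (!to.startsWith('/') || to.startsWith('//') || to.startsWith('/\\')) return fallback
  return to
}

// Demonstration helper: run the guard for the disable route and return the
// redirect Location when verification is required, or null when it is not.
function checkDisableRoute(userId, now = Date.now()) {
  const request = { url: 'https://example.test/settings/profile/two-factor/disable?x=1' }
  try {
    requireRecentVerification({ request, userId, now })
    return null
  } catch (res) {
    if (res && res.status === 302) return res.headers.Location
    throw res
  }
}
```

Both the loader and the action call the guard: the loader so the page cannot be reached at all without a recent verification, the action so a form submitted long after the page loaded is still challenged, which is exactly the "wait five seconds, then submit" check done in the lesson. On the verify route, redirectTo should pass through something like safeRedirect before being used, since that value arrives in the query string and can be tampered with regardless of how carefully it was built here.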