Implementing Two-Factor Authentication Flow

Transcript

00:00 Let's start out by going to login and right here in our action function we need to take a different path if the user has two-factor authentication enabled. So let's determine that. Verification

00:12 equals await prisma dot verification and we're going to find unique and we're finding unique because they can only have one two-factor code at all. So we can find the target type

00:28 and the target is going to be the user id. Now this is actually tricky because the session that we create as part of the login process that only has the id and the expiration date. So we need to actually add the user id to what we're returning or selecting here. So user id true

00:47 and that will be our target. There we go and then the type is going to be two fa verification type from our two-factor authentication route that manages that.

00:58 Okay, great, so now we have user has two fa is I do boolean but you do what you want to there right there. So if the verification exists then we have two-factor authentication, and of course don't forget the select. We only care about the id, we really just care about whether or not it exists

01:18 at all, but I don't want to pull a bunch of stuff from the database unnecessarily. So there we go there. Now if the user has two-factor authentication then we're going to do all this stuff, otherwise we'll do this stuff we were doing before. So this stuff doesn't change at all. There we go. So if they have two-factor authentication enabled we need to get the

01:39 verify session, and we're going to get that from verify store this verify session storage, and we could get it from the request cookie, and that's what we've always done is get session pass the request cookie, but I actually don't care about what's currently in the verify session cookie

01:58 because we're doing a new verification. I don't want to keep track of all the other stuff that's currently in the cookie. We're going to make a brand new one, so I'm going to ignore that one, and that will effectively swap out whatever is in the user's cookie right now for this new verification that we're going to be going through. And so you don't always want to do that

02:16 of course, sometimes you actually do need to get those values, but in this case we're creating a new verification flow and we don't want to have multiple flows going on at the same time, that wouldn't make sense. So we're going to just say get session without passing that cookie header, and that will effectively create us a new session object. Okay, great, so with that session I'm going

02:34 to set unverified session id to the session id that was created, and it's now in an unverified state. And then we also want to preserve the user's remember me checkbox, because there's not a remember me checkbox on the verify route and that wouldn't really make sense anyway, so

02:48 we got to preserve that somehow, though, and so we'll say verify session set remember me to their remember preference, whatever that was set to, so it's boolean or undefined. And now we need to use the get redirect to url utility from the verify route, so let's grab that

03:10 and this is going to give us our redirect url, so the verify redirect url, whatever you want to call that, and this is going to take our request, our target, and our type. There we go, and also our redirect to as well, because remember, if I, let's say I'm a user with

03:32 two-factor authentication, I go over to the settings profile page and I'm not logged in, so that's going to send me over to login. And earlier we created the ability for the redirect to to populate, so that once I log in it sends me back to the settings profile page, so I don't have

03:49 to do all those clicks, right? So that's what the redirect to is for. But see, now we're not finishing login and sending them right back there, we're sending them over to the verify route, and the verify route needs to capture that and send and then we're going to

04:04 send them once we handle the verification. So we need to include that in the url that we pass to the verify route, and then the verify route will send that along as part of the submission to us

04:15 so with this new redirect url we can redirect the user to the redirect url, and then of course we need to set the headers so we can commit this session. And this is a url object

04:32 so we got a to string this thing, and that is it right there. So we're committing the verify session with verify session storage, and we have this information that we need to communicate to the verify route, which then will come right back here when we handle the verification. So with

04:52 that, now if I click log in, that sends me to the two-factor auth verification step, and we can look at our url: we've got our type is 2fa and our target is my user id, and if I had clicked on

05:10 or if I had a redirect to, then that would show up there too. So here, let's try that. Let's see, if I go to settings profile, see, now I've got the redirect to. I say Cody, Cody loves you, and that includes my type, target and redirect to, so that can propagate once we handle the verification

05:29 but we can't handle the verification yet, because even if I happen to have the right verification code, we haven't implemented handling that yet, so we'll get to that in the next step. Quick review: what we did here was we created, or we first determined, whether the user has

05:46 two-factor authentication enabled by checking for verification in the database. If they do have it enabled, then we're going to grab or create a new verify session storage object, we're going to set the unverified session id and the remember me, so we're just saving those

06:01 in a persistent storage place, which is the browser cookie jar, and then we determine where we're going to send the user, to that new verify route, and then we redirect the user over

06:15 there, persisting our changes to the verify session. And there you go, that is handling the unverified session piece of this process.