libscie/researchequals-api
1
0
Fork 0
Code Issues 18 Pull requests Projects Releases Packages Activity

refactor(auth): make OTP login a two step process #33

New issue
Closed
opened 2025-07-30 14:13:57 +00:00 by chartgerink · 1 comment
chartgerink commented 2025-07-30 14:13:57 +00:00
Owner
Copy link

Currently, upon logging in we have to send the OTP directly with the request. However, in reality, we will not know whether this is needed for logging into an account. This will prove unworkable once the front end is being implemented.

New process will have to be:

  1. Client enters login
  2. Server verifies log in and either (1) sends JWT (no OTP) or (2) sends OTP challenge
  3. Client receives OTP challenge
  4. Client enters OTP code
  5. Server verifies OTP code
  6. Client receives JWT
Currently, upon logging in we have to send the OTP directly with the request. However, in reality, we will not know whether this is needed for logging into an account. This will prove unworkable once the front end is being implemented. New process will have to be: 1. Client enters login 2. Server verifies log in and either (1) sends JWT (no OTP) or (2) sends OTP challenge 2. Client receives OTP challenge 3. Client enters OTP code 4. Server verifies OTP code 5. Client receives JWT
chartgerink commented 2025-07-30 17:46:20 +00:00
Author
Owner
Copy link

This is in some more detail:

Example Flow

Client sends login request:

{
  "username": "user@example.com",
  "password": "password123"
}

Server responds with 401 if 2FA is required:

{
  "message": "2FA is required",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcjEyMyIsInRpbW1hbnN0IjoyNTQwLCJleHBpcmF0aW9uX3RpbWUiOjI1NDAsIm5vbmNlIjoicmFuZG9tX25vbmNlX3ZhbHVlIn0.abc123xyz"
}

Client sends OTP verification request:

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcjEyMyIsInRpbW1hbnN0IjoyNTQwLCJleHBpcmF0aW9uX3RpbWUiOjI1NDAsIm5vbmNlIjoicmFuZG9tX25vbmNlX3ZhbHVlIn0.abc123xyz",
  "otp": "123456"
}

Server verifies OTP and responds with JWT:

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcjEyMyIsImV4cCI6MTY1NDA3MzQwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Note that we use access_token and refresh_token instead :)

This is in some more detail: ## Example Flow ### Client sends login request: ```json { "username": "user@example.com", "password": "password123" } ``` ### Server responds with 401 if 2FA is required: ```json { "message": "2FA is required", "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcjEyMyIsInRpbW1hbnN0IjoyNTQwLCJleHBpcmF0aW9uX3RpbWUiOjI1NDAsIm5vbmNlIjoicmFuZG9tX25vbmNlX3ZhbHVlIn0.abc123xyz" } ``` ### Client sends OTP verification request: ```json { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcjEyMyIsInRpbW1hbnN0IjoyNTQwLCJleHBpcmF0aW9uX3RpbWUiOjI1NDAsIm5vbmNlIjoicmFuZG9tX25vbmNlX3ZhbHVlIn0.abc123xyz", "otp": "123456" } ``` ### Server verifies OTP and responds with JWT: ```json { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoidXNlcjEyMyIsImV4cCI6MTY1NDA3MzQwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" } ``` --- Note that we use `access_token` and `refresh_token` instead :)
chartgerink canceled time tracking 2025-08-08 08:33:05 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
bug

Something is not working

  
critical

issues that are blocking other work, high importance + urgent

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
future

Not on the docket right now. Keeping the issue for future work.

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
critical
duplicate
enhancement
future
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: libscie/researchequals-api#33
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?