I want to implement a 2fa system (using Google Authenticator) for my node.js application but I'm not sure if my thinking is correct.
What I have already implemented is an API with basic user login and password: the user sends a request to
POST /api/users/login
with the required fields (email and password) in the body of the request.
The procedure so far is the following:
- Make custom input validation (e.g. email format, password length)
- If the requested user is NOT found in the db then return a 404
- If the requested user is found in the db and the given password matches the hashed password in the db, then a JWT is generated and sent as a response header
Note: All my authorization endpoints work with JWTs. Let's say that I want to implement the 2fa using Google Authenticator.
I provide the feature to enable 2fa and the server generates a secret key (with TOTP algorithm, using speakeasy package), which will be saved at the db.
So, what I want to achieve is this: the next time the above user tries to log in, there will be a screen where he/she provides the login information and a DIFFERENT screen where he/she provides the 2fa code from Google Authenticator.
However, at the first screen, where the user provides the correct email and password, a JWT is returned in the headers, which is not good, given that 2fa is an extra security step AND that with the returned JWT an unwanted person can make http requests to my server/api.
Things I've considered so far:
- Provide email, password and 2fa code all in the same form (which will work, but I would prefer a different screen for 2fa)
Is any solution described above going to work efficiently and are there any possible problems that may occur? Is there any other solution that you suggest?