Comments (9)
There's already support for an access code, and was thinking about that for this use case. Have to noodle on it a bit, but if there is work to do to support it, it should be relatively minor/straightforward.
from gothic.
I think it would depend on the specific flow -- at signup, after signup, or on each login. 2FA is something I've been thinking about.
Yes, I understand how it works. My point was that supporting 2FA more than likely involves entirely new flows that don't (currently) exist. So I've been thinking about the best way to implement, because I don't think we can just tweak what we have right now to do it.
OK, I might have misunderstood, but I thought the access code stuff was more like a prerequisite for signing up. That could work for some use cases, but ideally I'd like to let users sign up with email/password (since that's lower friction), but with only limited access until they verify their mobile number. My aim is to help cut down spam on an app by e.g. preventing unverified users from posting user-generated content.
Oh, you mean in addition to a normal email/pw signup you want to verify the account against a mobile number?
If so, there is/should be support for that. When a user first signs up (and autoconfirm is disabled) they are in a restricted state (not confirmed or verified), which is reflected in the JWT. Once they confirm their email, they are "confirmed", but not "verified". The verified state was put in to support additional user verification flows (e.g. home address, state-issued ID, mobile #, etc.).
The idea was that you can drop a user through an orthogonal post-signup flow (keyed off the restricted jwt). Upon completion of that flow, you'd mark the account as verified (and refresh the jwt).
Everything should be in place to support it, but I will have a look to make sure the API to mark an account as verified is exposed (it's been a while since I have had a look at that part).
Does that make sense? Or am I still missing what you mean?
p.s. this was additional functionality I added (i.e. not supported in gotrue afaik), fwiw I'm not positive off the top of my head.
Thanks, that's great. I think that means I can support all the flows I want, ideally:
- Social logins - give users full access
- Mobile number - give users full access
- Email/pw - give users partial access until they also verify with their mobile, then full access. In this flow even verifying their email address should be optional
So the mobile number could either be a primary signup method, or a verification method if they sign up with their email address. I'll dig into the docs and see what I can find. Thanks for your help.
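The restricted-JWT flow described in the two comments above (confirmed vs. verified state carried in the token, an endpoint that only lets verified accounts post), as an added Go example that is not gothic's own code: the claim names `confirmed`/`verified`, the `Sub` field and the string access levels are assumptions made for the example, and the secret is a constructed test value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Claims: the claim names are an assumption for this example, not gothic's real token layout.
type Claims struct {
	Sub       string `json:"sub"`
	Confirmed bool   `json:"confirmed"` // e-mail confirmed
	Verified  bool   `json:"verified"`  // post-signup (e.g. mobile) verification done
}

var enc = base64.RawURLEncoding

func hs256(in string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return enc.EncodeToString(mac.Sum(nil))
}

// Sign mints an HS256 token; it is also the "refresh the jwt" step after verification.
func Sign(c Claims, secret []byte) string {
	body, _ := json.Marshal(c)
	in := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return in + "." + hs256(in, secret)
}

// Parse always verifies with HMAC (a tampered "alg" header is ignored, not honoured).
func Parse(token string, secret []byte) (*Claims, bool) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(hs256(p[0]+"."+p[1], secret)), []byte(p[2])) {
		return nil, false // malformed or signature mismatch
	}
	raw, err := enc.DecodeString(p[1])
	c := &Claims{}
	if err != nil || json.Unmarshal(raw, c) != nil {
		return nil, false
	}
	return c, true
}

// Access gates a "post content" endpoint: "full" only when verified, "partial" otherwise, "none" if invalid.
func Access(token string, secret []byte) string {
	if c, ok := Parse(token, secret); !ok {
		return "none"
	} else if c.Verified {
		return "full"
	}
	return "partial"
}
```

An email/password signup is issued a token with `verified:false` and lands in "partial"; the post-signup verification flow flips the flag and re-signs, and only that re-signed token reaches "full".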
I'm just wondering if the same approach could be used to implement Two-Factor Authentication using TOTP, e.g. using the OTP library of @pquerna.
I think it would depend on the specific flow -- at signup, after signup, or on each login. 2FA is something I've been thinking about.
Well, following common market practice, I'd say at/after signup, and on each login — unless the user allows a cookie to be stored on their browser for a certain period of time (say, 30 days) allowing logins to proceed on that browser without TOTP as 2FA...
Complicated enough? 😂