@@ -192,21 +192,7 @@ todo: 2fa is going to be an absolute must have pretty soon, look into what's inv
https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/3395
Process:
SIGN UP
(copied a bit from digital ocean)
User settings has a SECURITY section where control 2fa stuff
user chooses 2fa button to setup, a dialog pops up sends a request to server at which point a secret key for 2fa is generated and stored in the User account
and gets back the secret to display in a qr code on screen to searching
/auth/setup-totp
user is redirected to a client form with the qr code displayed for teh secret
User gets QR code then displayed to sign up with auth software
User has to enter a valid code to save or enable 2fa fully otherwise it's not enabled if they cancel out
until the correct code is entered it will not be enabled yet
If user moves out of 2fa area without validating then it generates a new secret next time they go In
DISABLE
user goes to user settings->Security and click on disable 2fa button which is only enabled to click when the account has 2fa already enabled
this removes the 2fa secret from their account and sets 2fa off.
LOGIN
User logs in as normal, server checks if they have 2fa enabled
if no 2fa enabled then send back token as normal
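Review bot: the SIGN UP steps store the freshly generated secret in the User account before any code has been verified, while the LOGIN step only checks "if they have 2fa enabled", so the todo should state explicitly that an unverified secret is kept as pending (separate field or flag) and is never treated as enabled at login; otherwise a user who cancels out could be challenged for a secret they never scanned. On the same hunk, the DISABLE step removes the secret on a single button click, so it is worth requiring the current password or a valid TOTP code before disabling (a hijacked session should not be able to switch 2fa off), and /auth/setup-totp should be noted as requiring an authenticated session. Minor wording: "to display in a qr code on screen to searching" presumably means "to scan", and "teh" should be "the".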
@@ -215,6 +201,7 @@ todo: 2fa is going to be an absolute must have pretty soon, look into what's inv
client sees it's a 2fa and redirects to a page (or login page has a "dialog") to enter 2fa 6 digit code
temp token and 2fa 6 digit code is sent to a /verify route
if they match / pass then the normal token is sent back and login proceeds as normal
NO TOKEN IS SENT ON 2fa enabled account without pin verification
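Review bot: the /verify step leaves the properties of the temp token undefined; it should be documented as short-lived, bound to the user who just passed the password check, and accepted only by /verify, so it can never be used as a session token elsewhere. That also makes the "NO TOKEN IS SENT" line precise: a temp 2fa token is sent, a session token is not. A 6 digit code has only a million possible values, so /verify needs per-user attempt limiting with lockout and logging on repeated failures, and the server should reject a code that was already accepted in the same time step to prevent replay; note as well whether a small clock-drift window (one step either side) is accepted.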