2FA email login with `auth.api`: Ensure verification is completed?
Hey! When using
Should the result of the
Possible quirk: I don't use the client-side authClient, I have all interactions on server-side using
auth.api.signInEmail to sign in to a user with 2FA (TOTP) enabled, how do I ensure that the 2FA verification has been completed for that session? I can always say that after signing in, the user is redirected to the 2FA verification flow, but I don't see any immediate Better-Auth-native way of blocking the user from simply changing the URL and go to a different page again and thus avoid 2FA. Should the result of the
auth.api.verifyTOTP perhaps be stored in the Session table for easy look-up to ensure that the user has indeed successfully completed the verification? Or am I completely missing something here, for instance that the user shouldn't actually be logged (i.e., no Session is created) in unless they complete 2FA?Possible quirk: I don't use the client-side authClient, I have all interactions on server-side using
auth.api.{method} and I've done all necessary migrations and TOTP enabling/disabling from user profile works as expected. I use fullstack SvelteKit with interactions via form actions.