2 replies

2FA email login with `auth.api`: Ensure verification is completed?

Hey! When using

auth.api.signInEmail

auth.api.signInEmail

to sign in to a user with 2FA (TOTP) enabled, how do I ensure that the 2FA verification has been completed for that session? I can always say that after signing in, the user is redirected to the 2FA verification flow, but I don't see any immediate Better-Auth-native way of blocking the user from simply changing the URL and go to a different page again and thus avoid 2FA.

Should the result of the

auth.api.verifyTOTP

auth.api.verifyTOTP

perhaps be stored in the

Session

Session

table for easy look-up to ensure that the user has indeed successfully completed the verification? Or am I completely missing something here, for instance that the user shouldn't actually be logged (i.e., no Session is created) in unless they complete 2FA?

Possible quirk: I don't use the client-side authClient, I have all interactions on server-side using

auth.api.{method}

auth.api.{method}

and I've done all necessary migrations and TOTP enabling/disabling from user profile works as expected. I use fullstack SvelteKit with interactions via form actions.

Better Auth•11mo ago•

2 replies

andreasb

2FA email login with `auth.api`: Ensure verification is completed?

Hey! When using

auth.api.signInEmail

auth.api.signInEmail

auth.api.verifyTOTP

auth.api.verifyTOTP

perhaps be stored in the

Session

Session

auth.api.{method}

auth.api.{method}

and I've done all necessary migrations and TOTP enabling/disabling from user profile works as expected. I use fullstack SvelteKit with interactions via form actions.

2FA email login with `auth.api`: Ensure verification is completed?

Similar Threads

2FA email login with `auth.api`: Ensure verification is completed?

Similar Threads

Similar Threads

Similar Threads