2FA / TOTP "trust device" bugs
Quick summary:
- When TOTP is entered, user chooses to trust device.
- trust_device cookie is set. Expiration date looks like it's 30 days out (docs say it should be 60)
- log out
- Log back in; TOTP is not requested (good!)
- I check the trust_device cookie; the expiration time is now set to "session". (???)
- Log out/in -> TOTP is requested (bad!)
Possibly two bugs:
1. When the user logs in and they've trusted the device, it only works once since the cookie's expiration is changed to "session" when they log in with the skip.
2. The docs say that trust device is for 60 days, but actual cookie looks to be set to 30 days. Link to docs that say: "When trustDevice is set to true, the current device will be remembered for 60 days.": https://www.better-auth.com/docs/plugins/2fa#trusted-devices
The docs say "The trust period is refreshed each time the user signs in successfully." That could be related... it was definitely refreshed, just to "session" and not a later date as expected.
I tried this on Brave and then again using Safari and the behavior was the same on both. Also, @Kon just posted this same issue in general today: https://discord.com/channels/1288403910284935179/1288403910284935182/1373638125301010442
Thanks for any help!
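As an added illustration of the cookie behaviour described in this post (example code written for this page, not better-auth's own implementation; the function names, the cookie token and the 60-day value taken from the quoted docs are assumptions), a small simulation that replays the steps above and a check that reports whether a trust cookie is persistent or session-scoped:

```javascript
// Added example (not better-auth's code): simulates the trust_device cookie lifecycle
// from the report above. Names, the token and the 60-day period are assumptions.
const TRUST_MAX_AGE = 60 * 86400; // documented trust period, in seconds

// Build a Set-Cookie header; omitting maxAge yields a session cookie (no Max-Age/Expires).
function setCookie(name, value, { maxAge } = {}) {
  let header = `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  if (maxAge !== undefined) header += `; Max-Age=${maxAge}`;
  return header;
}

// Parse a Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    cookie.attrs[(i < 0 ? attr : attr.slice(0, i)).toLowerCase()] = i < 0 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Remaining lifetime in days from Max-Age or Expires; null means session-scoped (discarded on browser close).
function trustLifetimeDays(header, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']) / 86400;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 86400000;
  return null;
}

// Buggy refresh (the behaviour reported): the cookie is re-issued on the TOTP-skipped
// sign-in but without its lifetime, so the trust survives exactly one login.
function refreshTrustBuggy(cookie) {
  return setCookie(cookie.name, cookie.value);
}

// Corrected refresh: re-issue with the full documented period on every successful sign-in.
function refreshTrustFixed(cookie) {
  return setCookie(cookie.name, cookie.value, { maxAge: TRUST_MAX_AGE });
}

// Replay the report's steps: trust on TOTP entry, sign in again with TOTP skipped, inspect
// the refreshed cookie. afterSecond === null reproduces the bug.
function simulate(refresh) {
  const first = setCookie('trust_device', 'constructed-token', { maxAge: TRUST_MAX_AGE });
  const second = refresh(parseSetCookie(first));
  return { afterFirst: trustLifetimeDays(first), afterSecond: trustLifetimeDays(second) };
}
```

The same trustLifetimeDays check can be run against the real Set-Cookie header from the browser's devtools to confirm whether the refreshed cookie carries a Max-Age/Expires at all.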
I would like to follow up with the need for a "2FA trusted devices management API". Maybe when someone is looking into the bugs in this thread they can also check out this post too https://discord.com/channels/1288403910284935179/1373031179070083093. 🙏
I created a GitHub Issue for this: https://github.com/better-auth/better-auth/issues/2728