Verify TOTP before resetPassword

I use SvelteKit and have applied BetterAuth's API calls server-side. I'm using a SvelteCookie plugin to ensure these are passed to the client. I want to solve for this use case: User signs up, verifies their email and sets up 2FA TOTP. Later, they want to reset their password. How do I ensure their TOTP is checked before they can trigger requestPasswordReset? I cannot call verifyTOTP because no TWO_FACTOR_COOKIES are passed when they initiate their session, for example by logging in with signInEmail. We must assume the user no longer knows their password, but controls both the email address and a TOTP authenticator set up with the TOTP secret. The only thing I can think of is sending an OTP by email with sendTwoFactorOTP, but that wouldn't use the user's second factor, which I've intentionally set up to be a TOTP, which would ideally live on a separate device. Thank you.