1 reply

Verify TOTP before resetPassword

I use SvelteKit and have applied BetterAuth's API calls server-side. I'm using a SvelteCookie plugin to ensure these are passed to the client.

I want to solve for this use case:

User signs up, verifies their email and sets up 2FA TOTP. Later, they want to reset their password. How do I ensure their TOTP is checked before they can trigger

requestPasswordReset

requestPasswordReset

?

I cannot call

verifyTOTP

verifyTOTP

because no

TWO_FACTOR_COOKIES

TWO_FACTOR_COOKIES

are passed when they initiate their session, for example by logging in with

signInEmail

signInEmail

. We must assume the user does not know their password any longer, but both controls the email address and a TOTP authenticator setup with the TOTP secret.

The only thing I can think of is sending an OTP per email with

sendTwoFactorOTP

sendTwoFactorOTP

but that wouldn't use the user's second factor, which I've intentionally set up to be a TOTP which would ideally live on a separate device.

Thank you.

Better Auth•8mo ago•

1 reply

Budi

Verify TOTP before resetPassword

requestPasswordReset

requestPasswordReset

?

I cannot call

verifyTOTP

verifyTOTP

because no

TWO_FACTOR_COOKIES

TWO_FACTOR_COOKIES

are passed when they initiate their session, for example by logging in with

signInEmail

signInEmail

sendTwoFactorOTP

sendTwoFactorOTP

but that wouldn't use the user's second factor, which I've intentionally set up to be a TOTP which would ideally live on a separate device.

Thank you.

Verify TOTP before resetPassword

Similar Threads

Verify TOTP before resetPassword

Similar Threads

Similar Threads

Similar Threads