Setting up the 2nd factor
caution
- SuperTokens is not yet optimised for 2FA implementation, so you have to add a lot of customisations for it to work. We are working on improving the development experience for 2FA as well as adding more factors like TOPT. Stay tuned.
- A demo app that uses the pre built UI can be found on our GitHub.
#
1) InitialisationWe will be using the Passwordless recipe with SMS OTP as the second factor. You can follow the recipe's backend quick setup guide to configure a different method as well (for example with email magic links).
The Passwordless.init
function should look something like this:
- NodeJS
- GoLang
- Python
- Express
- Hapi
- Fastify
- Koa
- Loopback
- Serverless
- Next.js
- Nest.js
import supertokens from "supertokens-node";import Session from "supertokens-node/recipe/session";import ThirdPartyEmailPassword from"supertokens-node/recipe/thirdpartyemailpassword";import Passwordless from "supertokens-node/recipe/passwordless"
supertokens.init({ framework: "express", supertokens: { connectionURI: "", apiKey: "", }, appInfo: { // learn more about this on https://supertokens.com/docs/thirdpartyemailpassword/appinfo appName: "<YOUR_APP_NAME>", apiDomain: "<YOUR_API_DOMAIN>", websiteDomain: "<YOUR_WEBSITE_DOMAIN>", apiBasePath: "/auth", websiteBasePath: "/auth" }, recipeList: [ Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE" }), ThirdPartyEmailPassword.init({/*...*/}), Session.init({/*Override from previous step*/}) ]});
import supertokens from "supertokens-node";import Session from "supertokens-node/recipe/session";import ThirdPartyEmailPassword from"supertokens-node/recipe/thirdpartyemailpassword";import Passwordless from "supertokens-node/recipe/passwordless"
supertokens.init({ framework: "hapi", supertokens: { connectionURI: "", apiKey: "", }, appInfo: { // learn more about this on https://supertokens.com/docs/session/appinfo appName: "<YOUR_APP_NAME>", apiDomain: "<YOUR_API_DOMAIN>", websiteDomain: "<YOUR_WEBSITE_DOMAIN>", apiBasePath: "/auth", websiteBasePath: "/auth" }, recipeList: [ Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE" }), ThirdPartyEmailPassword.init({/*...*/}), Session.init({ /*Override from previous step*/ }) ]});
import supertokens from "supertokens-node";import Session from "supertokens-node/recipe/session";import ThirdPartyEmailPassword from"supertokens-node/recipe/thirdpartyemailpassword";import Passwordless from "supertokens-node/recipe/passwordless"
supertokens.init({ framework: "fastify", supertokens: { connectionURI: "", apiKey: "", }, appInfo: { // learn more about this on https://supertokens.com/docs/session/appinfo appName: "<YOUR_APP_NAME>", apiDomain: "<YOUR_API_DOMAIN>", websiteDomain: "<YOUR_WEBSITE_DOMAIN>", apiBasePath: "/auth", websiteBasePath: "/auth" }, recipeList: [ Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE" }), ThirdPartyEmailPassword.init({/*...*/}), Session.init({/*Override from previous step*/}) ]});
import supertokens from "supertokens-node";import Session from "supertokens-node/recipe/session";import ThirdPartyEmailPassword from"supertokens-node/recipe/thirdpartyemailpassword";import Passwordless from "supertokens-node/recipe/passwordless"
supertokens.init({ framework: "koa", supertokens: { connectionURI: "", apiKey: "", }, appInfo: { // learn more about this on https://supertokens.com/docs/session/appinfo appName: "<YOUR_APP_NAME>", apiDomain: "<YOUR_API_DOMAIN>", websiteDomain: "<YOUR_WEBSITE_DOMAIN>", apiBasePath: "/auth", websiteBasePath: "/auth" }, recipeList: [ Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE" }), ThirdPartyEmailPassword.init({/*...*/}), Session.init({/*Override from previous step*/}) ]});
import supertokens from "supertokens-node";import Session from "supertokens-node/recipe/session";import ThirdPartyEmailPassword from"supertokens-node/recipe/thirdpartyemailpassword";import Passwordless from "supertokens-node/recipe/passwordless"
supertokens.init({ framework: "loopback", supertokens: { connectionURI: "", apiKey: "", }, appInfo: { // learn more about this on https://supertokens.com/docs/session/appinfo appName: "<YOUR_APP_NAME>", apiDomain: "<YOUR_API_DOMAIN>", websiteDomain: "<YOUR_WEBSITE_DOMAIN>", apiBasePath: "/auth", websiteBasePath: "/auth" }, recipeList: [ Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE" }), ThirdPartyEmailPassword.init({/*...*/}), Session.init({/*Override from previous step*/}) ]});
important
Please refer the Serverless Deployment section in the Passwordless recipe guide
important
Please refer the NextJS section in the Passwordless recipe guide
important
Please refer the NestJS section in the Passwordless recipe guide
import ( "github.com/supertokens/supertokens-golang/recipe/passwordless" "github.com/supertokens/supertokens-golang/recipe/passwordless/plessmodels" "github.com/supertokens/supertokens-golang/recipe/session" "github.com/supertokens/supertokens-golang/recipe/session/sessmodels" "github.com/supertokens/supertokens-golang/recipe/thirdpartyemailpassword" "github.com/supertokens/supertokens-golang/recipe/thirdpartyemailpassword/tpepmodels" "github.com/supertokens/supertokens-golang/supertokens")
func main() { apiBasePath := "/auth" websiteBasePath := "/auth" err := supertokens.Init(supertokens.TypeInput{ Supertokens: &supertokens.ConnectionInfo{ ConnectionURI: "", APIKey: "", }, AppInfo: supertokens.AppInfo{ AppName: "<YOUR_APP_NAME>", APIDomain: "<YOUR_API_DOMAIN>", WebsiteDomain: "<YOUR_WEBSITE_DOMAIN>", APIBasePath: &apiBasePath, WebsiteBasePath: &websiteBasePath, }, RecipeList: []supertokens.Recipe{ passwordless.Init(plessmodels.TypeInput{ FlowType: "USER_INPUT_CODE", ContactMethodPhone: plessmodels.ContactMethodPhoneConfig{ Enabled: true, }, }), thirdpartyemailpassword.Init(&tpepmodels.TypeInput{/*...*/}), session.Init(&sessmodels.TypeInput{ /*Override from previous step*/ }), }, })
if err != nil { panic(err.Error()) }}
- FastAPI
- Flask
- Django
from supertokens_python import init, InputAppInfo, SupertokensConfigfrom supertokens_python.recipe import thirdpartyemailpassword, session, passwordlessfrom supertokens_python.recipe.passwordless import ContactPhoneOnlyConfig
init( app_info=InputAppInfo( app_name="<YOUR_APP_NAME>", api_domain="<YOUR_API_DOMAIN>", website_domain="<YOUR_WEBSITE_DOMAIN>", api_base_path="/auth", website_base_path="/auth" ), supertokens_config=SupertokensConfig( connection_uri="", api_key="" ), framework='fastapi', recipe_list=[ session.init(), # contains the override from the previous step thirdpartyemailpassword.init( # ... ), passwordless.init( flow_type="USER_INPUT_CODE", contact_config=ContactPhoneOnlyConfig() ) ], mode='asgi' # use wsgi if you are running using gunicorn)
from supertokens_python import init, InputAppInfo, SupertokensConfigfrom supertokens_python.recipe import thirdpartyemailpassword, session, passwordlessfrom supertokens_python.recipe.passwordless import ContactPhoneOnlyConfig
init( app_info=InputAppInfo( app_name="<YOUR_APP_NAME>", api_domain="<YOUR_API_DOMAIN>", website_domain="<YOUR_WEBSITE_DOMAIN>", api_base_path="/auth", website_base_path="/auth" ), supertokens_config=SupertokensConfig( connection_uri="", api_key="" ), framework='flask', recipe_list=[ session.init(), # contains the override from the previous step thirdpartyemailpassword.init( # ... ), passwordless.init( flow_type="USER_INPUT_CODE", contact_config=ContactPhoneOnlyConfig() ) ])
from supertokens_python import init, InputAppInfo, SupertokensConfigfrom supertokens_python.recipe import thirdpartyemailpassword, session, passwordlessfrom supertokens_python.recipe.passwordless import ContactPhoneOnlyConfig
init( app_info=InputAppInfo( app_name="<YOUR_APP_NAME>", api_domain="<YOUR_API_DOMAIN>", website_domain="<YOUR_WEBSITE_DOMAIN>", api_base_path="/auth", website_base_path="/auth" ), supertokens_config=SupertokensConfig( connection_uri="", api_key="" ), framework='django', recipe_list=[ session.init(), # contains the override from the previous step thirdpartyemailpassword.init( # ... ), passwordless.init( flow_type="USER_INPUT_CODE", contact_config=ContactPhoneOnlyConfig() ) ], mode='asgi' # use wsgi if you are running django server in sync mode)
The above will expose all the APIs to the frontend that can be used to create and verify the OTP.
#
2) Saving the user's phone number post second factor authDuring sign up, once the user has completed the second factor, we want to save their phone number against their profile. For this, we will use the UserMetadata
recipe.
important
Make sure to add the User Metadata in the recipe list.
The passwordless recipe will create a new userId
for the user against which it will save the phone number. We can associate the passwordless userId
with the userId
of the first factor, and this way, we associate a phone number to the user:
- NodeJS
- GoLang
- Python
import Session from "supertokens-node/recipe/session";import UserMetadata from "supertokens-node/recipe/usermetadata";import Passwordless from "supertokens-node/recipe/passwordless";
Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE", override: { apis: (oI) => { return { ...oI, // this API is called when the user enters the OTP consumeCodePOST: async function (input) { // - We should already have a session here since this is called after first factor login // - We set the claims to check to be [] here, since this needs to be callable // without the second factor completed let session = await Session.getSession(input.options.req, input.options.res, { overrideGlobalClaimValidators: () => [], }); let resp = await oI.consumeCodePOST!(input);
if (resp.status === "OK") { // OTP verification was successful. We can now associate // the passwordless user ID with the thirdpartyemailpassword // user ID, so that later on, we can fetch the phone number. await UserMetadata.updateUserMetadata( session!.getUserId(), // this is the userId of the first factor login { passwordlessUserId: resp.user.id, } ); }
return resp; }, }; }, }})
import ( "github.com/supertokens/supertokens-golang/recipe/passwordless" "github.com/supertokens/supertokens-golang/recipe/passwordless/plessmodels" "github.com/supertokens/supertokens-golang/recipe/session" "github.com/supertokens/supertokens-golang/recipe/session/claims" "github.com/supertokens/supertokens-golang/recipe/session/sessmodels" "github.com/supertokens/supertokens-golang/recipe/usermetadata" "github.com/supertokens/supertokens-golang/supertokens")
func main() { passwordless.Init(plessmodels.TypeInput{ FlowType: "USER_INPUT_CODE", ContactMethodPhone: plessmodels.ContactMethodPhoneConfig{ Enabled: true, }, Override: &plessmodels.OverrideStruct{ APIs: func(originalImplementation plessmodels.APIInterface) plessmodels.APIInterface { // this API is called when the user enters the OTP oConsumeCodePOST := *originalImplementation.ConsumeCodePOST nConsumeCodePost := func(userInput *plessmodels.UserInputCodeWithDeviceID, linkCode *string, preAuthSessionID string, options plessmodels.APIOptions, userContext supertokens.UserContext) (plessmodels.ConsumeCodePOSTResponse, error) { // - We should already have a session here since this is called // after first factor login // - We set the claims to check to be [] here, since this needs to be callable // without the second factor completed session, err := session.GetSession(options.Req, options.Res, &sessmodels.VerifySessionOptions{ OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) { return []claims.SessionClaimValidator{}, nil }, }) if err != nil { return plessmodels.ConsumeCodePOSTResponse{}, err }
resp, err := oConsumeCodePOST(userInput, linkCode, preAuthSessionID, options, userContext) if err != nil { return resp, err }
if resp.OK != nil { // OTP verification was successful. We can now associate // the passwordless user ID with the thirdpartyemailpassword // user ID, so that later on, we can fetch the phone number. usermetadata.UpdateUserMetadata( session.GetUserID(), map[string]interface{}{ "passwordlessUserId": resp.OK.User.ID, }, ) } return resp, err } *originalImplementation.ConsumeCodePOST = nConsumeCodePost return originalImplementation }, }, })}
from supertokens_python.recipe.passwordless.interfaces import APIInterface, APIOptions, ConsumeCodePostOkResultfrom typing import Union, Dict, Anyfrom supertokens_python.recipe.session.asyncio import get_sessionfrom supertokens_python.recipe.usermetadata.asyncio import update_user_metadatafrom supertokens_python.recipe import passwordless
def override_passwordless_apis(original_implementation: APIInterface): original_consume_code_post = original_implementation.consume_code_post
async def consume_code_post( pre_auth_session_id: str, user_input_code: Union[str, None], device_id: Union[str, None], link_code: Union[str, None], api_options: APIOptions, user_context: Dict[str, Any], ): # this API is called when the user enters the OTP
# we should already have a session here since this is called # after first factor login _session = await get_session(api_options.request) assert _session is not None
res = await original_consume_code_post( pre_auth_session_id, user_input_code, device_id, link_code, api_options, user_context, )
if isinstance(res, ConsumeCodePostOkResult): # OTP verification was successful. We can now associate # the passwordless user ID with the thirdpartyemailpassword # user ID, so that later on, we can fetch the phone number. await update_user_metadata( _session.get_user_id(), # this is the userId of the first factor login {"passwordlessUserId": res.user.user_id} )
return res
original_implementation.consume_code_post = consume_code_post return original_implementation
passwordless.init( flow_type="USER_INPUT_CODE", contact_config=passwordless.ContactPhoneOnlyConfig(), override=passwordless.InputOverrideConfig( apis=override_passwordless_apis ),)
#
3) Updating the session post second factor authWe also want to change the session's payload to indicate that the user has completed the second factor. We do this by setting the SecondFactorClaim
to true
in the session.
We also have to be careful about not creating a new session after the second factor auth is completed. By default, the passwordless recipe will create a new session on successul verification, overwriting the older one. We can prevent this, by using the userContext
feature:
- NodeJS
- GoLang
- Python
import Session from "supertokens-node/recipe/session";import UserMetadata from "supertokens-node/recipe/usermetadata";import Passwordless from "supertokens-node/recipe/passwordless";
Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE", override: { apis: (oI) => { return { ...oI, // this API is called when the user enters the OTP consumeCodePOST: async function (input) { // A session should already exist since this should be called after the first factor is completed. // We set the claims to check to be [] here, since this needs to be callable // without the second factor completed let session = await Session.getSession(input.options.req, input.options.res, { overrideGlobalClaimValidators: () => [], }); // we add the existing session to the user context so that the createNewSession // function doesn't create a new session input.userContext.session = session;
let resp = await oI.consumeCodePOST!(input);
if (resp.status === "OK") { // OTP verification was successful. // We can now set the SecondFactorClaim in the session to true. // the user has access to API routes and the frontend UI await resp.session.setClaimValue(SecondFactorClaim, true);
// We can now associate // the passwordless user ID with the thirdpartyemailpassword // user ID, so that later on, we can fetch the phone number. await UserMetadata.updateUserMetadata( session!.getUserId(), // this is the userId of the first factor login { passwordlessUserId: resp.user.id, } ); }
return resp; }, }; }, }})
Session.init({ override: { functions: (originalImplementation) => { return { ...originalImplementation, /* This function is called after signing in or signing up via the first factor */ createNewSession: async function (input) { if (input.userContext.session !== undefined) { /** * This will be true for the second factor login. * So instead of creating a new session, we return the already existing one. */ return input.userContext.session; } return originalImplementation.createNewSession({ ...input, accessTokenPayload: { ...input.accessTokenPayload, ...(await SecondFactorClaim.build(input.userId, input.userContext)), }, }); }, }; }, },})
import ( "net/http"
"github.com/supertokens/supertokens-golang/recipe/passwordless" "github.com/supertokens/supertokens-golang/recipe/passwordless/plessmodels" "github.com/supertokens/supertokens-golang/recipe/session" "github.com/supertokens/supertokens-golang/recipe/session/claims" "github.com/supertokens/supertokens-golang/recipe/session/sessmodels" "github.com/supertokens/supertokens-golang/recipe/usermetadata" "github.com/supertokens/supertokens-golang/supertokens")
func main() { SecondFactorClaim, _ := claims.BooleanClaim("2fa-completed", func(userId string, userContext supertokens.UserContext) (interface{}, error) { return false, nil }, nil)
passwordless.Init(plessmodels.TypeInput{ FlowType: "USER_INPUT_CODE", ContactMethodPhone: plessmodels.ContactMethodPhoneConfig{ Enabled: true, }, Override: &plessmodels.OverrideStruct{ APIs: func(originalImplementation plessmodels.APIInterface) plessmodels.APIInterface { // this API is called when the user enters the OTP oConsumeCodePOST := *originalImplementation.ConsumeCodePOST nConsumeCodePost := func(userInput *plessmodels.UserInputCodeWithDeviceID, linkCode *string, preAuthSessionID string, options plessmodels.APIOptions, userContext supertokens.UserContext) (plessmodels.ConsumeCodePOSTResponse, error) { // - We should already have a session here since this is called // after first factor login // - We set the claims to check to be [] here, since this needs to be callable // without the second factor completed session, err := session.GetSession(options.Req, options.Res, &sessmodels.VerifySessionOptions{ OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) { return []claims.SessionClaimValidator{}, nil }, }) if err != nil { return plessmodels.ConsumeCodePOSTResponse{}, err }
// we add the existing session to the user context so that the createNewSession // function doesn't create a new session (*userContext)["session"] = session
resp, err := oConsumeCodePOST(userInput, linkCode, preAuthSessionID, options, userContext) if err != nil { return resp, err }
if resp.OK != nil { // OTP verification was successful. We can now mark the // session's payload as is2faComplete: true so that // the user has access to API routes and the frontend UI resp.OK.Session.SetClaimValue(SecondFactorClaim, true)
// We can now associate // the passwordless user ID with the thirdpartyemailpassword // user ID, so that later on, we can fetch the phone number. usermetadata.UpdateUserMetadata( session.GetUserID(), map[string]interface{}{ "passwordlessUserId": resp.OK.User.ID, }, ) } return resp, err } *originalImplementation.ConsumeCodePOST = nConsumeCodePost return originalImplementation }, }, })
session.Init(&sessmodels.TypeInput{ Override: &sessmodels.OverrideStruct{ Functions: func(originalImplementation sessmodels.RecipeInterface) sessmodels.RecipeInterface { oCreateNewSession := *originalImplementation.CreateNewSession /* This function is called after signing in or signing up via the first factor */ nCreateNewSession := func(res http.ResponseWriter, userID string, accessTokenPayload map[string]interface{}, sessionData map[string]interface{}, userContext supertokens.UserContext) (sessmodels.SessionContainer, error) { if session, ok := (*userContext)["session"].(sessmodels.SessionContainer); ok { /** * This will be true for the second factor login. * So instead of creating a new session, we return the already existing one. */ return session, nil }
if accessTokenPayload == nil { accessTokenPayload = map[string]interface{}{} } accessTokenPayload, err := SecondFactorClaim.Build(userID, accessTokenPayload, userContext) if err != nil { return nil, err } return oCreateNewSession(res, userID, accessTokenPayload, sessionData, userContext) } *originalImplementation.CreateNewSession = nCreateNewSession return originalImplementation }, }, })}
from supertokens_python.recipe.passwordless.interfaces import APIInterface, APIOptions, ConsumeCodePostOkResultfrom typing import Union, Dict, Anyfrom supertokens_python.recipe.session.asyncio import get_sessionfrom supertokens_python.recipe.usermetadata.asyncio import update_user_metadatafrom supertokens_python.recipe.session.interfaces import SessionContainer, RecipeInterfacefrom supertokens_python.recipe.session.claims import BooleanClaim
SecondFactorClaim = BooleanClaim( key="2fa-completed", fetch_value=lambda _, __: False)
def override_passwordless_apis(original_implementation: APIInterface): original_consume_code_post = original_implementation.consume_code_post
async def consume_code_post( pre_auth_session_id: str, user_input_code: Union[str, None], device_id: Union[str, None], link_code: Union[str, None], api_options: APIOptions, user_context: Dict[str, Any], ): # this API is called when the user enters the OTP
# A session should already exist since this should be called after the first factor is completed. # We set the claims to check to be [] here, since this needs to be callable # without the second factor completed _session = await get_session(api_options.request, override_global_claim_validators=lambda _, __, ___: []) assert _session is not None
# we should add the existing session to the user_context # so that the create_new_session function # doesn't create a new session user_context["session"] = _session
res = await original_consume_code_post( pre_auth_session_id, user_input_code, device_id, link_code, api_options, user_context, )
if isinstance(res, ConsumeCodePostOkResult): # OTP verification was successful. We can now mark the # session's payload as {"is2faComplete": True} so that # the user has access to API routes and the frontend UI await _session.set_claim_value(SecondFactorClaim, True)
# We can now associate # the passwordless user ID with the thirdpartyemailpassword # user ID, so that later on, we can fetch the phone number. await update_user_metadata( _session.get_user_id(), # userId of the first factor login {"passwordlessUserId": res.user.user_id} )
return res
original_implementation.consume_code_post = consume_code_post return original_implementation
def override_session_functions(original_implementation: RecipeInterface): original_create_new_session = original_implementation.create_new_session
async def create_new_session( request: Any, user_id: str, access_token_payload: Union[None, Dict[str, Any]], session_data: Union[None, Dict[str, Any]], user_context: Dict[str, Any], ): # This function is called after signing in or # signing up via the first factor
_session = user_context.get("session") if _session and isinstance(_session, SessionContainer): # This will be true for the second factor login. # So instead of creating a new session, we return the already existing one. return _session
if access_token_payload is None: access_token_payload = {}
access_token_payload = {**access_token_payload, **(await SecondFactorClaim.build(user_id, user_context))} return await original_create_new_session( request, user_id, access_token_payload, session_data, user_context )
original_implementation.create_new_session = create_new_session return original_implementation
#
4) Validating the phone numberBy default, the Passwordless API for sending an OTP (createCodePOST
) sends the OTP to the input phone number, and if we don't modify that, the attack below is be possible:
- Alice (user) signs up using a weak password and their phone number.
- Mallory (attacker) successfully guesses Alice's password and queries the OTP sending API manually, to inject her phone number for the second factor auth.
- OTP is sent to Mallory's phone number and she can pass the second factor challenge.
To make it secure, we override the createCodePOST
API and check that the input phone number is the same as the phone number associated with the user. If it's not the same, we throw an error, and if it is the same, we continue:
- NodeJS
- GoLang
- Python
import Session from "supertokens-node/recipe/session";import UserMetadata from "supertokens-node/recipe/usermetadata";import Passwordless from "supertokens-node/recipe/passwordless";
Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE", override: { apis: (oI) => { return { ...oI, /*This API is called to send an OTP*/ createCodePOST: async function (input) { /** * We want to make sure that the OTP being generated is for the * same number that belongs to this user. */
// A session should already exist since this should be called after the first factor is completed. // We set the claims to check to be [] here, since this needs to be callable // without the second factor completed let session = await Session.getSession(input.options.req, input.options.res, { overrideGlobalClaimValidators: () => [], });
// We try and get the phone number associated with this user. It will be // defined if this is a sign in attempt, in which case, we will check that // it is equal to the input phone number let userMetadata = await UserMetadata.getUserMetadata(session!.getUserId()); let phoneNumber: string | undefined = undefined; if (userMetadata.metadata.passwordlessUserId !== undefined) { // the flow will come here during a login attempt, since we // associate the passwordless userId to the user on sign up let passwordlessUserInfo = await Passwordless.getUserById({ userId: userMetadata.metadata.passwordlessUserId as string, userContext: input.userContext, }); phoneNumber = passwordlessUserInfo?.phoneNumber; }
if (phoneNumber !== undefined) { // this means we found a phone number associated to this user. // we will check if the input phone number is the same as this one. if (!("phoneNumber" in input) || input.phoneNumber !== phoneNumber) { throw new Error("Input phone number is not the same as the one saved for this user"); } }
return oI.createCodePOST!(input); }, consumeCodePOST: async function (input) { /*...Modifications from previous step */ let resp = await oI.consumeCodePOST!(input); /*...Modifications from previous step */ return resp; }, }; }, }})
import ( "errors"
"github.com/supertokens/supertokens-golang/recipe/passwordless" "github.com/supertokens/supertokens-golang/recipe/passwordless/plessmodels" "github.com/supertokens/supertokens-golang/recipe/session" "github.com/supertokens/supertokens-golang/recipe/session/claims" "github.com/supertokens/supertokens-golang/recipe/session/sessmodels" "github.com/supertokens/supertokens-golang/recipe/usermetadata" "github.com/supertokens/supertokens-golang/supertokens")
func main() { passwordless.Init(plessmodels.TypeInput{ FlowType: "USER_INPUT_CODE", ContactMethodPhone: plessmodels.ContactMethodPhoneConfig{ Enabled: true, }, Override: &plessmodels.OverrideStruct{ APIs: func(originalImplementation plessmodels.APIInterface) plessmodels.APIInterface { /*This API is called to send an OTP*/ oCreateCodePOST := *originalImplementation.CreateCodePOST nCreateCodePOST := func(email *string, phoneNumber *string, options plessmodels.APIOptions, userContext supertokens.UserContext) (plessmodels.CreateCodePOSTResponse, error) { /** * We want to make sure that the OTP being generated is for the * same number that belongs to this user. */
// A session should already exist since this should be called after the first factor is completed. // We set the claims to check to be [] here, since this needs to be callable // without the second factor completed session, err := session.GetSession(options.Req, options.Res, &sessmodels.VerifySessionOptions{ OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) { return []claims.SessionClaimValidator{}, nil }, }) if err != nil { return plessmodels.CreateCodePOSTResponse{}, err }
// We try and get the phone number associated with this user. It will be // defined if this is a sign in attempt, in which case, we will check that // it is equal to the input phone number userMetadata, err := usermetadata.GetUserMetadataWithContext(session.GetUserID(), userContext) if err != nil { return plessmodels.CreateCodePOSTResponse{}, err } var userPhoneNumber *string if passwordlessUserId, ok := userMetadata["passwordlessUserId"].(string); ok { // the flow will come here during a login attempt, since we // associate the passwordless userId to the user on sign up passwordlessUserInfo, err := passwordless.GetUserByIDWithContext(passwordlessUserId, userContext) if err != nil { return plessmodels.CreateCodePOSTResponse{}, err } userPhoneNumber = passwordlessUserInfo.PhoneNumber } if userPhoneNumber != nil { // this means we found a phone number associated to this user. // we will check if the input phone number is the same as this one. if phoneNumber == nil || *phoneNumber != *userPhoneNumber { return plessmodels.CreateCodePOSTResponse{}, errors.New("Input phone number is not the same as the one saved for this user") } }
return oCreateCodePOST(email, phoneNumber, options, userContext) } *originalImplementation.CreateCodePOST = nCreateCodePOST
oConsumeCodePOST := *originalImplementation.ConsumeCodePOST nConsumeCodePost := func(userInput *plessmodels.UserInputCodeWithDeviceID, linkCode *string, preAuthSessionID string, options plessmodels.APIOptions, userContext supertokens.UserContext) (plessmodels.ConsumeCodePOSTResponse, error) { /*...mofications from previous step */ resp, err := oConsumeCodePOST(userInput, linkCode, preAuthSessionID, options, userContext) /*...mofications from previous step */ return resp, err } *originalImplementation.ConsumeCodePOST = nConsumeCodePost
return originalImplementation }, }, })}
from supertokens_python.recipe.passwordless.interfaces import APIInterface, APIOptionsfrom typing import Union, Dict, Any, Optionalfrom supertokens_python.recipe.session.asyncio import get_sessionfrom supertokens_python.recipe.usermetadata.asyncio import get_user_metadatafrom supertokens_python.recipe.passwordless.asyncio import get_user_by_id
def override_passwordless_apis(original_implementation: APIInterface): original_consume_code_post = original_implementation.consume_code_post original_create_code_post = original_implementation.create_code_post
async def create_code_post( email: Union[str, None], phone_number: Union[str, None], api_options: APIOptions, user_context: Dict[str, Any], ): # This API is called to send an OTP
# We want to make sure that the OTP being generated is for the # same number that belongs to this user.
# A session should already exist since this should be called after the first factor is completed. # We set the claims to check to be [] here, since this needs to be callable # without the second factor completed _session = await get_session(api_options.request, override_global_claim_validators=lambda _, __, ___: []) assert _session is not None
# We try to get the phone number associated with this user. It will be # defined if this is a sign in attempt, in which case, we will check that # it is equal to the input phone number user_metadata = await get_user_metadata(_session.get_user_id()) user_metadata_phone_number: Optional[str] = None if user_metadata.metadata.get("passwordlessUserId"): # the flow will come here during a login attempt, since we # associate the passwordless userId to the user on sign up passwordless_user_info = await get_user_by_id( user_metadata.metadata["passwordlessUserId"], user_context ) if passwordless_user_info is not None: user_metadata_phone_number = passwordless_user_info.phone_number
if user_metadata_phone_number is not None: # this means we found a phone number associated to this user # we will check if the input phone number is the same as this one. if (phone_number is None) or (phone_number != user_metadata_phone_number): raise Exception( "Input phone number is not the same as the one saved for this user" )
return await original_create_code_post( email, phone_number, api_options, user_context )
async def consume_code_post( pre_auth_session_id: str, user_input_code: Union[str, None], device_id: Union[str, None], link_code: Union[str, None], api_options: APIOptions, user_context: Dict[str, Any], ): # ...Modifications from previous step res = await original_consume_code_post( pre_auth_session_id, user_input_code, device_id, link_code, api_options, user_context, ) # ...Modifications from previous step return res
original_implementation.create_code_post = create_code_post original_implementation.consume_code_post = consume_code_post return original_implementation
#
5) Storing the user's phone number in the sessionWhen the session is first created (after the first factor is completed), we store the user's phone number in the session (if it exists), so that the frontend can call the createCodePOST
API (to intiate the second factor challenge) without asking the user for their phone number again.
We do this by modifying the createNewSession
function in the Session.init
call:
- NodeJS
- GoLang
- Python
import Session from "supertokens-node/recipe/session";import UserMetadata from "supertokens-node/recipe/usermetadata";import Passwordless from "supertokens-node/recipe/passwordless";
Session.init({ override: { functions: (originalImplementation) => { return { ...originalImplementation, /* This function is called after signing in or signing up via the first factor */ createNewSession: async function (input) { if (input.userContext.session !== undefined) { /** * This will be true for the second factor login. * So instead of creating a new session, we return the already existing one. */ return input.userContext.session; }
// we first get the passwordless userId associated with this user // using the UserMetadata recipe let userMetadata = await UserMetadata.getUserMetadata(input.userId); let phoneNumber: string | undefined = undefined; if (userMetadata.metadata.passwordlessUserId !== undefined) { // We get the phone number associated with the passwordless userId. let passwordlessUserInfo = await Passwordless.getUserById({ userId: userMetadata.metadata.passwordlessUserId as string, userContext: input.userContext, }); phoneNumber = passwordlessUserInfo?.phoneNumber; }
return originalImplementation.createNewSession({ ...input, accessTokenPayload: { ...input.accessTokenPayload, ...(await SecondFactorClaim.build(input.userId, input.userContext)), phoneNumber, }, }); }, }; }, },})
import ( "net/http"
"github.com/supertokens/supertokens-golang/recipe/passwordless" "github.com/supertokens/supertokens-golang/recipe/session" "github.com/supertokens/supertokens-golang/recipe/session/claims" "github.com/supertokens/supertokens-golang/recipe/session/sessmodels" "github.com/supertokens/supertokens-golang/recipe/usermetadata" "github.com/supertokens/supertokens-golang/supertokens")
func main() { SecondFactorClaim, _ := claims.BooleanClaim("2fa-completed", func(userId string, userContext supertokens.UserContext) (interface{}, error) { return false, nil }, nil)
session.Init(&sessmodels.TypeInput{ Override: &sessmodels.OverrideStruct{ Functions: func(originalImplementation sessmodels.RecipeInterface) sessmodels.RecipeInterface { oCreateNewSession := *originalImplementation.CreateNewSession /* This function is called after signing in or signing up via the first factor */ nCreateNewSession := func(res http.ResponseWriter, userID string, accessTokenPayload map[string]interface{}, sessionData map[string]interface{}, userContext supertokens.UserContext) (sessmodels.SessionContainer, error) { if session, ok := (*userContext)["session"].(sessmodels.SessionContainer); ok { /** * This will be true for the second factor login. * So instead of creating a new session, we return the already existing one. */ return session, nil }
// we first get the passwordless userId associated with this user // using the UserMetadata recipe userMetadata, err := usermetadata.GetUserMetadataWithContext(userID, userContext) if err != nil { return nil, err } var userPhoneNumber *string if passwordlessUserId, ok := userMetadata["passwordlessUserId"].(string); ok { passwordlessUserInfo, err := passwordless.GetUserByIDWithContext(passwordlessUserId, userContext) if err != nil { return nil, err } userPhoneNumber = passwordlessUserInfo.PhoneNumber }
if accessTokenPayload == nil { accessTokenPayload = map[string]interface{}{} } accessTokenPayload, err = SecondFactorClaim.Build(userID, accessTokenPayload, userContext) if err != nil { return nil, err } if userPhoneNumber != nil { accessTokenPayload["phoneNumber"] = *userPhoneNumber } return oCreateNewSession(res, userID, accessTokenPayload, sessionData, userContext) } *originalImplementation.CreateNewSession = nCreateNewSession return originalImplementation }, }, })}
from typing import Union, Dict, Any, Optionalfrom supertokens_python.recipe.usermetadata.asyncio import get_user_metadatafrom supertokens_python.recipe.passwordless.asyncio import get_user_by_idfrom supertokens_python.recipe.session.interfaces import SessionContainer, RecipeInterfacefrom supertokens_python.recipe.session.claims import BooleanClaim
SecondFactorClaim = BooleanClaim( key="2fa-completed", fetch_value=lambda _, __: False)
def override_session_functions(original_implementation: RecipeInterface): original_create_new_session = original_implementation.create_new_session
async def create_new_session( request: Any, user_id: str, access_token_payload: Union[None, Dict[str, Any]], session_data: Union[None, Dict[str, Any]], user_context: Dict[str, Any], ): # This function is called after signing in # or signing up via the first factor
_session = user_context.get("session") if _session and isinstance(_session, SessionContainer): # This will be true for the second factor login. # So instead of creating a new session, we return the already existing one. return _session
if access_token_payload is None: access_token_payload = {}
# we first get the passwordless user id associated with this user # using the user_metadata recipe user_metadata = await get_user_metadata(user_id) phone_number: Optional[str] = None if user_metadata.metadata.get("passwordlessUserId") is not None: # We get the phone number associated with the passwordless userId passwordless_user_info = await get_user_by_id( user_metadata.metadata["passwordlessUserId"], user_context ) if passwordless_user_info is not None: phone_number = passwordless_user_info.phone_number
# Insert "is2faComplete" and "phoneNumber" in the access token payload access_token_payload = { **access_token_payload, **(await SecondFactorClaim.build(user_id, user_context)), "phoneNumber": phone_number, } return await original_create_new_session( request, user_id, access_token_payload, session_data, user_context )
original_implementation.create_new_session = create_new_session return original_implementation
We can then further modify the customisation in step (4) to simply read from the session's payload making it more efficient:
- NodeJS
- GoLang
- Python
import Session from "supertokens-node/recipe/session";import UserMetadata from "supertokens-node/recipe/usermetadata";import Passwordless from "supertokens-node/recipe/passwordless";
Passwordless.init({ flowType: "USER_INPUT_CODE", contactMethod: "PHONE", override: { apis: (oI) => { return { ...oI, /*This API is called to send an OTP*/ createCodePOST: async function (input) { /** * We want to make sure that the OTP being generated is for the * same number that belongs to this user. */
// A session should already exist since this should be called after the first factor is completed. // We remove claim checking here, since this needs to be callable without the second factor completed let session = await Session.getSession(input.options.req, input.options.res, { overrideGlobalClaimValidators: () => [], });
let phoneNumber: string = session!.getAccessTokenPayload().phoneNumber;
if (phoneNumber !== undefined) { // this means we found a phone number associated to this user. // we will check if the input phone number is the same as this one. if (!("phoneNumber" in input) || input.phoneNumber !== phoneNumber) { throw new Error("Input phone number is not the same as the one saved for this user"); } }
return oI.createCodePOST!(input); }, consumeCodePOST: async function (input) { /*...Modifications from previous step */ let resp = await oI.consumeCodePOST!(input); /*...Modifications from previous step */ return resp; }, }; }, }})
import ( "errors"
"github.com/supertokens/supertokens-golang/recipe/passwordless" "github.com/supertokens/supertokens-golang/recipe/passwordless/plessmodels" "github.com/supertokens/supertokens-golang/recipe/session" "github.com/supertokens/supertokens-golang/recipe/session/claims" "github.com/supertokens/supertokens-golang/recipe/session/sessmodels" "github.com/supertokens/supertokens-golang/supertokens")
func main() { passwordless.Init(plessmodels.TypeInput{ FlowType: "USER_INPUT_CODE", ContactMethodPhone: plessmodels.ContactMethodPhoneConfig{ Enabled: true, }, Override: &plessmodels.OverrideStruct{ APIs: func(originalImplementation plessmodels.APIInterface) plessmodels.APIInterface { /*This API is called to send an OTP*/ oCreateCodePOST := *originalImplementation.CreateCodePOST nCreateCodePOST := func(email *string, phoneNumber *string, options plessmodels.APIOptions, userContext supertokens.UserContext) (plessmodels.CreateCodePOSTResponse, error) { /** * We want to make sure that the OTP being generated is for the * same number that belongs to this user. */
// A session should already exist since this should be called after the first factor is completed. // We set the claims to check to be [] here, since this needs to be callable // without the second factor completed session, err := session.GetSession(options.Req, options.Res, &sessmodels.VerifySessionOptions{ OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) { return []claims.SessionClaimValidator{}, nil }, }) if err != nil { return plessmodels.CreateCodePOSTResponse{}, err }
var userPhoneNumber *string if phoneNumber, ok := session.GetAccessTokenPayloadWithContext(userContext)["phoneNumber"].(string); ok { userPhoneNumber = &phoneNumber }
if userPhoneNumber != nil { // this means we found a phone number associated to this user. // we will check if the input phone number is the same as this one. if phoneNumber == nil || *phoneNumber != *userPhoneNumber { return plessmodels.CreateCodePOSTResponse{}, errors.New("Input phone number is not the same as the one saved for this user") } }
return oCreateCodePOST(email, phoneNumber, options, userContext) } *originalImplementation.CreateCodePOST = nCreateCodePOST
oConsumeCodePOST := *originalImplementation.ConsumeCodePOST nConsumeCodePost := func(userInput *plessmodels.UserInputCodeWithDeviceID, linkCode *string, preAuthSessionID string, options plessmodels.APIOptions, userContext supertokens.UserContext) (plessmodels.ConsumeCodePOSTResponse, error) { /*...mofications from previous step */ resp, err := oConsumeCodePOST(userInput, linkCode, preAuthSessionID, options, userContext) /*...mofications from previous step */ return resp, err } *originalImplementation.ConsumeCodePOST = nConsumeCodePost
return originalImplementation }, }, })}
from supertokens_python.recipe.passwordless.interfaces import APIInterface, APIOptionsfrom typing import Union, Dict, Anyfrom supertokens_python.recipe.session.asyncio import get_session
def override_passwordless_apis(original_implementation: APIInterface): original_create_code_post = original_implementation.create_code_post
async def create_code_post( email: Union[str, None], phone_number: Union[str, None], api_options: APIOptions, user_context: Dict[str, Any], ): # This API is called to send an OTP
# We want to make sure that the OTP being generated is for the # same number that belongs to this user.
# A session should already exist since this should be called after the first factor is completed. # We set the claims to check to be [] here, since this needs to be callable # without the second factor completed _session = await get_session(api_options.request, override_global_claim_validators=lambda _, __, ___: []) assert _session is not None
payload_phone_number = _session.get_access_token_payload().get("phoneNumber")
if payload_phone_number is not None: # this means we found a phone number associated to this user # we will check if the input phone number is the same as this one. if (phone_number is None) or (phone_number != payload_phone_number): raise Exception( "Input phone number is not the same as the one saved for this user" )
return await original_create_code_post( email, phone_number, api_options, user_context ) original_implementation.create_code_post = create_code_post