better-auth.two_factor cookie not removed on signout?
Should the twoFactor() plugin automatically add an expired Set-Cookie for the better-auth.two_factor cookie?
Because right now at v1.1.17 it does set an expired cookie only for better-auth.session_token but not for the two_factor one.
9 Replies
Can you update to the latest and let us know if this is still an issue? ( v1.1.20-beta.1)
yes sure
Also, another strange issue I found on the authClient: the response.data from verifyTotp is a Blob.
I'll let you know also for this
still the same issue, the data is a Blob object. Really strange.
Even for the two_factor cookie it is the same.
Basically, when I sign in with email it returns the two_factor cookie; after a verification (authClient.twoFactor.verifyTotp) on the client side, no expired Set-Cookie is returned, so the two_factor cookie is still there.
Even after a signOut on the server side, the only cookies that are correctly set as expired are session_token, session_data and dont_remember. No expired cookie for two_factor is set by signOut.
Even if the two_factor cookie has a short duration, it should be correctly expired at some point, on verifyTotp if possible, i.e. remove the two_factor cookie and set just the session_token.
What do you think @Ping ?
I'm not too sure. But @bekacru might be of help.
It has a short duration (10 mins), that's why we don't actively remove it. And in case the user tries to sign out and sign in again, the new cookie will override the old one, so it shouldn't cause any issue.
thanks for taking your time to reply. 🙂
Yes, that's the behaviour. Actually my issue was that since the cookie wasn't removed, the user was never really signing out and was redirected back to my /verify-two-factor page. I solved the issue by manually expiring the cookie "better-auth.two_factor".
And about this I have a related question: can this two_factor token, even if already used to exchange it for an access token, be reused during this 10 min time window? Is that good on the security side, or should it be invalidated after it has been used?
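An added example, not code from better-auth or from anyone in this thread, of the manual expiry the last reply describes and of the check behind the earlier observations: it assumes the cookie names quoted in the thread, a cookie Path of `/` with the Secure and HttpOnly flags, and the sample Set-Cookie headers are constructed rather than captured.

```javascript
// Added example (not better-auth's code): build and verify the clearing
// Set-Cookie headers a sign-out response should carry. Cookie names and the
// sample headers are constructed from the thread's description, not captured.
const EPOCH = 'Thu, 01 Jan 1970 00:00:00 GMT';
// Set-Cookie value that clears `name`: empty value, Max-Age=0, plus an
// Expires in the past for old clients. Path and the Secure/HttpOnly flags
// must match the cookie being cleared (assumed here: Path=/, Secure, HttpOnly).
function expireCookieHeader(name, { path = '/', secure = true } = {}) {
  return `${name}=; Path=${path}; Expires=${EPOCH}; Max-Age=0; HttpOnly;` +
    `${secure ? ' Secure;' : ''} SameSite=Lax`;
}
// Parse one Set-Cookie header into { name, attrs } (attribute keys lowercased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, attrs };
}
// A cookie is cleared when Max-Age <= 0 or Expires is not in the future.
function isExpired({ attrs }, now = Date.now()) {
  if ('max-age' in attrs) return Number(attrs['max-age']) <= 0;
  if ('expires' in attrs) return Date.parse(attrs.expires) <= now;
  return false;
}
// Names from `expected` that the response does NOT clear: the check the
// thread did by hand in the browser devtools.
function missingExpirations(setCookieHeaders, expected) {
  const cleared = new Set(
    setCookieHeaders.map(parseSetCookie).filter((c) => isExpired(c)).map((c) => c.name));
  return expected.filter((n) => !cleared.has(n));
}
// Append a clearing Set-Cookie for every expected cookie the response misses:
// the manual fix for better-auth.two_factor described in the thread.
function completeSignOutHeaders(setCookieHeaders, expected) {
  return setCookieHeaders.concat(
    missingExpirations(setCookieHeaders, expected).map((n) => expireCookieHeader(n)));
}
// Constructed sample: the sign-out response as the thread describes it at v1.1.17.
const SIGNOUT_COOKIES = [
  'better-auth.session_token=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax',
  'better-auth.session_data=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax',
  'better-auth.dont_remember=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax',
];
const EXPECTED = ['better-auth.session_token', 'better-auth.session_data',
  'better-auth.dont_remember', 'better-auth.two_factor'];
```

Running `missingExpirations(SIGNOUT_COOKIES, EXPECTED)` reports only `better-auth.two_factor` as not cleared, and `completeSignOutHeaders` adds the missing header so a second check reports nothing.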