2FA email login with `auth.api`: Ensure verification is completed?
Hey! When using
auth.api.signInEmail to sign in to a user with 2FA (TOTP) enabled, how do I ensure that the 2FA verification has been completed for that session? I can always say that after signing in, the user is redirected to the 2FA verification flow, but I don't see any immediate Better-Auth-native way of blocking the user from simply changing the URL and go to a different page again and thus avoid 2FA.
Should the result of the auth.api.verifyTOTP perhaps be stored in the Session table for easy look-up to ensure that the user has indeed successfully completed the verification? Or am I completely missing something here, for instance that the user shouldn't actually be logged (i.e., no Session is created) in unless they complete 2FA?
Possible quirk: I don't use the client-side authClient, I have all interactions on server-side using auth.api.{method} and I've done all necessary migrations and TOTP enabling/disabling from user profile works as expected. I use fullstack SvelteKit with interactions via form actions.1 Reply
I guess a different approach might be to instead of showing an email and password field on the login page, I only display the email field and check upon submit (SvelteKit form action) if the associated user has 2FA enabled, if so display 2FA TOTP field alongside password field. This way the user won't even be signed in if there's no valid TOTP during login.
I'm leaning towards extending the
Session table schema with for instance auth_status: 'pending_2fa' | 'authenticated' and perhaps lower the session lifetime. This would allow me to much easier check the user's active session for a completed and verified TOTP/2FA.
Am I overthinking this, or does this approach make sense?