Describe the bug
Currently one has to send a PATCH to /users/xxx with multi_factor_auth:true. This is already enough to enable 2fa. If something occurs before the user was able to grab the code, the user is locked out.
Expected behavior
PATCH multi_factor_auth:true sets a new 2fa secret and also returns it, but multi_factor_auth is still set to false. It can only be set to true while also patching multi_factor_validate with the correct totp code.
CHANGE: It might be pretty useful to generate recovery codes. This will be integrated as an update in v2.7 as it is authentication related.
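The proposed two-step enrollment, written out as an added example (not balloon's own code): the first PATCH only mints and returns a pending secret, and multi_factor_auth flips to true only once a correct TOTP code (RFC 6238, HMAC-SHA1, 30 s step, one step of clock drift tolerated) is validated against that pending secret. The method names mirror the two fields from the report; the User class and its field names are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time, as an authenticator app computes it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class User:
    """Hypothetical server-side user record showing the proposed enrollment state machine."""
    def __init__(self):
        self.multi_factor_auth = False   # what the API reports; stays False until validated
        self._secret = None              # confirmed secret used for logins
        self._pending_secret = None      # minted by PATCH but not yet proven with a code

    def patch_multi_factor_auth(self) -> str:
        """PATCH multi_factor_auth:true as proposed: generate and return a base32 secret,
        but do NOT enable 2fa yet, so losing the secret here cannot lock the user out."""
        self._pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self._pending_secret

    def patch_multi_factor_validate(self, code: str, now=None, window: int = 1) -> bool:
        """PATCH multi_factor_validate: enable 2fa only if the code matches the pending secret."""
        if self._pending_secret is None:
            return False                 # nothing to confirm; no enrollment in progress
        now = int(time.time()) if now is None else now
        key = base64.b32decode(self._pending_secret)
        for drift in range(-window, window + 1):   # tolerate +/- one 30 s step of clock skew
            if hmac.compare_digest(totp(key, now + drift * 30), code):
                self._secret, self._pending_secret = self._pending_secret, None
                self.multi_factor_auth = True
                return True
        return False                     # wrong code: secret stays pending, 2fa stays off
```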
Environment
Context
See web ui https://github.com/gyselroth/balloon-client-web/issues/298