hanakoa / alpaca

Containerized Go µServices for authentication and authorization.
https://hanakoa.github.io/alpaca/
MIT License

MFA: how can user trigger a resend such that only they can do so? #48

Closed kevinmichaelchen closed 6 years ago

kevinmichaelchen commented 6 years ago

It's not enough to say trigger a resend with just a phoneNumber and personId, since this would let users spam-text each other.

Perhaps in order to trigger a resend, the client also needs to send along the ID of a valid 2FA code. When a user logs in, the auth µService checks to see if they have 2FA enabled and then makes a grpc request to the mfa service. The mfa service sends an SMS and returns a grpc response containing the uuid PK of the created 2FA code. The client now has proof that they successfully authenticated and triggered the transmission of the first 2FA code; so we can safely let them trigger resends, as long as they provide the uuid code.

There's not a good RESTful way to do that, is there? http POST /mfa code=$uuid

kevinmichaelchen commented 6 years ago

When a user gets prompted for MFA, we send back the client a random/unguessable UUID, which ensures that only that client can trigger resends.
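As an added example (not alpaca's own code), a minimal Go sketch of the scheme discussed in this thread: the mfa service hands back an unguessable challenge ID when the first code is sent, and a resend is honoured only for a live ID bound to the same person, delivered to the stored number, with a rate limit on top so the holder cannot flood the phone either. The names (Store, Begin, Resend), the 128-bit hex token standing in for the uuid PK, and the limits (3 sends, 30 s apart, 10 minute expiry) are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// challenge is one pending 2FA delivery. id is the unguessable handle returned at login that
// the client must present to resend; the phone number is never taken from the client again.
type challenge struct {
	id, personID, phone, code string
	sends                     int
	lastSend, expires         time.Time
}

// Store keeps pending challenges (a table in the real mfa service); Sent stands in for the SMS gateway.
type Store struct {
	byID map[string]*challenge
	Sent []string // one "phone:code" entry per delivery
}

func NewStore() *Store { return &Store{byID: map[string]*challenge{}} }

// token returns 128 bits from crypto/rand, which another user cannot guess (assumed in place of a UUID).
func token() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return hex.EncodeToString(b)
}

// Begin runs after the password check passed: create the code, send it once, return the ID that alone authorizes resends.
func (s *Store) Begin(personID, phone string, now time.Time) string {
	c := &challenge{id: token(), personID: personID, phone: phone, code: token()[:6],
		sends: 1, lastSend: now, expires: now.Add(10 * time.Minute)}
	s.byID[c.id] = c
	s.Sent = append(s.Sent, c.phone+":"+c.code)
	return c.id
}

var ErrDenied = errors.New("resend denied")

// Resend re-delivers the same code only for a live ID bound to personID, throttled (3 sends, 30s apart).
func (s *Store) Resend(id, personID string, now time.Time) error {
	c, ok := s.byID[id]
	if !ok || c.personID != personID || now.After(c.expires) ||
		c.sends >= 3 || now.Sub(c.lastSend) < 30*time.Second {
		return ErrDenied // forged ID, wrong person, expired, or too many/too fast: no SMS goes out
	}
	c.sends++
	c.lastSend = now
	s.Sent = append(s.Sent, c.phone+":"+c.code)
	return nil
}
```

Because Resend looks up the phone from the stored challenge, a client cannot direct a text at someone else's number even with a valid ID of their own.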