Closed ezekg closed 3 years ago
When generating tokens, accounts with 2FA should require an OTP, e.g.:
```sh
curl -X POST https://api.keygen.sh/v1/accounts/afe5587d-a3d9-4669-919b-db55f448dc17/tokens \
  -H 'Content-Type: application/vnd.api+json' \
  -H 'Accept: application/vnd.api+json' \
  -u '{EMAIL}:{PASSWORD}'
```
HTTP 422
```json
{
  "errors": [
    {
      "title": "Two-factor authentication token required",
      "detail": "must be a valid 2FA token",
      "code": "2FA_REQUIRED",
      "source": {
        "pointer": "/meta/otp"
      }
    }
  ]
}
```
```sh
curl -X POST https://api.keygen.sh/v1/accounts/afe5587d-a3d9-4669-919b-db55f448dc17/tokens \
  -H 'Content-Type: application/vnd.api+json' \
  -H 'Accept: application/vnd.api+json' \
  -u '{EMAIL}:{PASSWORD}' \
  -d '{
    "meta": {
      "otp": "123456"
    }
  }'
```
HTTP 201
```json
{
  "data": {
    "id": "6a7562be-b302-43d2-a550-30d6026247aa",
    "type": "tokens",
    …
  }
}
```
U2F might be a better (and cheaper) option here.
I think we can use Authy without Twilio, i.e. for free. The QR code needs to contain this data:
`otpauth://totp/zeke%40keygen.sh?secret=SECRET&issuer=Keygen`
Here's a good lib: https://github.com/mdp/rotp.
Not sure how to add our logo yet, though.
Would need to adjust the token creation flow to ask for a 2-factor code before issuing a token, which is kind of weird and non-RESTful but idk any other way.
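An added example, not Keygen's code and not using rotp, that shows the server-side check behind the proposed `meta.otp` step in plain Ruby with OpenSSL: it builds the `otpauth://` URI quoted above, computes RFC 6238 codes, verifies a submitted OTP in constant time within a one-step drift window, and maps the result to the 201/422 outcomes in the issue. The `otp_secret` field and the `token_request_status` helper are assumptions; the secret is the published RFC 6238 test key, not a real one.

```ruby
require 'openssl'
require 'uri'

BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
# RFC 6238 test key "12345678901234567890", base32-encoded (a published test vector, not a real secret).
RFC_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze

# Provisioning URI for the QR code, in the form quoted in the issue.
def otpauth_uri(email:, secret:, issuer: 'Keygen')
  label = URI.encode_www_form_component(email) # zeke@keygen.sh -> zeke%40keygen.sh
  "otpauth://totp/#{label}?secret=#{secret}&issuer=#{URI.encode_www_form_component(issuer)}"
end

def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32.index(c) or raise ArgumentError, "invalid base32 char #{c.inspect}"
    idx.to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*') # drop any trailing partial byte
end

# RFC 4226 HOTP with dynamic truncation; TOTP is HOTP over a 30 s time counter (RFC 6238).
def hotp(secret_b32, counter, digits: 6)
  h = OpenSSL::HMAC.digest('SHA1', base32_decode(secret_b32), [counter].pack('Q>')).bytes
  off = h[19] & 0x0f
  code = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3]
  (code % 10**digits).to_s.rjust(digits, '0')
end

def totp(secret_b32, at: Time.now.to_i, step: 30)
  hotp(secret_b32, at / step)
end

# Constant-time compare so a wrong OTP fails at the same speed regardless of matching prefix.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Accept the current step plus one step either side to absorb client/server clock drift.
def verify_otp(secret_b32, otp, at: Time.now.to_i, step: 30, drift: 1)
  return false unless otp.is_a?(String) && otp.match?(/\A\d{6}\z/)
  (-drift..drift).any? { |d| secure_equal?(totp(secret_b32, at: at + d * step, step: step), otp) }
end

# Assumed decision for POST /tokens; the 422 case mirrors the error body shown in the issue.
def token_request_status(account, otp, at: Time.now.to_i)
  return { status: 201 } if account[:otp_secret].nil?            # 2FA not enrolled
  return { status: 201 } if verify_otp(account[:otp_secret], otp, at: at)
  { status: 422, code: '2FA_REQUIRED', pointer: '/meta/otp' }
end
```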