sfbrigade / bats-server

Routed is an app to help ambulances direct non-critical patients to hospital emergency rooms with the most availability.
https://routedapp.org/
GNU Affero General Public License v3.0

User can sign in using email and password and two-factor code using email #285

Closed francisli closed 1 year ago

holliskuang commented 1 year ago

Happy to look into this!

holliskuang commented 1 year ago

A few thoughts here:

  1. It looks like we are currently using passport-local for auth; we can add passport-totp on top of this for two-factor auth.

  2. We can create a secret value and store it in the db, associating it with the user. Each login, a new value will be created to override the previous one. I think passport-totp allows you to set/handle time-out periods, so there wouldn't be a need to store a timestamp to compare with.

  3. We can set up nodemailer (zero dependencies!) to send out an email containing this secret value; we are likely going to need to set up some type of email sender regardless of whether we are interested in reset password functionality.

Of course, I am not too familiar with best design practices so please let me know if there are better ways to do this.

francisli commented 1 year ago

So, if we want to start with email-based two-factor, would we still use passport-totp to manage the secret key/code? It looks like you may need to store a "period" value related to timeouts in addition to a key?

I think adding nodemailer into the server sounds good, so we can use it for reset password, etc.

I think this seems like a fine straightforward approach...!