Anyone implemented two-factor authentication in a Wappler-made website?

Anyone implemented two-factor (not SMS) authentication in a Wappler-made website? I'm using NodeJS, but if you're using something else (e.g. PHP) feel free to comment as well.

P.S.: Without reliance on third-party services

Howdy :slight_smile:

We have implemented 2FA with a code sent via SMS or email.

We choose not to use code-generator 2FA like an Authenticator app as it was too complex and time consuming to implement quickly. Maybe we’ll start on it in a few months time.

However, for various reasons we have constructed our app a little differently and don't use Wappler's built-in security provider for authentication. We've created our own endpoints to handle a custom JWT setup.

That's made it a lot easier to implement our 2FA, which works like this:

  1. The user is authenticated with their username and password.
  2. If successful, a one-time code is sent to their email/SMS. The one-time code is stored in a db table and has an expiry time. At this point the user isn't logged in yet but receives a temporary token.
  3. The user then has x minutes to enter the correct 2FA code.
  4. When the user enters the code, another endpoint is called to check that the one-time code and temporary token are valid. If both are valid, it returns the final session token for JWT.

We have a few other checks and security things that happen in-between but that should give you a good overview. Hope it helps.

2 Likes

I did this in node on a project a couple years ago. It used an open source node library that managed the generation of QR code, validation of code, etc. It wasn’t a big deal to implement.

Just released OneSignal Integration extensions if that is any help, but that is of course a 3rd party integration.

Will be releasing the SMS and email videos in the next few days.

3 Likes

I got to 95% done creating a Wappler extension to do this (PHP) without any third party requirements but hit a wall with getting the extension to work and gave up on it. Would still love to have it working as I'm sure it would benefit many people. It was based on the 2FA standards used by Google Authenticator, etc.

1 Like

I just wrote an extension that handles 2fa with authentication apps.

1 Like

For which server models?

NodeJS

I guessed it would be. Hopefully I'll get my PHP extension done at some point, as I'm sure there are plenty of PHP devs who would benefit from it.

I've done this with a third party. But I also created a 2-factor email verification. Pretty simple.

Here's how I set up the random string to send them:

{{TIMESTAMP.md5('SALT').uppercase().replace('O', 0).trunc(5, true, 2)}}

That ends up with an almost-random un-guessable 5 character code.

I also have some security above this, but it looks like:

Basically:

  1. Grab the user's info from the Database.

  2. Set my un-guessable 5 character code.

  3. Update my Database which sets the 5-character code and the date/time of when it was set (because later when they submit it, I'll check and make sure it's been less than 10 minutes).

  4. Set the user's first and last name.

  5. Send the email that contains the code and their name.

  6. Output the time it was sent to the browser so that we can do a countdown, or indicator.

3 Likes

Also an extension for more complex 2fa codes here.