How to delay session creation in Rodauth until 2FA confirmation?

[Halvanhelv]

Hello, janko Janko Marohnić

I'm using Rodauth in my Rails application and trying to implement a two-factor authentication (2FA) mechanism. Using this guide, I've added a 2FA step on my main page in the form of a sidebar.

Here's my problem: When a user enters their login and password, a session is created before the user confirms 2FA. If the user doesn't confirm 2FA and tries to refresh the page or navigate to another page, they are redirected to '/otp-auth'. I want to avoid this redirection and have the user's session not be created until they confirm 2FA.

I've tried implementing it this way, but without success:

class ApplicationController < ActionController::Base
  before_action :check_two_factor_authentication

  private

  def check_two_factor_authentication
    if rodauth.logged_in? && rodauth.uses_two_factor_authentication? && request.path != '/otp-auth'
      rodauth.logout
    end
  end
end

Here's the code I'm using to display 2FA on the sidebar:

otp_auth_view {
  rails_render(
      template: "rodauth/otp",
    turbo_stream: [
      rails_controller_instance.turbo_stream.replace('sidebar_rodauth', partial: 'rodauth/shared/otp_auth'),
      rails_controller_instance.turbo_flashes
    ]
  )
}

I'm curious if there's a way to configure Rodauth such that the session creation is delayed until 2FA confirmation, and how to do it? Any tips or directions would be greatly appreciated.

Thank you in advance for your help.

[janko]

Your approach looks like it's on the right path. Note that rodauth.logged_in? will return true when the user is authenticated with both 1 and 2 factors, but you want to handle only the case where they're authenticated with 1st factor. Adding && !rodauth.two_factor_authenticated? to the conditional should work IMO.

[Halvanhelv]

It seems to be too difficult to implement because I can not understand when a user enters a failed totp and when the user tries to refresh the page browser has not entered totp and it is not clear when to delete the session and when you just need to re-render the form (there are multiple redirects the same as opposed to a simple login, for example)

• I think if you enter a login and password and then close the site and open it, the user will be authorized, that is, this is a fundamental problem of sequence of actions

rodauth forces user to authorize and then enter totp, which I found strange behavior

Do you have a quick recipe to solve this problem or is it still in the core library?

Thank you for your help

[janko]

Rodauth keeps 1st factor authentication decoupled from 2nd factor, this way it continues working exactly the same as when the user is not using 2FA, so no special cases need to be handled for 1st factor. Moreover, this design allows things like requiring 2FA only for certain routes (albeit rare use case). So, 2FA has been built as an addition, but I agree the default flow isn't ideal.

I was able to make it work in the official demo app by also redirecting from login straight to 2FA page:

class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    login_redirect { uses_two_factor_authentication? ? two_factor_auth_required_redirect : "/" }
    login_notice_flash { uses_two_factor_authentication? ? nil : super() }
  end
end

class ApplicationController < ActionController::Base
  before_action :check_two_factor_authentication

  private

  def check_two_factor_authentication
    if rodauth.logged_in? && rodauth.uses_two_factor_authentication? && !rodauth.two_factor_authenticated? && !two_factor_auth_path?
      rodauth.logout
    end
  end

  def two_factor_auth_path?
    [
      rodauth.two_factor_auth_path,
      rodauth.otp_auth_path,
      # rodauth.sms_auth_path,
      # rodauth.recovery_auth_path,
      # rodauth.webauthn_auth_path,
      # rodauth.webauthn_auth_js_path,
    ].include?(request.path)
  end
end

Note that I needed to comment out login_return_to_requested_location? true and two_factor_auth_return_to_requested_location? true, as it messes up with the redirect.

[Halvanhelv]

I tried to repeat this in the demo app, but the condition for rodauth.logout did not work for some reason

login_return_to_requested_location and two_factor_auth_return_to_requested_location I commented

The behavior is the same as the default 😔

[janko]

I just remembered that in the demo app I needed to comment out these lines in app/misc/rodauth_app.rb as well, which would cause the check_two_factor_authentication callback to be skipped:

    if rodauth.uses_two_factor_authentication?
      rodauth.require_two_factor_authenticated
    end

If it still doesn't work, it would be worth reproducing it in a fresh Rails app.

[janko]

I discussed this with Jeremy in jeremyevans/rodauth#348, and he provided some good points why Rodauth remembers 1st factor even when 2nd factor auth was aborted.

TL;DR Apps like GitHub and HEY also remember the 1st factor, but they hide it by redirecting you to the login page, making it appear as if though you need to re-authenticate with 1st factor, which isn't honest because it gives an illusion that you're logged out.