Hello!
Strapi doesn’t provide this feature by default but thanks to the customization, you will be able to create it by yourself.
Then, how could it work?
Well, based on the current process, instead of having the JWT and user info as the response of /auth/local,
you want this route to send an SMS to the user.
And you want a way to validate the code received by SMS.
Here is the customization concept you will have to follow:
https://strapi.io/documentation/v3.x/concepts/customization.html#plugin-extensions
Here I will make it simple, but the most important thing is to understand the logic so that you can then improve the system if needed.
- Create a new number field in your User model.
  You will use the Content Type Builder plugin to do that.
  Call this field `code`, for example.
- Do not send the JWT as the response of the auth route, but generate a code instead.
  Here is the code you will have to replace: strapi/Auth.js at master · strapi/strapi · GitHub
  Here you will have to generate a code and update the current user with this code.

  ```js
  // store the generated code on the current user record
  await strapi.query('user', 'users-permissions').update({ id: user.id }, { code: 123456 });
  ```

  Then write the code to send a text message to the user (I suppose the user will have a `phone` field).
  So with `user.phone` you will get the phone number, and by installing and configuring the node module you want to use to send text messages, you will be able to send a text message containing the code.
  Then, in the response of the API, send the `user.id`; we will use it to match the code and the user ID.
- Create a route to match your user ID and the code to get the JWT and user information.
  To do that, you can follow this documentation: https://strapi.io/documentation/v3.x/concepts/routing.html#routing
  You will have to create a POST route that receives the user ID and the code as parameters.
  You can create this route in the users-permissions plugin by following the customization docs I linked previously.
  In your controller function you will have to execute this request:

  ```js
  // read the user ID and the code sent by the client
  const { id, code } = ctx.request.body;
  // the user is only found when both the ID and the code match
  const user = await strapi.query('user', 'users-permissions').findOne({ id, code });
  ```

  In `user` you will have the user (if the info you sent is correct).
  So do some validation here and finally, send the auth info like it's done here:

And here it is, you have the 2-step authentication with a text message.