Hi. I have a question regarding TOTP 2FA authentic...
# generaln
Nik
03/25/2024, 3:34 PMHi. I have a question regarding TOTP 2FA authentication.
We current use SMS and Email for sending out 2FA code, however we want to add option of Auth app to our applications.
Applications we have use different technologies - WinForms, Asp.Net, Vue etc.
Looking at the documentation, it seems that the way TOPT has been implemented, there is no way for us to get a stream of the QR code from the ST sdk?
r
rp_st
03/25/2024, 3:50 PMHey @Nik what do you mean by stream of the QR code?
rp_st
03/25/2024, 3:51 PMWe give you the string representation of it on the frontend, and that can be used to render a QR code using some lib
rp_st
03/25/2024, 3:51 PM(Assuming you are using custom UI)
n
Nik
03/25/2024, 3:56 PMYeah essentially I need to get the QR code value and then display it on custom UI.
So is it createDevice that I need to call withing NodeSDK and if successful, it will return the qrCodeString?
r
rp_st
03/25/2024, 4:03 PMYes
rp_st
03/25/2024, 4:03 PMWe have an api for it exposed to the frontend
rp_st
03/25/2024, 4:03 PMIt’s there in our MFA docs.
rp_st
03/25/2024, 4:05 PMrp_st
03/25/2024, 4:05 PMAnd click on custom UI in the blue box on the right
n
Nik
04/03/2024, 7:32 AMHi.
I am starting to implement this into our UI/API.
Calling totp.CreateDevice directly and generating the QR code on our own UI(winforms). 1 thing that I would like to change is the label that is displayed in the auth app. Currently it is always prepended with SuperTokens: ... is there a way to change this?
r
rp_st
04/03/2024, 7:34 AMI think the label is based on the appName config you have given on the backend in supertokens.init.
rp_st
04/03/2024, 7:35 AMWhat’s the value of that that you have given?
n
Nik
04/03/2024, 7:36 AMah that was it. had to ovvertide the issuer in the init call 🙂
Nik
04/03/2024, 7:36 AMthank you
r
rp_st
04/03/2024, 7:37 AMright!
rp_st
04/03/2024, 7:37 AMso the appName you had set was "SuperTokens: ..."?
n
Nik
04/03/2024, 7:37 AMit defaults to supertokens when there is no overide.
r
rp_st
04/03/2024, 7:37 AMappName? i dont think so
n
Nik
04/03/2024, 7:38 AMissuer
r
rp_st
04/03/2024, 7:38 AMthe value in the totp app should be the appName you have set by default
rp_st
04/03/2024, 7:38 AMso what is the appName you have set?
n
Nik
04/03/2024, 7:39 AM Copy code
qrCodeString: 'otpauth://totp/Rotamaster:nikitaNik
04/03/2024, 7:40 AMand that is what is shown in the auth app as the label
r
rp_st
04/03/2024, 7:40 AMoh yea, but, by default, if no issuer is specified in totp.init by you, it uses the appName config
rp_st
04/03/2024, 7:40 AMrp_st
04/03/2024, 7:41 AManyway, setting the issuer explicitly also works
n
Nik
04/03/2024, 7:43 AMah i see, it's not set 🙃
r
rp_st
04/03/2024, 8:09 AMhmm. I think it's a necessary config
n
Nik
04/03/2024, 9:23 AMafter CreateDevice, I should call verifyDevice(one off call after adding device), and after that i can use verifyTOTP when user signs in, right?
r
rp_st
04/03/2024, 9:57 AMyes
n
Nik
04/03/2024, 11:59 AMhmm. scrugling to get this to work.
So what i am doing if the following:
-Sign in, get the st-access-token - This is fine.
-call totp.CreateDevice - Don't pass through device name, one gets generated by ST I assume(TOTP Device 0). UserId is retrieving from session - this works fine. I also update user metadata to record device name
-Using the qr string, i add the device to my auth app(tried both google and microsoft)
-Call totp.VerifyDevice - tenant and user id are retrieved from session, device name from metadata(shows as TOTP Device 0). - but I always get the status: 'INVALID_TOTP_ERROR' error
r
rp_st
04/03/2024, 12:00 PMYou don’t need to store the device name in metadata
rp_st
04/03/2024, 12:00 PMYou can just store that in the browser on the frontend in memory
rp_st
04/03/2024, 12:01 PMHave you followed along these docs? https://supertokens.com/docs/mfa/totp/totp-for-all-users
n
Nik
04/03/2024, 1:01 PMyeah. multi tenant, only for users that have enabled TOTP on their account.
Unfortunately I cannot get the device verification to work though
r
rp_st
04/03/2024, 1:02 PMcan you share some code? How are you calling the veirfyDevice function?
Also, can you print out the input to the function on console log just to make sure it's what you expect?
rp_st
04/03/2024, 1:03 PMAlso, can you enable backend debug logs (https://supertokens.com/docs/thirdpartyemailpassword/troubleshooting/how-to-troubleshoot) and share the output when this API is called?
rp_st
04/03/2024, 1:03 PM(i mean when the createDevice API is called)
rp_st
04/03/2024, 1:14 PMIm also happy to jump on a debugging call if that helps. Im quite curious as to what's going on
n
Nik
04/03/2024, 2:08 PM Copy code
com.supertokens {t: "2024-04-03T14:06:01.992Z", message: "core-call: POST https://login-supertokens-ppe-nightly.rotamasterweb.co.uk/leaveplus-testing/recipe/totp/device/verify", file: "C:\_iqusdev\dev.supertokens.api\node_modules\supertokens-node\lib\build\querier.js:390:26" sdkVer: "17.0.0"} +0ms
{
status: 'INVALID_TOTP_ERROR',
currentNumberOfFailedAttempts: 2,
maxNumberOfFailedAttempts: 5
}r
rp_st
04/03/2024, 2:08 PMI’d be happy to investigate why this is happening over a call
rp_st
04/03/2024, 2:08 PMCan we get on zoom now?
n
Nik
04/03/2024, 2:09 PMlet me download zoom
r
rp_st
04/03/2024, 2:09 PMOk
n
Nik
04/03/2024, 2:13 PMsent you meeting link in DM
r
rp_st
04/03/2024, 2:14 PMOk thanks
rp_st
04/03/2024, 2:35 PM@Nik , you can also see the curl commands for making API calls to our APIs in our docs, if you click on the mobile tab instead of web tab wherver you see frontend related code snippets.
4 Views