I am using django version 3.2.4 in combination with Django Rest Framework. I also use https://github.com/jazzband/djangorestframework-simplejwt for JWTs.
Problem: I need to enable Two Factor Authentication in the following way.
- User uses an endpoint that he submits his username & password. He receives back a jwt token that includes in a claim the verification code he needs to enter hashed. At the same time an email with this code goes to his email.
- Once the user receives the email he posts in another enpoint the verification code received and the jwt token he received in the previous step.
- If the code the user submitted matches the hashed code then he obtains the jwt token that it will be used in the subsequent requests.
P.S. Any other ideas, that achieve something similar with the above are welcomed.
The way I would approach this is by adding a confirmation_code field to user model and handle login using one view with two cases:
1st case, I have username and password in request but no code, after checking username and password, I would create manually and return a short lived access token only without refresh token (which would expire in 3 minutes for example), I'd create a confirmation code, save it in db and send it via mail or sms etc...
2nd case the user posts the received confirmation code using the access token in the request, but no username and password, this way I'd be sure the user has an available access token and confirmation code, I would then return access token and refresh token as usual, in this step I would blacklist the access token after login is confirmed.