Generating a test QRCode that can be reused

I'm using this library for 2 factor auth: https://github.com/speakeasyjs/speakeasy

I'm using this QR Code library: https://www.npmjs.com/package/qrcode

In dev mode, I seed the database with a test user. But I'm on a team and now that 2FA is implemented, people need to pass in a 2FA token to log in with this user. Is there a way I could generate a QR Code for this test user that can be reused by everyone on the team? That way, they just scan it into their phone and use the token.

I tried the naive way: I generated a QR Code, saved it as an image, and put it in the README. It works fine for me, but when anyone else tries to scan it, it says "Invalid Barcode" in Google auth. Something that's confusing is I can delete it from Google auth and scan it again without issue, even though nobody else can. I assume this means the QR Code is only usable by one device?

I could just say you don't have to use 2FA if you're in dev mode, but I really don't like that route: it's a security bug waiting to happen. Someone could start prod in dev mode by accident.

Here's my code:

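const speakeasy = require('speakeasy');
const QRCode = require('qrcode');

// Build the otpauth:// URL for the secret and render it as a QR code data URL.
// Defined before use: a const arrow function cannot be called above its declaration.
const generateQRFromSecret = ({ secret, label, issuer }) =>
  new Promise((resolve, reject) => {
    const otpAuthUrl = speakeasy.otpauthURL({
      secret,
      label,
      issuer,
      encoding: 'base32', // the secret is passed in as a base32 string
    });
    QRCode.toDataURL(otpAuthUrl, (err, dataUrl) => {
      if (err) {
        reject(err);
      } else {
        resolve(dataUrl);
      }
    });
  });

// Resolves to a data: URL containing the QR code image.
generateQRFromSecret({
  secret: 'secret',
  label: 'label',
  issuer: 'issuer',
});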

UPDATE: Android phones seem to be able to read the QR Code fine. It's iPhones that can't.

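A check that could be run on the seeded user's otpauth URI before its QR code goes into the README, as an added example that is not part of the original post: it validates the `secret` parameter against a strict reading of the Key URI format (RFC 4648 base32, upper-case, no padding) and computes the current token from the fixed secret so teammates can compare it with what their phones show. The function names and `DEV_SECRET` are assumptions; the sample secret is the RFC 6238 test key, and the upper-case requirement is a strictness choice made here.

```javascript
const crypto = require('crypto');

// Decode a secret under a strict reading of the Key URI format: RFC 4648 base32,
// upper-case, no '=' padding. Throws on anything else.
function decodeBase32Strict(secret) {
  if (!/^[A-Z2-7]+$/.test(secret)) {
    throw new Error('secret is not unpadded upper-case base32 (A-Z, 2-7)');
  }
  if (![0, 2, 4, 5, 7].includes(secret.length % 8)) {
    throw new Error('secret length is not a valid base32 length');
  }
  let bits = 0, value = 0;
  const out = [];
  for (const ch of secret) {
    value = (value << 5) | 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.indexOf(ch);
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits: the usual authenticator defaults).
function totp(secret, timeMs = Date.now(), step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(timeMs / 1000 / step)));
  const mac = crypto.createHmac('sha1', decodeBase32Strict(secret)).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}

// Return a list of problems with an otpauth:// URI; an empty list means it passed.
function checkOtpauthUri(uri) {
  const u = new URL(uri);
  const problems = [];
  if (u.protocol !== 'otpauth:' || u.hostname !== 'totp') problems.push('not an otpauth://totp/ URI');
  try { decodeBase32Strict(u.searchParams.get('secret') || ''); } catch (e) { problems.push(e.message); }
  return problems;
}

// Constructed dev-only value: the RFC 6238 test key, base32-encoded.
const DEV_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
console.log(checkOtpauthUri(`otpauth://totp/issuer:label?secret=${DEV_SECRET}&issuer=issuer`));
console.log('current token:', totp(DEV_SECRET));
```

Because the token depends only on the secret and the clock, every device that imports the same URI shows the same six digits as `totp(DEV_SECRET)` for the current 30-second window.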