[SOLVED] 2FA Login: Pass Username Before User is Logged in?

In the draft docs for Meteor 2FA, the following code is provided:

<button
  onClick={() => {
    Accounts.has2faEnabled(username, (err, isEnabled) => {
      if (err) {
        console.error("Error verifying if user has 2fa enabled", err);
        return;
      }

      if (isEnabled) {
        // send user to a page or show a component
        // where they can provide a 2FA code
        setShouldAskCode(true);
        return;
      }

      // Normal login when they don't have 2FA enabled.
      Meteor.loginWithPassword(username, password, (error) => {
        if (error) {
          console.error("Error trying to log in (user without 2fa)", error);
        }
      });
    });
  }}
>
  Login
</button>

It also says:

If the user has 2FA enabled, and you try to use the function Meteor.loginWithPassword, the login will fail, as the user should provide a code to access the app.

The function you will need to call now to allow the user to login is Meteor.loginWithPasswordAnd2faCode.

It sounds like we’re supposed to call Accounts.has2faEnabled before the user has logged in. But if the user has not logged in, how can we provide username to Accounts.has2faEnabled?

UPDATE: Hmmm… Do I first put up a login dialog asking for username and password, and then check to see if they have 2FA enabled, and only then log them in - after getting their authenticator code if they have 2FA enabled?

2 Likes

I’m pretty surprised this is the direction they’re going. Seems like a massive security flaw allowing anyone to query whether an account has 2fa enabled. Even with rate limiting this is pretty bad.

I’d advise you not to do it this way. Instead, do a regular login and after validating that the password is correct, throw a specific error indicating that 2fa is required. The user then resubmits the username, password and 2fa code to login.

3 Likes

Hi @vikr00001, yes, that’s the flow we thought of. You first ask for the username and password, then check if they have 2FA enabled.

But @znewsham has a point, this could lead to a security threat. We'll think about this flow again and change it ASAP. I will let you know as soon as a new beta is released with the new version.

4 Likes

Rock on @denyhs and @znewsham! Meteor 2FA is a fantastic new feature.

1 Like

Hi,

The fix for this is already out in version 2.7-rc.0. :raised_hands:

4 Likes

Is there a link yet for updated docs for this function?

I installed Meteor 2.7-rc.0, and I’m seeing this in the console log:

Accounts.generate2faActivationQrCode is not a function