2FA | Send JWT only after Login
Hello Nicu,
Amazing plugin you developed. In our current application setup, we have a two-factor authentication (2FA) system. However, I’ve noticed a potential security concern. When a user tries to authenticate via the /auth route, our system immediately generates a JWT token. This token can already be used to make API requests and perform CRUD operations without the 2FA process being completed.
My goal is to adjust this flow so that:
- A user’s credentials are first verified.
- An email is sent to the user containing a verification code.
- Only after the user provides the correct verification code should we generate a JWT token or perform an auto-login.
I’m contemplating creating a custom API route that uses wp_authenticate(). However, I’m unsure if there’s a Simple JWT hook that triggers right before the authentication process initializes. I’d like to leverage this hook to check the email verification code and, if valid, proceed with the authentication and JWT generation.
Could you advise on the feasibility of this approach or suggest any alternative methods to achieve this desired flow?
Thank you for your guidance.
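The flow the post asks for (password check first, emailed one-time code, and only then a session or token) written out as an added example for this thread; it is not code from the post or from the Simple JWT Login plugin and uses only core WordPress functions. The route namespace twofa-demo/v1, the transient key prefix, the ten-minute code lifetime and the five-attempt cap are assumptions. Because the page does not name a plugin hook for issuing the JWT, the example establishes the session with the core cookie functions and marks, in a comment, the point where a token would be issued instead.

```php
<?php
/**
 * Added example (not from the forum post or the Simple JWT Login plugin).
 * Two-step REST login: /start checks the password and mails a code but returns
 * nothing that grants API access; /verify checks the code and only then logs in.
 * Assumed: route namespace "twofa-demo/v1", transient prefix, TTL, attempt cap.
 */

const TWOFA_DEMO_CODE_TTL     = 10 * MINUTE_IN_SECONDS; // code validity window (assumed)
const TWOFA_DEMO_MAX_ATTEMPTS = 5;                      // guesses before the code is voided (assumed)

add_action( 'rest_api_init', function () {
    register_rest_route( 'twofa-demo/v1', '/start', [
        'methods'             => 'POST',
        'callback'            => 'twofa_demo_start',
        'permission_callback' => '__return_true', // public: this is the login endpoint itself
    ] );
    register_rest_route( 'twofa-demo/v1', '/verify', [
        'methods'             => 'POST',
        'callback'            => 'twofa_demo_verify',
        'permission_callback' => '__return_true',
    ] );
} );

/** Step 1: verify credentials and mail a code; hand out no cookie or token yet. */
function twofa_demo_start( WP_REST_Request $request ) {
    $user = wp_authenticate( (string) $request->get_param( 'username' ),
                             (string) $request->get_param( 'password' ) );
    if ( is_wp_error( $user ) ) {
        // One generic message so the response does not reveal which part was wrong.
        return new WP_Error( 'twofa_bad_credentials', 'Invalid credentials.', [ 'status' => 401 ] );
    }

    $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT ); // CSPRNG-backed
    // Persist only a salted hash of the code, scoped to the user, with a hard expiry.
    set_transient( 'twofa_demo_' . $user->ID, [
        'hash'     => wp_hash( $code ),
        'expires'  => time() + TWOFA_DEMO_CODE_TTL,
        'attempts' => 0,
    ], TWOFA_DEMO_CODE_TTL );

    wp_mail( $user->user_email, 'Your login code',
             "Your verification code is {$code}. It expires in 10 minutes." );

    return new WP_REST_Response( [ 'status' => 'code_sent' ], 200 );
}

/** Step 2: check the code; only after it passes is the user logged in. */
function twofa_demo_verify( WP_REST_Request $request ) {
    $user  = get_user_by( 'login', (string) $request->get_param( 'username' ) );
    $key   = $user ? 'twofa_demo_' . $user->ID : '';
    $state = $user ? get_transient( $key ) : false;

    if ( ! $user || ! is_array( $state ) || time() > $state['expires'] ) {
        return new WP_Error( 'twofa_no_challenge', 'No pending verification.', [ 'status' => 401 ] );
    }

    // A 6-digit code is only safe because guessing is capped; void it once the cap is hit.
    if ( $state['attempts'] >= TWOFA_DEMO_MAX_ATTEMPTS ) {
        delete_transient( $key );
        return new WP_Error( 'twofa_too_many', 'Too many attempts; log in again.', [ 'status' => 429 ] );
    }

    $submitted = (string) $request->get_param( 'code' );
    if ( ! hash_equals( $state['hash'], wp_hash( $submitted ) ) ) { // constant-time comparison
        $state['attempts']++;
        // Keep the original deadline; do not extend the window on each wrong guess.
        set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
        return new WP_Error( 'twofa_bad_code', 'Invalid code.', [ 'status' => 401 ] );
    }

    delete_transient( $key ); // one-time use

    // Second factor passed: establish the session. This is the point at which a JWT
    // would be generated instead of (or alongside) the cookie; that call is plugin-specific
    // and deliberately not shown here.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );

    return new WP_REST_Response( [ 'status' => 'authenticated', 'user_id' => $user->ID ], 200 );
}
```

The property the post is after is that the response to the first request carries no credential at all: the JWT (or cookie) exists only after the second request succeeds, so a stolen password alone cannot reach the CRUD endpoints. Storing the hashed code in a short-lived transient keyed by user ID, capping attempts and keeping the original expiry on failed guesses are the details that make a six-digit code workable.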