Implementing 2FA without the tokens integration (v1/v2) #728
pilcrowOnPaper started this conversation in General
With Lucia v2, we are planning to deprecate single use keys, and as such, the tokens integration (@lucia-auth/oauth). This is due to several factors:

This post details simple alternatives (not a 100% drop-in replacement, however) that are easy to extend and secure. See the examples dir in the repo for examples.

Id tokens (Verification tokens)
Database
Table columns: TEXT, BIGINT, TEXT (foreign key to user(id))
Code
You can of course use transactions, which is going to be safer.
Password tokens (one time passwords)
In general, only a single valid password should exist for each user (per use case).
Database
This uses a compound/composite key where the combination of password and user_id makes a unique key. You can alternatively use <user_id>:<password> as the id.
Table columns: TEXT, TEXT (foreign key to user(id)), TEXT
Code
You can of course use transactions, which is going to be safer.
Verification links
This implementation re-sends the same email verification link if an hour (expiration / 2) hasn't passed since the token was generated. It can be used for email verification and password reset links. You should still implement rate limiting, but this approach reduces the number of tokens stored.
Email verification
Password reset
One time passwords
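The three patterns above (single-use id tokens, one valid one-time password per user, and re-sending an existing verification link while more than half of its lifetime remains) as an added TypeScript example. This is not code from the post or from the Lucia repo: it assumes in-memory Maps standing in for the database tables, a constructed 2-hour expiration (so expiration / 2 is the one hour the post mentions), and function names chosen here for illustration.

```typescript
import { randomBytes, randomInt } from "node:crypto";

// Constructed in-memory stores standing in for the two tables in the post.
type IdToken = { id: string; expires: number; userId: string };
type PasswordToken = { userId: string; password: string; expires: number };

const idTokens = new Map<string, IdToken>(); // keyed by token id
const passwordTokens = new Map<string, PasswordToken>(); // keyed by `${userId}:${password}` (the composite key)

// Assumed lifetime: 2 hours, so "expiration / 2" is one hour as in the post.
const EXPIRES_IN_MS = 2 * 60 * 60 * 1000;

// Id token: random, unguessable id stored with its expiry and owner.
function generateIdToken(userId: string, now: number = Date.now()): string {
  const id = randomBytes(32).toString("hex");
  idTokens.set(id, { id, expires: now + EXPIRES_IN_MS, userId });
  return id;
}

// Verification link: reuse the user's existing token if more than half of its
// lifetime is left, otherwise mint a new one. Fewer rows, same link in the email.
function generateVerificationToken(userId: string, now: number = Date.now()): string {
  for (const token of idTokens.values()) {
    if (token.userId === userId && token.expires - now > EXPIRES_IN_MS / 2) {
      return token.id;
    }
  }
  return generateIdToken(userId, now);
}

// Single use: the token row is deleted on first presentation, valid or not,
// and the user id is returned only if it had not expired.
function validateIdToken(id: string, now: number = Date.now()): string | null {
  const token = idTokens.get(id);
  if (!token) return null;
  idTokens.delete(id);
  if (now >= token.expires) return null;
  return token.userId;
}

// One-time password: only a single valid password may exist per user, so any
// earlier password for that user is removed before the new one is stored.
function generateOneTimePassword(userId: string, now: number = Date.now()): string {
  for (const [key, token] of passwordTokens) {
    if (token.userId === userId) passwordTokens.delete(key);
  }
  const password = randomInt(0, 1_000_000).toString().padStart(6, "0");
  passwordTokens.set(`${userId}:${password}`, { userId, password, expires: now + EXPIRES_IN_MS });
  return password;
}

// Lookup by the composite key (user_id, password); consumed on first use.
function validateOneTimePassword(userId: string, password: string, now: number = Date.now()): boolean {
  const key = `${userId}:${password}`;
  const token = passwordTokens.get(key);
  if (!token) return false;
  passwordTokens.delete(key);
  return now < token.expires;
}
```

With a real database the delete-then-check steps in each validate function are the part to wrap in a transaction, as the post notes, so two concurrent requests cannot both consume the same token.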