This repository has been archived by the owner on Apr 3, 2019. It is now read-only.

TOTP Session Verification API #301

Closed
vbudhram opened this issue Feb 5, 2018 · 2 comments

@vbudhram
Contributor

vbudhram commented Feb 5, 2018

Broken out of #297, this issue tracks the items needed to verify a session using TOTP. Once the auth-server has validated the TOTP code, this method is called to verify the session and set the verification method, etc.

Alter Tables

Sessions Table

| Column | Description | Options | Datatype |
|---|---|---|---|
| verificationMethod | method used to verify session, e.g. email, email-2fa, totp-2fa | NULL | BIGINT UNSIGNED |
| verifiedAt | date session was verified | NULL | BIGINT UNSIGNED |
| mustVerify | whether or not session needs to be verified before | NULL | BOOLEAN |

TOTP Table

| Column | Description | Options | Datatype |
|---|---|---|---|
| verified | token has been verified with a code | NULL | BOOLEAN |
| enable | TOTP is enabled/disabled | NULL | BOOLEAN |

New stored procedures

.updateTotpToken(uid, data)

.verifySessionWithMethod(uid, options)

Parameters:

  • uid - (Buffer16) the uid of the account
  • options - (Object) options
    • verificationMethod - email, email-2fa, totp-2fa
    • sessionTokenId - session

Returns:

  • resolves with:
    • an empty object {}
  • rejects with one of:
    • error.notFound()
    • error.invalidCode()
    • any error from the underlying storage engine

New endpoints

Verify Session from TOTP Code

  • Method : POST
  • Path : TBD
    • uid : hex128
    • tokenVerificationId : hex128
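An in-memory model of the `verifySessionWithMethod(uid, options)` contract above, added here as an illustration and not the project's own code. The `error` factory shape, storing the method as a small integer code, and hex-string map keys standing in for the Buffer ids are assumptions; the TOTP code check itself happens in the auth-server before this call and is not modelled.

```javascript
// Added example (not fxa-auth-db code): models the verifySessionWithMethod
// contract from this issue against an in-memory sessionTokens table.
// Assumptions: `error.notFound()` shape, integer method codes, hex map keys.
const VERIFICATION_METHODS = { email: 0, 'email-2fa': 1, 'totp-2fa': 2 };

const error = {
  notFound: () => Object.assign(new Error('Not Found'), { errname: 'notFound' }),
};

// Constructed sample store: one account with a single session that still
// has mustVerify set (the sessionTokens columns proposed in the issue).
function makeStore() {
  const store = { sessionTokens: new Map() };
  store.sessionTokens.set(Buffer.alloc(32, 0x02).toString('hex'), {
    uid: Buffer.alloc(16, 0x01).toString('hex'),
    verificationMethod: null,
    verifiedAt: null,
    mustVerify: true,
  });
  return store;
}

// Synchronous core: returns {} on success, throws on failure.
// `now` is injectable so the verifiedAt value is deterministic in tests.
function applySessionVerification(store, uid, options, now = Date.now()) {
  const method = VERIFICATION_METHODS[options.verificationMethod];
  if (method === undefined) {
    throw new TypeError(`unknown verificationMethod: ${options.verificationMethod}`);
  }
  const session = store.sessionTokens.get(options.sessionTokenId.toString('hex'));
  // The session must exist AND belong to the given uid, so a sessionTokenId
  // from one account can never mark a session on another account as verified.
  if (!session || session.uid !== uid.toString('hex')) {
    throw error.notFound();
  }
  session.verificationMethod = method;
  session.verifiedAt = now;
  session.mustVerify = false; // verified sessions no longer need verification
  return {};
}

// Promise-returning wrapper matching the resolves/rejects contract above.
function verifySessionWithMethod(store, uid, options) {
  return Promise.resolve().then(() => applySessionVerification(store, uid, options));
}
```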
@rfk
Contributor

rfk commented Feb 15, 2018

I think it'd be useful to pull the mustVerify column out of the unverifiedTokens table and add it to the sessionTokens table here as well, since that's a property that applies regardless of the verification method in use. Thoughts?

@vbudhram
Contributor Author

@rfk That sounds good to me, will update the designs above.
