Meteor Two Factor
Simple two-factor authentication for accounts-password.
Installation
$ meteor add dburles:two-factor
Prerequisites
Make sure your project is using Meteor's accounts-password package; if not, add it:

$ meteor add accounts-password
Example Application
Usage
Client and server usage examples.
Usage (Client)
Typically you would call this method from your application's login form submit handler. The server verifies the password, generates a code and hands it to twoFactor.sendCode:

```js
twoFactor.getAuthCode(user, password, error => {
  if (error) {
    // Handle the error (bad credentials, rate limited, ...)
    return;
  }
  // Success: a code has been generated and sent; isVerifying() is now true
});
```
After calling getAuthCode you can, if you wish, request a new authentication code (for example when the first one did not arrive):

```js
twoFactor.getNewAuthCode(error => {
  if (error) {
    // Handle the error
    return;
  }
  // Success: a fresh code has been sent
});
```
The following method is reactive and represents the state of authentication. Use it to decide when to display the interface for entering the authentication code:

```js
Tracker.autorun(function() {
  if (twoFactor.isVerifying()) {
    console.log('Ready to enter authentication code!');
  }
});
```
Capture the authentication code the user typed and pass it to the following method, which validates the code on the server and logs the user in:

```js
twoFactor.verifyAndLogin(code, error => {
  if (error) {
    // Handle the error (wrong code, rate limited, ...)
    return;
  }
  // Success: the user is now logged in
});
```
Usage (Server)
Assign a function to twoFactor.sendCode that delivers the code to the user. It runs on the server after getAuthCode succeeds. The example below sends the user an email:

```js
twoFactor.sendCode = (user, code) => {
  // Don't hold up the client
  Meteor.defer(() => {
    // Send code via email
    Email.send({
      // user.email() is a helper attached with dburles:collection-helpers;
      // define it yourself, or read user.emails[0].address directly
      to: user.email(),
      from: 'noreply@example.com',
      subject: 'Your authentication code',
      text: `${code} is your authentication code.`
    });
  });
};
```

The code is the second factor: do not log it or return it to the client over any channel other than the one you chose for delivery.
Optional functions:

```js
// Optional
// Conditionally allow regular or two-factor sign in.
// options is the attempt object that Accounts.validateLoginAttempt receives
// (user, connection, methodName, ...). Return true to allow a regular,
// single-factor login; return false to require the code.
twoFactor.validateLoginAttempt = options => {
  // If two factor auth isn't enabled for this user, allow regular sign in.
  // twoFactorEnabled is an application-defined field; the package does not set it.
  return !options.user.twoFactorEnabled;
};
```

```js
// Optional
// Replace the default code generator. Use a CSPRNG, never Math.random().
import crypto from 'crypto';

twoFactor.generateCode = () => {
  // return a random string, here a zero-padded 6-digit code
  return String(crypto.randomInt(0, 1000000)).padStart(6, '0');
};
```
Security note:

Use DDPRateLimiter to slow down guessing of verification codes. A short numeric code (say six digits) has only 10^6 possible values, so the server method that checks it must not accept unlimited attempts. The rule below allows five calls per minute, per DDP connection, to the two server methods the package exposes: twoFactor.verifyCodeAndLogin (code guessing) and twoFactor.getAuthenticationCode (which also triggers sendCode, so limiting it stops an attacker from flooding a victim with code emails).

```js
import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';

const numberOfAttempts = 5;
const timeInterval = 60; // seconds

DDPRateLimiter.addRule(
  {
    type: 'method',
    userId: null,
    clientAddress: null,
    name(name) {
      const methods = [
        'twoFactor.verifyCodeAndLogin',
        'twoFactor.getAuthenticationCode'
      ];
      return methods.includes(name);
    },
    // Count attempts per DDP connection
    connectionId() {
      return true;
    }
  },
  numberOfAttempts,
  timeInterval * 1000
);
```

Two caveats. The bucket is keyed by connectionId, so a client that simply reconnects starts with a fresh budget; pair this rule with a second one keyed by clientAddress (a function returning true) with a larger budget over a longer window. And DDPRateLimiter counts in memory per server process, so with several app instances behind a load balancer each instance enforces the limit separately.
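An added example, not code from dburles:two-factor or from Meteor, that builds rule objects for both partitioning strategies and models how DDPRateLimiter turns a rule plus a method call into a rate-limit bucket: a matcher of null is ignored, a constant must equal the call's value, and a function matcher is called with the value and, when it returns true, that value becomes part of the bucket key. The sample calls are constructed (one attacker at one address using two DDP connections); the wiring to DDPRateLimiter.addRule is left in a comment because it needs a running Meteor server.

```javascript
// Added example: rate-limit rules for the package's server methods and a model
// of DDPRateLimiter's matcher/bucket semantics (not DDPRateLimiter itself).

const TWO_FACTOR_METHODS = [
  'twoFactor.verifyCodeAndLogin',
  'twoFactor.getAuthenticationCode',
];

// partitionBy: 'connectionId' (one bucket per DDP connection, as in the README
// rule) or 'clientAddress' (one bucket per source address, shared across
// reconnects). Every other field is null, i.e. ignored for matching and keying.
function makeRule(partitionBy) {
  if (!['connectionId', 'clientAddress'].includes(partitionBy)) {
    throw new Error(`unsupported partition key: ${partitionBy}`);
  }
  return {
    type: 'method',
    userId: null,
    clientAddress: partitionBy === 'clientAddress' ? () => true : null,
    connectionId: partitionBy === 'connectionId' ? () => true : null,
    name: (name) => TWO_FACTOR_METHODS.includes(name),
  };
}

// Model of rule matching: does this method call fall under the rule?
function ruleMatches(rule, call) {
  return Object.entries(rule).every(([key, matcher]) => {
    if (matcher === null) return true;
    if (typeof matcher === 'function') return Boolean(matcher(call[key]));
    return matcher === call[key];
  });
}

// Model of bucket keying: constant matchers and function matchers that
// returned true contribute the call's value; null matchers contribute nothing.
function bucketKey(rule, call) {
  return Object.entries(rule)
    .filter(([key, matcher]) =>
      matcher !== null && (typeof matcher !== 'function' || matcher(call[key])))
    .map(([key]) => `${key}=${call[key]}`)
    .join('|');
}

// Constructed sample calls: the same attacker, same IP, two DDP connections.
const SAMPLE_CALLS = [
  { type: 'method', name: 'twoFactor.verifyCodeAndLogin', userId: null,
    clientAddress: '198.51.100.7', connectionId: 'conn-1' },
  { type: 'method', name: 'twoFactor.verifyCodeAndLogin', userId: null,
    clientAddress: '198.51.100.7', connectionId: 'conn-2' },
];

// Number of distinct buckets the calls land in under a rule. Two buckets means
// the attacker gets the full attempt budget twice just by reconnecting.
function distinctBuckets(rule, calls = SAMPLE_CALLS) {
  const keys = calls
    .filter((call) => ruleMatches(rule, call))
    .map((call) => bucketKey(rule, call));
  return new Set(keys).size;
}

// Wiring in a Meteor server file (not executed here):
//   import { DDPRateLimiter } from 'meteor/ddp-rate-limiter';
//   DDPRateLimiter.addRule(makeRule('connectionId'), 5, 60 * 1000);
//   DDPRateLimiter.addRule(makeRule('clientAddress'), 20, 60 * 60 * 1000);
```

Under the per-connection rule the two sample calls land in two separate buckets, so a reconnecting attacker gets a fresh budget each time; under the per-address rule they share one bucket. Use both: the per-connection rule gives a tight limit for honest clients, the per-address rule bounds the total guesses one source can make.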
API
The following functions are attached to the twoFactor
namespace. This may change somewhat for Meteor 1.3.
API (Client)
getAuthCode
getAuthCode(user, password, [callback])
Generates an authentication code. Once generated, (by default) a twoFactorCode field is written to the matched user's document on the server. The user and password arguments mirror Meteor.loginWithPassword.
user Either a string interpreted as a username or an email; or an object with a single key: email, username or id. Username or email are matched case-insensitively.
password The user's password.
callback Optional callback. Called with no arguments on success, or with a single Error argument on failure.
getNewAuthCode
getNewAuthCode([callback])
Generates a new authentication code. Only works while isVerifying() is true.
callback Optional callback. Called with no arguments on success, or with a single Error argument on failure.
verifyAndLogin
verifyAndLogin(code, [callback])
Verifies authentication code and logs in the user.
code The authentication code.
callback Optional callback. Called with no arguments on success, or with a single Error argument on failure.
isVerifying
isVerifying()
Reactive function that indicates the current state between having generated an authentication code and awaiting verification.
abort
abort([callback])
Call this while verifying to cancel the pending verification so the user can start the sign-in over (for example from a Cancel button).
callback Optional callback. Called with no arguments on success, or with a single Error argument on failure.
API (Server)
sendCode
sendCode(user, code)
Called on the server after getAuthCode succeeds, with the user document and the freshly generated code. You must assign this function; the package does not deliver codes itself.
user The current user document.
code The generated authentication code.
options

twoFactor.options.fieldName = 'customFieldName';

Specify the name of the field on the user document in which the authentication code is written. Defaults to twoFactorCode. Whatever the name, make sure no publication exposes this field to clients: a client that can read a pending code can bypass the second factor.
validateLoginAttempt (Optional)
validateLoginAttempt(options)
If defined, this function is called from within an Accounts.validateLoginAttempt callback with the attempt object. Use it to allow regular (single-factor) login under certain conditions: return true to allow it, false to require the code.
generateCode (Optional)
If defined, this function is called to generate the random code instead of the default. It should return a string, drawn from a cryptographically secure random source.
License
MIT