Specification

Apiary:
Status:
Title: PATCH mithril/api/users/{user_id}/actions/approve_factor
Scope: user:approve_factor

Purpose

Verify the OTP sent to the user and, on success, approve the pending 2FA change: the active 2FA item is updated with the factor carried in the `2fa_access_token`.

Request parameters

  • token (the `2fa_access_token`)
  • user_id (path parameter)
  • otp (the one-time code the user received)


Logic WS

  • Validate the token (`2fa_access_token`)
    • If invalid, return a 4xx error
  • Validate that $.user_id = token.user_id
    • If they differ, return a 403 error
  • Validate the user id and user status
  • Validate the user's `is_blocked` flag
    • If is_blocked = TRUE, return a 4xx error "User blocked" (!!! TBD: exact status code)
  • Get the active 2FA item for the (non-blocked) user by $.user_id


    Code Block
    languagesql
    -- "2FA" is not a valid unquoted alias (identifiers may not start with a digit); use af
    SELECT *
    FROM authentication_factors AS af
    WHERE
        af.user_id = $.user_id
            AND af.is_active = TRUE


    • If not found, return a 409 error "Not found 2FA data for user"
  • Extract type and factor from the user's 2FA item
  • For 2FA.type = SMS, invoke the internal function `verify_OTP(key, code)` with:
    • key = 2FA.factor
    • code = $.otp
  • Take the result of the `verify_OTP()` call
  • If result = VERIFIED
    • Extract from `tokens.details` the attributes:
      • `request_authentication_factor`
      • `request_authentication_factor_type`
    • Update (set values on) the active 2FA item:
      • type = `tokens.details.request_authentication_factor_type`
      • factor = `tokens.details.request_authentication_factor`
      • updated_at = now()
    • Update the `2fa_access_token` (set `tokens.details.used` = true) so it cannot be replayed
    • Return 200
  • If result = UNVERIFIED
    • Update the user (set values) by $.user_id
      • Increment `users.priv_settings.otp_error_counter` (+1)
    • If `users.priv_settings.otp_error_counter` > USER_OTP_ERROR_MAX
      • Block the user: update the user (set values) by $.user_id
        • is_blocked = TRUE
        • block_reason = "OTP verify attempts more than USER_OTP_ERROR_MAX"
        • updated_at = now()
    • Return a 401 error
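The steps above, as a runnable model of the whole approve_factor flow. This is an added example, not Mithril's own code: the `tokens`, `users` and `authentication_factors` tables are in-memory dataclasses, `verify_OTP` is modelled as a constant-time compare against an assumed `otps` table keyed by phone number, `USER_OTP_ERROR_MAX = 3` is an assumed value, and the concrete status codes chosen where the spec only says "4xx" (401 for a bad token, 404 for an unknown user, 403 for a blocked user) are assumptions. The sample user, token and OTP are constructed.

```python
"""Worked model of PATCH /api/users/{user_id}/actions/approve_factor.

Added example, not Mithril code. Tables are in-memory; status codes the spec
leaves as "4xx", the otps table layout and USER_OTP_ERROR_MAX are assumptions.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

USER_OTP_ERROR_MAX = 3  # assumed value; the spec only names the constant


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class Token:
    value: str
    user_id: str
    details: dict = field(default_factory=dict)  # request_authentication_factor(_type), used
    name: str = "2fa_access_token"
    expires_at: datetime = field(default_factory=lambda: now() + timedelta(minutes=5))


@dataclass
class User:
    id: str
    is_blocked: bool = False
    block_reason: Optional[str] = None
    priv_settings: dict = field(default_factory=lambda: {"otp_error_counter": 0})
    updated_at: datetime = field(default_factory=now)


@dataclass
class AuthenticationFactor:
    user_id: str
    type: str
    factor: str
    is_active: bool = True
    updated_at: datetime = field(default_factory=now)


@dataclass
class Store:
    """Stand-in for the tokens / users / authentication_factors tables plus an OTP table."""
    tokens: dict = field(default_factory=dict)   # token value -> Token
    users: dict = field(default_factory=dict)    # user_id -> User
    factors: list = field(default_factory=list)  # AuthenticationFactor rows
    otps: dict = field(default_factory=dict)     # key (phone) -> issued code (assumed layout)


def verify_otp(store: Store, key: str, code: str) -> str:
    """Model of the internal verify_OTP(key, code): constant-time compare, and the same
    answer whether or not the key exists, so callers cannot probe which phones have a
    pending OTP."""
    expected = store.otps.get(key, "")
    ok = hmac.compare_digest(expected.encode(), code.encode()) and expected != ""
    return "VERIFIED" if ok else "UNVERIFIED"


def approve_factor(store: Store, token_value: str, user_id: str, otp: str):
    """Returns (http_status, body) following the Logic WS steps in order."""
    # 1. validate the 2fa_access_token: must exist, be of the right kind, unused, unexpired
    token = store.tokens.get(token_value)
    if (token is None or token.name != "2fa_access_token"
            or token.details.get("used") or token.expires_at <= now()):
        return 401, {"error": "invalid 2fa_access_token"}      # spec: 4xx (assumed 401)
    # 2. the path user_id must be the token's own user
    if user_id != token.user_id:
        return 403, {"error": "forbidden"}
    # 3. user must exist and not be blocked
    user = store.users.get(user_id)
    if user is None:
        return 404, {"error": "user not found"}                # assumed code
    if user.is_blocked:
        return 403, {"error": "User blocked"}                   # spec: 4xx, TBD
    # 4. active 2FA item (the SELECT ... is_active = TRUE query)
    item = next((f for f in store.factors if f.user_id == user_id and f.is_active), None)
    if item is None:
        return 409, {"error": "Not found 2FA data for user"}
    # 5. the spec defines verify_OTP(key=factor, code=otp) for SMS factors only
    if item.type != "SMS":
        return 409, {"error": "unsupported factor type"}        # assumed handling
    if verify_otp(store, item.factor, otp) == "VERIFIED":
        # 6. approve: move the requested factor from tokens.details onto the active item
        item.type = token.details["request_authentication_factor_type"]
        item.factor = token.details["request_authentication_factor"]
        item.updated_at = now()
        token.details["used"] = True                            # single use, no replay
        return 200, {"type": item.type, "factor": item.factor, "is_active": item.is_active}
    # 7. failed attempt: count it and block the user once past the limit
    user.priv_settings["otp_error_counter"] += 1
    if user.priv_settings["otp_error_counter"] > USER_OTP_ERROR_MAX:
        user.is_blocked = True
        user.block_reason = "OTP verify attempts more than USER_OTP_ERROR_MAX"
    user.updated_at = now()
    return 401, {"error": "OTP not verified"}


def sample_store() -> Store:
    """Constructed sample data: one user with an active SMS factor and a pending change."""
    s = Store()
    s.users["u1"] = User(id="u1")
    s.factors.append(AuthenticationFactor(user_id="u1", type="SMS", factor="+380501112233"))
    s.tokens["tok"] = Token(value="tok", user_id="u1", details={
        "request_authentication_factor_type": "SMS",
        "request_authentication_factor": "+380509998877"})
    s.otps["+380501112233"] = "123456"
    return s


if __name__ == "__main__":
    s = sample_store()
    print(approve_factor(s, "tok", "u1", "000000"))  # wrong code -> 401, counter 1
    print(approve_factor(s, "tok", "u1", "123456"))  # right code -> 200, factor replaced
    print(approve_factor(s, "tok", "u1", "123456"))  # token already used -> 401
```

Two points worth noting from running the model: the OTP is checked against the factor currently on record (the old phone), not the one being approved, so possession of the existing factor is what authorises the change; and the spec never says when `otp_error_counter` is reset, so as written a user accumulates failures across requests until blocked, which is something to settle before the "TBD" on the blocked-user response is closed.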

Response

  • 200 if the OTP was verified and the new factor was set on the 2FA item; body: 2FA_object_view
  • 4xx otherwise