Purpose

Modification  existing WS: Create a user:

• Add handling logic for return different type of tokens by 2FA_Statuses (2fa_access_token, access_token)
• Add logic for process authorization 2 factor via OTP
• Add logic for process resend OTP via create new token (grant_type = resend_otp)

Request parameters

Add handling logic for combinations of request parameters:

ONE OF:  

- grant_type = "password"
- email
- password
- client_id
- scope = "app:authorize"

OR 

- grant_type = "authorize_2fa_access_token"
- token = 2fa_access_token
- otp 

OR 

- grant_type = "refresh_2fa_access_token" 
- token = 2fa_access_token

Logic WS

Сase `CREATE_2FA_TOKEN` (grant_type = "password")

• Validate token & scope
• Check login exist
  • If login exist
    • Get user by $.email
    • Validate user.password = $.password
    • If invalid -  Update user (set values) by $.user_id
      • Increment `users.priv_settings.login_error_counter` (+1)
      • If `users.priv_settings.login_error_counter` > USER_LOGIN_ERROR_MAX
        • Blocked user - update user (set values) by $.user_id
          • is_blocked = TRUE
          • block_reason = "OTP verify attempts more then USER_LOGIN_ERROR_MAX"
          • updated_at = now()
• Validate user status

• Get active 2FA item for non-blocked user by $.user_id

  Code Block
  language sql
  SELECT * FROM authentication_factors AS 2FA INNER JOIN user AS U ON 2FA.user_id = U.id WHERE U.id = $.user_id AND U.is_active = TRUE AND U.is_blocked = FALSE AND 2FA.is_active = TRUE

  • If exist 2FA active item with empty factor
    • !!! TBD - Need get factor from user (WS: Set2FA)
  • If  exist 2FA active item for user with non-empty factor
    • go to new process with 2FA (return 2fa_access_token + code 201)
  • If not exist 2FA active item for user
    • go to standart process without 2FA (return access_token+ code 201)

Response

• 201 if token successful create & return
• 4xx in other case