Specification
Apiary | |
POST | mithril/api/tokens |
Scope |
Purpose
Modification of the existing WS Create token (POST mithril/api/tokens):
- Add handling logic that returns a different token type depending on the user's 2FA status (2fa_access_token or access_token)
- Add logic for the second authorization factor via OTP
- Add logic for resending the OTP by creating a new token (grant_type = resend_otp)
Request parameters
Add handling logic for the following combinations of request parameters. A request must match exactly one of:
"CREATE_2FA_TOKEN"
- grant_type = "password"
- email
- password
- client_id
- scope = "app:authorize"
OR "AUTHORIZE_OTP"
- token = 2fa_access_token
- otp
OR "RESEND_OTP"
- token = 2fa_access_token
- grant_type = "resend_otp"
Logic WS
- Validate token & scope
- Check that the login exists
- If the login exists
  - Get user by $.email
  - Validate user.password = $.password
  - If invalid - Update user (set values) by $.user_id
    - Increment `users.priv_settings.login_error_counter` (+1)
    - If `users.priv_settings.login_error_counter` > USER_LOGIN_ERROR_MAX
      - Block user - update user (set values) by $.user_id
        - is_blocked = TRUE
        - block_reason = "OTP verify attempts more than USER_LOGIN_ERROR_MAX"
        - updated_at = now()
  - Validate user status (is_active, is_blocked)
- Get the active 2FA item for the non-blocked user by $.user_id:
  SELECT * FROM authentication_factors AS af INNER JOIN users AS u ON af.user_id = u.id WHERE u.id = $.user_id AND u.is_active = TRUE AND u.is_blocked = FALSE AND af.is_active = TRUE
  - If an active 2FA item with an empty factor exists
    - !!! TBD - the factor must first be obtained from the user (WS: Set2FA)
  - If an active 2FA item with a non-empty factor exists for the user
    - go to the new process with 2FA (return 2fa_access_token + code 201)
  - If no active 2FA item exists for the user
    - go to the standard process without 2FA (return access_token + code 201)
Response
- 201 if the token was successfully created and returned
- 4xx in every other case
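As an added example (not part of this spec and not Mithril's own code), the following Python models the decision logic above end to end: the three request-parameter combinations, the password check with the login_error_counter / USER_LOGIN_ERROR_MAX blocking rule, the active-2FA lookup, and the choice between access_token and 2fa_access_token. It runs against constructed in-memory stand-ins for the users and authentication_factors tables; the PBKDF2 password hash, the concrete 4xx codes, USER_LOGIN_ERROR_MAX = 3, the reset of the failure counter after a successful login, the client_id placeholder and the uniform "invalid credentials" answer for both an unknown login and a wrong password are assumptions made for the example, not things the spec states.

```python
"""Added example, not Mithril's own code: an in-memory model of the decision
logic this spec describes for POST mithril/api/tokens. Everything beyond the
spec (table shapes, the PBKDF2 password hash, token encoding, the concrete
4xx codes, USER_LOGIN_ERROR_MAX = 3, the counter reset after a successful
login) is an assumption made for the example."""
import hashlib
import hmac
import os
import secrets

USER_LOGIN_ERROR_MAX = 3       # assumed value; the spec names only the constant
PBKDF2_ITERATIONS = 100_000    # assumed password hashing scheme


def make_user(user_id, email, password, is_active=True):
    """Constructed stand-in for a row of the users table."""
    salt = os.urandom(16)
    return {
        "id": user_id, "email": email, "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
        "is_active": is_active, "is_blocked": False, "block_reason": None,
        "priv_settings": {"login_error_counter": 0},
    }


# Constructed sample data: users keyed by email, plus authentication_factors rows.
USERS = {u["email"]: u for u in (
    make_user(1, "alice@example.com", "correct horse"),
    make_user(2, "bob@example.com", "battery staple"),
    make_user(3, "carol@example.com", "no factor yet"),
)}
FACTORS = [
    {"user_id": 1, "type": "SMS", "factor": "+380000000000", "is_active": True},
    {"user_id": 2, "type": "SMS", "factor": "+380000000001", "is_active": False},  # inactive: ignored
    {"user_id": 3, "type": "SMS", "factor": None, "is_active": True},             # empty factor: TBD path
]


def classify_request(params):
    """Map a request body onto one of the three parameter combinations, else reject."""
    grant_type = params.get("grant_type")
    if grant_type == "password":
        if {"email", "password", "client_id"}.issubset(params) and params.get("scope") == "app:authorize":
            return "CREATE_2FA_TOKEN"
    elif grant_type == "resend_otp" and "token" in params:
        return "RESEND_OTP"
    elif grant_type is None and {"token", "otp"}.issubset(params):
        return "AUTHORIZE_OTP"
    raise ValueError("unsupported combination of request parameters")  # -> 4xx


def password_request(email, password, client_id="client-1"):
    """Build a CREATE_2FA_TOKEN body (client_id is a placeholder)."""
    return {"grant_type": "password", "email": email, "password": password,
            "client_id": client_id, "scope": "app:authorize"}


def verify_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, user["password_hash"])  # constant-time compare


def record_login_failure(user):
    """Spec: increment users.priv_settings.login_error_counter; block once it exceeds the max."""
    user["priv_settings"]["login_error_counter"] += 1
    if user["priv_settings"]["login_error_counter"] > USER_LOGIN_ERROR_MAX:
        user["is_blocked"] = True
        user["block_reason"] = "OTP verify attempts more than USER_LOGIN_ERROR_MAX"


def active_factor(user):
    """Equivalent of the spec's SELECT: active, non-blocked user joined with an active factor."""
    if not user["is_active"] or user["is_blocked"]:
        return None
    return next((f for f in FACTORS if f["user_id"] == user["id"] and f["is_active"]), None)


def create_token(params, users=USERS):
    """Return (status_code, body) the way the tokens endpoint would."""
    kind = classify_request(params)
    if kind != "CREATE_2FA_TOKEN":
        raise NotImplementedError(f"{kind}: the spec lists its parameters only")
    user = users.get(params["email"])
    # Same answer for an unknown login and a wrong password: a distinguishable
    # response would let a caller enumerate accounts (assumption, not in the spec).
    if user is None or not verify_password(user, params["password"]):
        if user is not None:
            record_login_failure(user)
        return 401, {"error": "invalid credentials"}
    if not user["is_active"] or user["is_blocked"]:
        return 403, {"error": "user is inactive or blocked"}
    user["priv_settings"]["login_error_counter"] = 0  # assumption: reset on successful login
    factor = active_factor(user)
    if factor is None:
        return 201, {"token_type": "access_token", "value": secrets.token_urlsafe(32)}
    if not factor["factor"]:
        raise NotImplementedError("TBD: the factor must first be obtained (WS: Set2FA)")
    return 201, {"token_type": "2fa_access_token", "value": secrets.token_urlsafe(32)}
```

The AUTHORIZE_OTP and RESEND_OTP branches raise NotImplementedError because the spec lists only their parameters, and the empty-factor case raises as well, mirroring the TBD item; both are places where a real implementation still needs a decision. Note that the password is checked before the status check, exactly as the spec orders it, so a wrong password against an already blocked account still counts as a failure.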