Hi there,
I have a two-step login flow in Xano. After login I check if TOTP is enabled. If so, I create a JWT auth token with extras.status = 2fa_pending.
If TOTP is not enabled, I create a JWT auth token with extras.status = authenticated.
What I would like to have is a public login page.
The 2FA challenge endpoint expects a 6-digit code and the secret used while setting up 2FA, so I need to fetch the record of the user. Preferably I want this page to be authenticated (private access for authenticated users). When the 2FA is successful, I generate a new JWT token with extras.status = authenticated.
Then, after a successful challenge, I redirect to a profile page that is authenticated (private access) and should be accessible when a valid JWT token is present with extras.status = authenticated.
I see that WeWeb uses the auth/me endpoint to decide if the user is authenticated.
But I can’t adjust private access based on the extras that is added to the JWT token.
What would be the best approach forward? I could return the extras in the auth/me endpoint and create a global workflow to check if the user is actually authenticated or 2FA is still pending, but I would need to add this workflow to every page. Are there any alternatives?
Or is it secure enough when the page for the 2FA challenge is public and uses a long hashed token to fetch the user?
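The two-state flow described in the post, as an added example that is not part of the original post or of Xano/WeWeb: a compact HMAC-signed token stands in for the JWT, the signing key and user records are constructed demo values, and every check happens server-side. The point it shows is that the challenge endpoint looks the TOTP secret up by the `sub` of a `2fa_pending` token rather than taking it from the client, and that `auth_me` refuses anything but an `authenticated` token, so the page's public/private setting is not what protects the profile data.

```python
import base64, hashlib, hmac, json, struct

# Constructed demo data (not real keys): server signing key and a user record with a TOTP secret.
SIGNING_KEY = b"demo-signing-key-not-for-production"
USERS = {"user-1": {"totp_secret": b"12345678901234567890", "totp_enabled": True}}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(user_id, status, now):
    """Mint a compact HMAC-signed token carrying the flow state in extras.status."""
    claims = {"sub": user_id, "extras": {"status": status}, "exp": now + 300}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def verify_token(token, now):
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > now else None  # pending tokens must expire too

def totp_code(secret, now, step=30):
    """RFC 6238 TOTP, HMAC-SHA1, 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1000000)

def require_status(token, status, now):
    """Server-side gate: the token must be valid AND in exactly this flow state."""
    claims = verify_token(token, now)
    return claims if claims and claims.get("extras", {}).get("status") == status else None

def login(user_id, now):
    """Step 1: password accepted (elided); issue a pending or fully authenticated token."""
    pending = USERS[user_id]["totp_enabled"]
    return issue_token(user_id, "2fa_pending" if pending else "authenticated", now)

def challenge_2fa(token, code, now):
    """Step 2: accept only a 2fa_pending token; the secret is looked up server-side by sub."""
    claims = require_status(token, "2fa_pending", now)
    expected = totp_code(USERS[claims["sub"]]["totp_secret"], now) if claims else None
    if expected is None or not hmac.compare_digest(code, expected):
        return None
    return issue_token(claims["sub"], "authenticated", now)

def auth_me(token, now):
    """Protected endpoint: only an 'authenticated' token gets user data; pending tokens do not."""
    claims = require_status(token, "authenticated", now)
    return None if claims is None else {"id": claims["sub"]}
```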