# Invoke OTP verification


knotty silo
#

Hey guys, I am currently working on a system for a law firm that requires authentication. I am using the default Directus auth, no external providers, hosted on Directus Cloud.

One of the client's requirements is MFA. My problem is: I created my own implementation for password reset. It works pretty much the same as in Directus. We send a reset token to a user, verify the token and change the user's password. The question is: is there a way to invoke OTP verification before password reset (an endpoint, an external library)? I noticed there are 'generate, enable, disable' endpoints but cannot find anything to verify the MFA code. The point is that a user shouldn't be allowed to make any changes to his account before he passes the MFA verification, because if the user's email gets stolen the MFA doesn't prevent an attacker from modifying the user's data, right? Sorry if I am missing something. It's my first time doing this kind of stuff. Thanks in advance for any advice!

formal jetty
#

Hi @knotty silo,

While I don't have an answer to your question, I have a question to ask you! I've been trying to set a user's token through the API, but I haven't been able to do that. The only way I could find was to update the user information and save a new token, but then I can't use that token to authorize the user. May I ask how you reset a token for a user?

knotty silo
#

Just so we're on the same page: what token are we talking about?

#

If you're talking about the token for resetting passwords: I created a collection reset_tokens, where each record has three fields, 'user_id', 'token' (encrypted token) and 'expires'. If the user clicks on reset password I send to the user's email a link containing the decrypted token. When the user clicks on the reset link he is redirected to a page where he is asked to enter a new password and email. On confirm I verify whether the token is valid by comparing the token the user received to the one stored in the database, as well as checking that the email he entered belongs to the token. If the check is successful, I reset the password and delete all records belonging to the user (to make sure the token cannot be reused). @formal jetty

I am using AWS Lambda functions for that.

formal jetty
#

Thank you @knotty silo. I was asking about the user API tokens, a long random string usually generated by the system.

knotty silo
#

Ah, that I don't know. I generated the API token directly in Directus for the admin user and send the token in the request like this:

```js
import axios from 'axios';

// Static token generated in Directus for the admin user, sent as a bearer token.
await axios.post(
  '/users',
  { first_name, last_name, email, password, role },
  { headers: { Authorization: 'Bearer <TOKEN>' } },
);
```

formal jetty
#

Thank you. Yes, I know how to do it via the admin dashboard, but that's manual. I want to be able to generate an API token when a user signs up and then use that for operations for that user.

uneven crown
#

@formal jetty Late to the party, but I saw this as I was looking for a reset password flow I can use in the frontend instead of the Directus frontend (which the users should never see).

Using the token (the default "token" field in directus_users) for authorization works fine for me after setting it via the API on either user creation or update. What is not working for you?

formal jetty
#

@uneven crown No, unfortunately I couldn't set the user token via the API. Just to be clear, I wanted to set the token myself, not ask the system to generate it. Could you do that?