Skip to content

Latest commit

 

History

History
39 lines (25 loc) · 3 KB

registration.md

File metadata and controls

39 lines (25 loc) · 3 KB
Raw

Adding 2FA to the user registration flow

This is the first set of changes. You will modify the user registration process so that they are prompted to add this app to an authenticator app on their smartphone.

Feel free to check the git tag registration-done if you need a pointer.

Changes to user registration flow

When a user registers, we need to:

  • Be able to use an OTP library
  • Create a secret2FaCode before persisting the UserDto
  • Share the secret2FaCode with the user, in the form of a QR code which can be scanned with an authenticator app

When this is done:

  • users can create accounts as before, and will be shown a QR code during the registration process
  • a secret is stored against each user in the database (different for each user)
  • login is still username/password only.

Hint: look for lines marked with TODO: (registration)

Walkthrough

This is the list of changes we need to make, in a logical order. If you are stuck, click on any of the "Finished Code" links to see how I implemented that part.

  1. We need to use an OTP library. I like JOTP. Uncomment the dependency in pom.xml. (Finished Code).

  2. For each user, we need to store a secret key in the database. Modify data.sql to add a new column. (Finished Code).

  3. The UserDto class should match the database schema. Add a new field and getter/setter matching your new DB column. (Finished Code).

    Feel free to start the app and inspect the database schema.

  4. Generate a secret key (using OTP.randomBase32(20)) when a new user registers, and store it in the database. (Finished code)

  5. Create a QR code for the user's authenticator app (using OTP.getURL) in WebController.java. (Finished code)

  6. Show the user the QR code on the "Thank you for registering page", registered.html. (Finished code).

That's all the changes we need for the registration flow.

You can now start the app and register for an account. You will be shown a QR code which will add an account to your authenticator app. You can also check the database to see that new users have a 20-character random string in their secret row.

Users can still log in using just username and password. Lets fix that. Move on to the next section: login.