Verify 2FA Code

This exercise will continue the flow from the previous exercise. Here's an expanded diagram from where we left off:
[Figure: flow diagram showing the user, the server, the 2FA app, and the verification record in the database]
We left off at the point where the verification is upgraded to a legit 2FA verification. From there we have the following flow:
  • The user logs out (eventually)
  • The server unsets the session ID (we do all this already)
  • The user logs back in
  • The server checks that the 2FA verification exists
  • The server still creates their managed session, but instead of putting it in the main cookieSession, we put it in the verifySession and send them to the /verify route.
  • The user submits the 2FA code generated by their app
  • The server verifies the code
  • The server moves their session from the verifySession to the regular cookieSession.
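As an added example (not the workshop's own code), here is the login and /verify handoff from the steps above in TypeScript, with an in-memory stand-in for the two sessions and a minimal RFC 6238 TOTP check; the `Sessions` and `Verification` shapes, the function names and the 30-second drift window are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-ins for the workshop's cookieSession / verifySession and the
// 2FA verification row in the database (assumed shapes, not the project's types).
type Sessions = { cookieSession?: string; verifySession?: string };
type Verification = { type: "2fa"; target: string; secret: Buffer };

// RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step), written here for the example.
export function totp(secret: Buffer, nowMs = Date.now(), step = 30): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(nowMs / 1000 / step)));
  const h = createHmac("sha1", secret).update(counter).digest();
  const off = h[h.length - 1] & 0x0f; // dynamic truncation offset
  const bin =
    ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  return String(bin % 1_000_000).padStart(6, "0");
}

// Accept the current step and one step on either side to tolerate clock drift;
// compare in constant time so a wrong guess does not leak by timing.
export function verifyTotp(secret: Buffer, code: string, nowMs = Date.now()): boolean {
  return [-1, 0, 1].some((d) => {
    const expected = Buffer.from(totp(secret, nowMs + d * 30_000));
    const got = Buffer.from(code);
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

// Login step: if the user has a 2FA verification, park the new session in
// verifySession and redirect to /verify instead of setting cookieSession.
export function login(sessionId: string, v: Verification | undefined, s: Sessions): string {
  if (v) {
    s.verifySession = sessionId;
    return "/verify";
  }
  s.cookieSession = sessionId;
  return "/";
}

// /verify step: only a valid code moves the session into the real cookieSession;
// a bad code leaves the user parked on /verify with no logged-in session.
export function verify(code: string, v: Verification, s: Sessions, nowMs = Date.now()): string {
  if (!s.verifySession || !verifyTotp(v.secret, code, nowMs)) return "/verify";
  s.cookieSession = s.verifySession;
  delete s.verifySession;
  return "/";
}
```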
This exercise will feel very similar to the work we did for email verification, password reset, and email change earlier. So let's get into it!