Require multifactor authentication after login

[nduplessis]

Hey @jeremyevans

The guide below details how to require multifactor authentication after login:
https://rodauth.jeremyevans.net/rdoc/files/doc/guides/require_mfa_rdoc.html

You may want to require multifactor authentication on login for people that have multifactor authentication set up

However from the source it appears as if multifactor is always required when it has been set up

    def require_authentication
      super

      # Avoid database query if already authenticated via 2nd factor
      return if two_factor_authenticated?

      require_two_factor_authenticated if uses_two_factor_authentication?
    end

Is that guide out of date or am I misunderstanding require_authentication?

[janko]

Imagine that login is redirecting to a page that doesn't require authentication, e.g. a page that is rendered differently depending on whether a user is logged in or not. In that case by default the user would not be automatically required to authenticate with 2nd factor after password login, because what's usually forcing that is a rodauth.require_authentication call on the endpoint that login redirects to.

[jeremyevans]

What the guide is trying to show is how to handle the case where you are requiring two factor authentication when logged in, but allowing access without being logged in.

The guide example could be shortened to rodauth.require_authentication if rodauth.logged_in?. @janko do you think we should do that?

[janko]

Yeah, that seems equivalent to me 👍🏻

[nduplessis]

Ah thanks @jeremyevans @janko

What are your thoughts on allowing authentication without requiring multi-factor for all requests?

[nduplessis]

@janko yes that's exactly what I'm aiming to achieve, but my understanding is that require_authentication is always forcing 2FA when it is set up as per the method implementation quoted above?

[janko]

That's correct. You can use require_login for routes where you only want to require 1st factor.

[nduplessis]

@janko ah, I was going by the require_authentication from the rodauth-rails readme. I see require_login appears to be missing from the documentation, is this just an oversight?

[janko]

I'm generally relying on rodauth-rails users going directly to Rodauth docs for the full API, to avoid duplicating everything in rodauth-rails README. But if you think it's important to mention, feel free to send a PR.

[nduplessis]

Yeah I was looking for it in the Rodauth docs and didn't see it under the Base docs but I see the distinction between require_login and require_authentication is actually clearly made in the Readme