Conversation
✅ Deploy Preview for gracious-clarke-e6b312 ready!
jscyo
left a comment
Please check the accuracy of the content. I've pointed out some of the issues.
| --- | ||
| title: Add MFA to React Fast with SuperTokens | ||
| description: "Secure your React app with multi-factor authentication in minutes. Learn MFA options, setup steps, and best practices using SuperTokens." | ||
| date: "02/20/2026" |
The date format is incorrect. Please check the deploy preview to see if the blog is rendering properly.
| ```javascript | ||
| import MultiFactorAuth from "supertokens-node/recipe/multifactorauth"; | ||
| import TOTP from "supertokens-node/recipe/totp"; | ||
|
|
||
| recipeList: [ | ||
| EmailPassword.init(), | ||
| TOTP.init(), | ||
| MultiFactorAuth.init({ | ||
| firstFactors: ["emailpassword"], | ||
| }), | ||
| Session.init() | ||
| ] | ||
| ``` |
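Review bot: `EmailPassword.init()` and `Session.init()` are called in `recipeList` but only `MultiFactorAuth` and `TOTP` are imported, so the snippet will not compile as shown; add `import EmailPassword from "supertokens-node/recipe/emailpassword";` and `import Session from "supertokens-node/recipe/session";` beside the two existing imports. The `recipeList` is also floating outside the `supertokens.init({ ... })` call that owns it, so the reader cannot see where `appInfo` and the core `connectionURI` belong; show the whole `init` call. Lastly, `firstFactors: ["emailpassword"]` only names the first factor: nothing in the snippet or the surrounding text states which second factor is required, or for which users, so say so explicitly.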
Please do check the functionality of this code, or refer to the documentation. You are initializing the Email password recipe here and it's not been imported.
| ] | ||
| ``` | ||
|
|
||
| **4. Wire the Frontend SDK** |
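Review bot: step 4 is a heading with no body, and the `]` and closing fence above it are the tail of the previous block, so the frontend section currently shows nothing. Add the `SuperTokens.init({ ... })` call for `supertokens-auth-react` that initializes the same recipes as the backend (`EmailPassword`, `TOTP`, `MultiFactorAuth`, `Session`), otherwise the reader has nothing to wire the TOTP and MFA screens to.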
Show the snippet for initializing the frontend SDK; you need to show the recipes being initialized here.
|
|
||
| **5. Protect Routes with SessionAuth** | ||
|
|
||
| Wrap protected components with `SessionAuth`. The wrapper checks session validity and MFA completion before rendering children. Incomplete sessions redirect to the appropriate challenge screen. |
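Review bot: the paragraph says `SessionAuth` checks session validity and MFA completion and redirects incomplete sessions, but none of that is shown; add the `<SessionAuth>` wrapper around one protected route and the route setup that registers the prebuilt login and factor screens it redirects to. Also qualify the security claim: `SessionAuth` is a client-side gate that improves routing and UX; the API must still reject requests from sessions that have not completed MFA on the server, otherwise a user can bypass the wrapper by calling the API directly.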
Please add snippets for all of this. Just writing this without showing does not make sense.
|
|
||
| **6. Test Token Rotation and Theft Detection** | ||
|
|
||
| Verify that refresh tokens rotate on each use and that concurrent token usage triggers theft detection. SuperTokens automatically revokes sessions when replay attacks are detected. |
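Review bot: "verify that" is an instruction without a method; spell out the test: log in, save the refresh-token cookie, call the refresh endpoint once (the cookie value should change), then replay the saved cookie and confirm the server reports theft and the session is revoked, so that even the freshly issued token is rejected afterwards. "Concurrent token usage" is also imprecise: a client retrying the same refresh after a lost response is expected to succeed, and detection fires when a token is presented after its successor has already been used.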
You have not explained how you can actually test this out in this section.
|
|
||
| **Rotate Refresh Tokens on Every Use** | ||
|
|
||
| Single-use refresh tokens nullify stolen credentials. If an attacker captures a refresh token, the next legitimate refresh invalidates it. SuperTokens enables rotation by default, detecting when both parties attempt to use the same token. |
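Review bot: "the next legitimate refresh invalidates it" and "detecting when both parties attempt to use the same token" misstate the mechanism. If the attacker refreshes first, the attacker holds the live token and it is the legitimate client's next refresh that is the replay; in either order the reuse is detected and, as the section above says, the whole session is revoked, so neither party keeps access and the user has to log in again. Reword along those lines and drop "nullify stolen credentials": a stolen refresh token is useful to the attacker until the reuse is detected, which is exactly why the detection event matters.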
This is incorrect. Please refer to SuperTokens' Rotating Refresh Token strategy with Access and Refresh Tokens.
|
|
||
| **Log Token Theft Detection Events** | ||
|
|
||
| When SuperTokens detects refresh token reuse, it fires `onTokenTheftDetected`. Pipe these events to your SIEM or monitoring system. Token theft attempts indicate active attacks against your users, not just background noise. |
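Review bot: `onTokenTheftDetected` is not an event that is "fired" for you to subscribe to; it is an error handler you configure under `errorHandlers` in `Session.init` on the backend, roughly `Session.init({ errorHandlers: { onTokenTheftDetected: async (sessionHandle, userId /* ... */) => { /* log, then respond */ } } })`, and once you supply it your code owns the response that the default handler would have sent (see the linked docs for the default behaviour). Show that config with the log call and the response rather than only naming the callback, and say what to log (session handle, user id, request metadata) so the SIEM entry is actionable.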
Refer to the documentation https://supertokens.com/docs/post-authentication/session-management/advanced-workflows/customize-error-handling on how to handle the error.
Link to Google Doc
https://docs.google.com/document/d/19fwmOsrD9x9eRjhS2s7dc6hSiZ4Kmk9sy4_pbH3Ny-I/edit?tab=t.0