Engine: Auth - 2FA Email OTP #16

Description

@ollieread

Email OTP is a post-launch 2FA method that sends a one-time code to the user's verified email address as the second factor. It implements the TwoFactorProvider contract.

Flow

  1. When a 2FA challenge is triggered for a user with email OTP enabled, a short-lived numeric code is generated, hashed, and stored against the user with an expiry
  2. The raw code is sent to the user's verified email address
  3. The user submits the code at the 2FA validation endpoint
  4. The submitted code is verified against the stored hash and checked for expiry — on success the code is consumed and a RawToken is issued

A code that has expired or already been consumed cannot be used.

User Storage

Email OTP requires no additional configuration on the user — it uses the user's existing verified email address. A pending code table stores the hashed code, expiry, and consumed state per user.

Tasks

  • Implement EmailOtpProvider satisfying the TwoFactorProvider contract
  • Implement OTP code generation, hashing, and storage with expiry
  • Implement email dispatch for the OTP code
  • Implement OTP verification including expiry and consumed checks
  • Write tests for code generation and hashing
  • Write tests for verification including expiry and consumed code rejection
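The flow, storage model and task list above map onto a small amount of code. The following is an added example, not code from the project or from the issue author: it is written in Python for illustration and assumes the names EmailOtpProvider, RawToken, and a send_email callback as placeholders for the engine's own TwoFactorProvider contract, mailer and token type. The code is hashed with an HMAC keyed by a server-side secret rather than a plain hash, because a six-digit code space is small enough to brute-force offline from a leaked pending-code table; the per-code attempt limit is an added hardening not listed in the issue.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Server-side key for the code hash. Held outside the database so that a copy
# of the pending-code table alone is not enough to recover codes.
# (Constructed value for this example; load from configuration in practice.)
SERVER_SECRET = b"example-server-secret-not-for-production"

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # short-lived code, as the issue describes
MAX_ATTEMPTS = 5            # assumed hardening, not part of the issue


@dataclass
class PendingCode:
    """One row of the pending-code table: hash, expiry and consumed state per user."""
    user_id: int
    code_hash: bytes
    expires_at: float
    consumed: bool = False
    attempts: int = 0


@dataclass
class RawToken:
    """Placeholder for the engine's token issued after a successful challenge."""
    user_id: int
    value: str


def generate_code() -> str:
    """Numeric code from a CSPRNG; leading zeros are kept so length is constant."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def hash_code(code: str) -> bytes:
    """Keyed hash of the raw code; only this digest is ever stored."""
    return hmac.new(SERVER_SECRET, code.encode("ascii"), hashlib.sha256).digest()


class EmailOtpProvider:
    """Stand-in for the TwoFactorProvider contract (assumed interface)."""

    def __init__(self, send_email: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self._send_email = send_email
        self._now = now
        self._pending: Dict[int, PendingCode] = {}  # stands in for the DB table

    def challenge(self, user_id: int, verified_email: str) -> None:
        """Step 1 and 2: generate, hash and store the code, then send the raw code."""
        code = generate_code()
        self._pending[user_id] = PendingCode(
            user_id=user_id,
            code_hash=hash_code(code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        self._send_email(verified_email, code)

    def verify(self, user_id: int, submitted: str) -> Optional[RawToken]:
        """Step 3 and 4: check consumed, expiry and hash; consume on success."""
        pending = self._pending.get(user_id)
        if pending is None or pending.consumed:
            return None                      # no challenge, or already used
        if self._now() >= pending.expires_at:
            return None                      # expired codes are never accepted
        if pending.attempts >= MAX_ATTEMPTS:
            return None                      # guessing budget exhausted
        pending.attempts += 1
        if not hmac.compare_digest(hash_code(submitted), pending.code_hash):
            return None                      # constant-time mismatch
        pending.consumed = True              # single use
        return RawToken(user_id, secrets.token_urlsafe(32))
```

The injectable clock and mailer are what make the expiry and consumed-code tests in the task list straightforward: a test advances the clock past CODE_TTL_SECONDS and asserts that verify returns nothing, and a second verify with the same code after a success must also fail.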

Metadata

Assignees: none
Labels: area: auth (Authentication and authorisation); layer: engine (Base framework and engine work)
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests