feature: include mfa in password reset flow#807
| @@ -0,0 +1,445 @@ | |||
| package services | |||
If refactoring, let's replace all 500 error messages with INTERNAL_SERVER_ERROR 😄
| @@ -0,0 +1,445 @@ | |||
| package services | |||
| import ( | |||
Are you adding anything here? If so, can you highlight the changes please?
| // MFA verification stage | ||
| if (stage === "mfa") { | ||
| return ( | ||
| <Card className="mx-auto w-full max-w-md"> |
Is there not a reusable component for this already?
| const refreshSession = useRefreshSession(); | ||
| const [isValidated, setIsValidated] = useState(false); | ||
| // Flow state |
Instead of the multiple hooks, can we use react hook form?
Also can we move some of the logic in its own hook?
Refacto token parsers
Refacto token structs
internal/helpers/token.go
| tokenString: accessToken, | ||
| allowedAudiences: []string{configuration.AudienceAccessToken}, | ||
| requireBearer: true, | ||
| errorMessage: "invalid access token", |
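Review bot: the per-call errorMessage field (`errorMessage: "invalid access token"`) makes the failure text depend on which token type was rejected, so callers can tell which validation step failed; one generic message for every parse failure, with the specific reason logged server-side, avoids that and removes the need for the field entirely.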
Do we need errorMessage and audienceError? Can we not put a generic message?
| // routeAudienceRules defines the security policy for restricted token access. | ||
| // Routes not listed here will reject restricted tokens entirely. | ||
| // This is the single source of truth for which audiences can access which endpoints. | ||
| var routeAudienceRules = []routeAudienceRule{ |
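Review bot: the comment on routeAudienceRules says routes not listed here reject restricted tokens entirely, which is the right fail-closed default for a new endpoint; add a test that asserts an unlisted route rejects a restricted token so a later refactor of this table cannot silently flip that behaviour.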
How does this fit with what we have in internal/configuration/auth.go, can we have one source of truth?
My worry is that we forget to update one of the places as the project grows.
internal/configuration/auth.go
| "/api/v1/auth/mfa/verify": { | ||
| {Path: "/api/v1/auth/mfa/verify", Method: "POST", RequireAuth: true}, | ||
| }, | ||
| } |
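Review bot: the map key "/api/v1/auth/mfa/verify" repeats the Path field of the rule beneath it, so the two can drift apart on a later edit and a rule would then be looked up under one path while declaring another; either derive the key from Path when the table is built, or add an init-time check that every key matches its rules' Path so a mismatch fails at startup rather than silently applying the wrong rule.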
Do we still need all this? It looks like there are auth rules everywhere and it's going to be hard to maintain...
No description provided.