Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlog
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

EXAMPLE Email code verification, SMS verification, and 2FA (OTP) support

default discord avatar
bcksl8 months ago
4

Wondering if anybody has any examples of instrumenting the Payload local auth strategy more deeply or replacing it entirely.



- My use case absolutely requires that accounts are verified both by email and SMS before being considered "verified".


- Email verification by code rather than link would also be great, but is not absolutely mandatory.


- 2FA support with OTP and potentially other methods is also mandatory.


- Is it worth trying to use the Payload local auth strategy in these cases or should it just be replaced?


- Examples of any of these would be fantastic, as well as any existing code for doing 2FA of any kind, or generally having multiple steps for an account to be considered verified.



Thanks!



I'm going to go check out the current implementation and see what I can discover.



https://github.com/ilich/passport-2fa-totp

This takes care of the OTP login, which is a step in the right direction, but doesn't deal with having custom/multiple verification steps.



@364124941832159242

Do any of the extension points you mentioned allow hooking the

verify

API on an auth collection? That would certainly be a start, allowing you to provide a method which can be called with different params for the different steps (e.g. email, SMS as above). I believe that the email verification with code rather than link could then be done by using the existing method to override

verify.generateEmailHTML

. Same can then be done for

forgotPassword.generateEmailHTML

, if the

reset-password

API can be hooked. SMS verification might need a custom API route if requiring the ability to resend. Similarly, some fiddling would be required to allow the user to change their phone number after create but before verify, but it's doable.



Realistically, the other thing that would be nice is being able to specify the field(s) to be used to identify a user, which would allow having things like username or username + email for login.



Beyond that, we go into the territory of using

disableLocalStrategy

and setting up the verification, email, login, logout, etc. stuff as a combination of hooks, custom API routes, and either a custom passport auth strategy or a more suitable existing one such as above.

  • discord user avatar
    jmikrut
    2 years ago

    I don't think I've seen an example here yet but I am very interested in this for sure. I would say it'd be great to build in a way to extend our local auth strategy with other auth factors, wherein we could have a way to just "pass in" verification steps or similar



    we probably have about 80% of "extension points" needed for this, and would only need a few more

  • default discord avatar
    blazehazes2 years ago

    How did you get on with this

  • default discord avatar
    duda27712 years ago

    Hey, did you find a good solution in the end you could share with us? 🙂

  • default discord avatar
    zawoj9 months ago

    I made it, it's my first YouTube video so forgive me if it's not the best quality but I wanted to share it already and not edit it endlessly

    https://www.youtube.com/watch?v=Tpqt_q7KWPQ
Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.