AshAuthentication.Phoenix.LiveSession.RequireTotp
(ash_authentication_phoenix v3.0.0-rc.6)
A LiveView on_mount hook that enforces TOTP two-factor authentication.
This module provides an on_mount hook that checks if the current user has TOTP configured and redirects to the setup page if not.
Behaviour When No User Is Present
When there is no authenticated user (i.e., socket.assigns[:current_user] is nil),
this hook returns {:cont, socket} without modification. It does not redirect or
halt the LiveView mount.
This design allows the hook to be used in live sessions that may or may not have an authenticated user. For routes that require authentication, use this hook after your authentication hook to ensure a user exists before checking TOTP configuration.
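The ordering described above, as an added example (not code from ash_authentication_phoenix): a single hook that halts when no user is assigned and only then delegates to require_totp, so an anonymous visitor can never reach the pass-through branch. The module name MyAppWeb.RequireUserAndTotp, the "/sign-in" path and the flash text are assumptions.

```elixir
defmodule MyAppWeb.RequireUserAndTotp do
  @moduledoc """
  Added example: fail closed when no user is present, then enforce TOTP.

  Assumed router usage (route and session names are illustrative):

      live_session :secure,
        on_mount: [
          {AshAuthentication.Phoenix.LiveSession, :default},
          {MyAppWeb.RequireUserAndTotp, :default}
        ] do
        live "/secure", SecureLive
      end
  """

  import Phoenix.LiveView, only: [put_flash: 3, redirect: 2]

  alias AshAuthentication.Phoenix.LiveSession.RequireTotp

  # Assumed sign-in route; replace with the one your router defines.
  @sign_in_path "/sign-in"

  def on_mount(:default, _params, _session, socket) do
    case socket.assigns[:current_user] do
      nil ->
        # RequireTotp returns {:cont, socket} when there is no user,
        # so the unauthenticated case has to be halted here.
        socket =
          socket
          |> put_flash(:error, "Please sign in")
          |> redirect(to: @sign_in_path)

        {:halt, socket}

      _user ->
        # A user exists: the TOTP check now decides between :cont and :halt.
        RequireTotp.require_totp(socket,
          setup_path: "/auth/totp/setup",
          error_message: "Two-factor authentication required"
        )
    end
  end
end
```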
Usage
Add the hook to your live_session in the router:
live_session :require_totp,
  on_mount: [
    {AshAuthentication.Phoenix.LiveSession, :default},
    {AshAuthentication.Phoenix.LiveSession.RequireTotp, :require_totp}
  ] do
  live "/secure", SecureLive
end
Or use the require_totp/1 function in your own on_mount callback:
defmodule MyAppWeb.RequireTotpHook do
  alias AshAuthentication.Phoenix.LiveSession.RequireTotp

  # params and session are unused here, so they are underscored
  def on_mount(:default, _params, _session, socket) do
    RequireTotp.require_totp(socket,
      setup_path: "/settings/security/2fa",
      error_message: "Please set up two-factor authentication"
    )
  end
end
Options
:current_user_assign - The assign key for the current user. Defaults to :current_user.
:setup_path - The path to redirect to for TOTP setup. Defaults to "/auth/totp/setup".
:error_message - The flash message to show when redirecting. Defaults to "Two-factor authentication required".
:strategy - The name of the TOTP strategy. Defaults to the first TOTP strategy found on the resource.
Functions
LiveView on_mount callback that requires TOTP configuration.
Can be configured with a tuple in the live_session:
on_mount: [{AshAuthentication.Phoenix.LiveSession.RequireTotp, :require_totp}]
Or with options:
on_mount: [{AshAuthentication.Phoenix.LiveSession.RequireTotp,
            {:require_totp, setup_path: "/custom/setup"}}]
@spec require_totp(Phoenix.LiveView.Socket.t(), keyword()) ::
        {:cont, Phoenix.LiveView.Socket.t()} | {:halt, Phoenix.LiveView.Socket.t()}
Checks if the current user has TOTP configured and redirects if not.
Returns {:cont, socket} if TOTP is configured, or {:halt, socket} with
a redirect if not.
Options
:current_user_assign - The assign key for the current user. Defaults to :current_user.
:setup_path - The path to redirect to for TOTP setup.
:error_message - The flash message to show when redirecting.
:strategy - The name of the TOTP strategy.
@spec totp_configured?(Phoenix.LiveView.Socket.t(), keyword()) :: boolean()
Returns true if the current user has TOTP configured.
This is a convenience function for use in LiveView templates:
<%= if totp_configured?(@socket) do %>
  <span>2FA enabled</span>
<% end %>