Allow TOTP Auth to persist between browser restarts? #435
Closed
kingpalethe started this conversation in General
-
You could configure Rodauth to automatically consider remembered users as two-factor-authenticated. This is what I have configured in my Rails demo app:

```ruby
# automatically remember logged in accounts, unless they're expected to authenticate with 2nd factor
after_login { remember_login unless uses_two_factor_authentication? && !two_factor_authenticated? }
# in that case, remember them only after they've authenticated with 2nd factor
after_two_factor_authentication { remember_login }
# when remembering accounts, consider them two-factor-authenticated
after_load_memory { two_factor_update_session("totp") if uses_two_factor_authentication? }
```
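A simplified Ruby model of the three hooks in the reply above, added here as an illustration; it is not code from the thread, Rodauth, or rodauth-rails, and the `ModelAuth` class, `state_after_restart` helper and token value are constructed. It shows that the remember cookie is issued only after the second factor succeeds, so restoring two-factor state from it never upgrades a password-only login.

```ruby
# Toy model, NOT Rodauth internals: the session Hash is lost on browser
# restart, the remember cookie survives. Hook bodies mirror the reply's config.
class ModelAuth
  attr_reader :session, :remember_cookie

  def initialize(totp_enabled:)
    @totp_enabled = totp_enabled
    @session = {}
    @remember_cookie = nil
  end

  def uses_two_factor_authentication?; @totp_enabled; end
  def two_factor_authenticated?; session[:two_factor] == "totp"; end
  def remember_login; @remember_cookie = "constructed-remember-token"; end

  def login # password step, followed by the after_login hook
    session[:account_id] = 1
    remember_login unless uses_two_factor_authentication? && !two_factor_authenticated?
  end

  def totp_auth # TOTP step, followed by the after_two_factor_authentication hook
    raise "not logged in" unless session[:account_id]
    session[:two_factor] = "totp"
    remember_login
  end

  def browser_restart; @session = {}; end

  def load_memory # restore from cookie, followed by the after_load_memory hook
    return false unless remember_cookie
    session[:account_id] = 1
    session[:two_factor] = "totp" if uses_two_factor_authentication?
    true
  end
end

# Runs one login scenario through a browser restart and reports the result.
def state_after_restart(totp_enabled:, complete_totp:)
  auth = ModelAuth.new(totp_enabled: totp_enabled)
  auth.login
  auth.totp_auth if complete_totp
  auth.browser_restart
  auth.load_memory
  { logged_in: auth.session.key?(:account_id),
    two_factor: auth.two_factor_authenticated? }
end
```

With this configuration the remember cookie stands in for both factors on that device, so its lifetime bounds how long TOTP is skipped.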
-
Great, just tested this strategy, works well!
-
Thanks for this awesome library which is so much more complete than Devise!
Using rodauth-rails, I am finding that whenever a user closes and re-opens his/her browser, rodauth demands the TOTP code.
This might be a best practice, but in our case we are using the TOTP elsewhere in our application so this behavior is redundant.
Is there a way to tell rodauth to NOT delete the TOTP authorization on browser restart?
Also, is there a configuration setting for "how long" the TOTP authorization will persist for?
I've tested this both with Brave and Firefox.
I do see the docs on "session expiration" here: https://rodauth.jeremyevans.net/rdoc/files/doc/session_expiration_rdoc.html -- but TOTP-authorization seems to be a separate issue, because I can see that my user does NOT get "completely logged out" when the web browser restarts, only the user DOES get back into the "need to enter TOTP" status when the browser restarts....
thanks!