Best Practice for Creating and Admin-Initiated User Creation Flow w/MFA

[petergoldstein]

I'd like to support an administrative invitation flow in my application. Specifically:

1. A user in my application who has certain privileges can invite another user to the application by specifying an email address
2. This triggers a "verify" email and subsequent flow, wherein an email with a verification link is sent to the invited email address.
3. On clicking the verify email, the invited user has the ability to set their own password
4. Once they've set their password, they are prompted to configure an MFA method (in my case, SMS codes)
5. They MUST configure the MFA method before gaining access to the application
6. Once they've configured the MFA method they can log in (using two factors) and access the app.

I think I can do the first couple of steps with:

1. Setting :internal_request, :verify_user, and :sms_codes in my RodauthMain configuration
2. Setting verify_account_set_password? true in my RodauthMain configuration
3. Using RodauthApp.rodauth.create_account(login: <email>) to trigger the account creation and sending of the verification email.

Is that right? And the recommended method of accomplishing this?

Now starting on step 4, how can I require that they configure MFA as a requirement? Do I do a redirect to the Manage MFA endpoint in the routes if rodauth.logged_in? && !rodauth.uses_two_factor_authentication?

Note, since there's been some discussion of devise-invitable elsewhere, this is essentially the flow supported by devise-invitable. Very useful in a multi-tenant SaaS application. I think a write up in the documentation would be valuable.

[janko]

Yes, what you described sounds like a good approach to me 👍🏻 For requiring the user to configure MFA, Rodauth already provides #require_two_factor_setup method for that, so you can call rodauth.require_two_factor_setup if rodauth.logged_in? at the start of the request.

It would definitely be useful to have a wiki page showing how to implement invites. Feel free to add one, the wiki is publicly editable 🙂

[petergoldstein]

I've got this working it my app, albeit I had to include a clear_query_cache as noted in #204. I'll try and document in the wiki shortly.