Skip to main content

Protecting API routes

caution
  • SuperTokens is not yet optimised for 2FA implementation, so you have to add a lot of customisations for it to work. We are working on improving the development experience for 2FA as well as adding more factors like TOPT. Stay tuned.
  • A demo app that uses the pre built UI can be found on our GitHub.

In the previous steps, we saw the a session is created after the first factor, with SecondFactorClaim set to false, and then after the second factor is completed, we update that value to true.

Protecting all APIs#

We want to protect all the application APIs such that they are accessible only when SecondFactorClaim is true - indicating that the user has completed 2FA. We can do this by by overriding the getGlobalClaimValidators function in the Session recipe.

import Session from "supertokens-node/recipe/session";
Session.init({    override: {        functions: (oI) => {            return {                ...oI,                getGlobalClaimValidators: (input) => [                    ...input.claimValidatorsAddedByOtherRecipes,                    SecondFactorClaim.validators.hasValue(true),                ],            };        },    }})

Protecting specific API routes#

If instead, you want to enforce 2FA just on certain API routes, you can add the validator only when calling the verifySession function:

import express from "express";import { verifySession } from "supertokens-node/recipe/session/framework/express";import { SessionRequest } from "supertokens-node/framework/express";
let app = express();
app.post("/like-comment", verifySession({    overrideGlobalClaimValidators: (globalValidators) => [        ...globalValidators,         SecondFactorClaim.validators.hasValue(true),    ]}), (req: SessionRequest, res) => {    //....});
important

If the SecondFactorClaim claim validator fails, then the SDK will send a 403 response.

Which frontend SDK do you use?
supertokens-web-js / mobile
supertokens-auth-react