Two-Factor Authentication API
Secure your users' accounts with two-factor authentication (2FA). BRDZ supports TOTP-based 2FA using authenticator apps like Google Authenticator, Authy, or 1Password. Includes comprehensive audit logging via user_2fa_logs table.
Setup 2FA
Setup 2FA
Generate secret and QR code for 2FA setup. Creates or updates user_2fa_settings record with is_enabled=FALSE. Generates 8 backup codes. User scans QR code with authenticator app.
Request Body
{}Response
{
"success": true,
"data": {
"secret": "JBSWY3DPEHPK3PXP",
"qr_code": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...",
"backup_codes": [
"A1B2C3D4",
"E5F6G7H8",
"I9J0K1L2",
"M3N4O5P6",
"Q7R8S9T0",
"U1V2W3X4",
"Y5Z6A7B8",
"C9D0E1F2"
],
"manual_entry_key": "JBSWY3DPEHPK3PXP",
"issuer": "BRDZ SDK Dashboard",
"account_name": "user@example.com"
}
}{
"success": false,
"error": "2FA is already enabled. Disable it first to setup again."
}curl -X POST https://api.brdz.link/api/2fa/setup \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "x-api-key: YOUR_API_KEY"Enable 2FA
Enable 2FA
Enable 2FA after user has scanned QR code. Verifies TOTP token from authenticator app and sets is_enabled=TRUE in user_2fa_settings. Updates setup_completed_at timestamp.
Parameters
tokenstringrequired6-digit verification code from authenticator app
Request Body
{
"token": "123456"
}Response
{
"success": true,
"message": "2FA enabled successfully"
}{
"success": false,
"error": "2FA not setup. Please setup 2FA first."
}{
"success": false,
"error": "Invalid verification code"
}curl -X POST https://api.brdz.link/api/2fa/enable \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "x-api-key: YOUR_API_KEY" \
-d '{"token": "123456"}'Get 2FA Status
Get 2FA Status
Check 2FA status for current user from user_2fa_settings table. Returns setup and enablement status with timestamps and backup codes count.
Response
{
"success": true,
"data": {
"is_enabled": true,
"is_setup": true,
"setup_completed_at": "2024-01-15T10:30:00Z",
"last_used_at": "2024-01-15T12:45:00Z",
"backup_codes_count": 8
}
}{
"success": true,
"data": {
"is_enabled": false,
"is_setup": false,
"setup_completed_at": null,
"last_used_at": null,
"backup_codes_count": 0
}
}curl -X GET https://api.brdz.link/api/2fa/status \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "x-api-key: YOUR_API_KEY"Disable 2FA
Disable 2FA
Disable 2FA for current user. Requires both current 2FA token and password verification using bcryptjs. Sets is_enabled=FALSE in user_2fa_settings (keeps record for audit).
Parameters
tokenstringrequired6-digit verification code from authenticator app
passwordstringrequiredUser's current password for security verification
Request Body
{
"token": "123456",
"password": "currentPassword123"
}Response
{
"success": true,
"message": "2FA disabled successfully"
}{
"success": false,
"error": "Both verification token and password are required"
}{
"success": false,
"error": "Invalid password"
}curl -X POST https://api.brdz.link/api/2fa/disable \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "x-api-key: YOUR_API_KEY" \
-d '{
"token": "123456",
"password": "currentPassword123"
}'Get Backup Codes
Get Backup Codes
Retrieve backup codes for 2FA. Requires password verification using bcryptjs for security. Returns backup_codes array from user_2fa_settings table.
Parameters
passwordstringrequiredUser's current password for security verification
Request Body
{
"password": "currentPassword123"
}Response
{
"success": true,
"data": {
"backup_codes": [
"A1B2C3D4",
"E5F6G7H8",
"I9J0K1L2",
"M3N4O5P6",
"Q7R8S9T0",
"U1V2W3X4",
"Y5Z6A7B8",
"C9D0E1F2"
]
}
}{
"success": false,
"error": "Password is required to view backup codes"
}{
"success": false,
"error": "Invalid password"
}curl -X POST https://api.brdz.link/api/2fa/backup-codes \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "x-api-key: YOUR_API_KEY" \
-d '{"password": "currentPassword123"}'Verify 2FA for Login
Verify 2FA for Login
Verify 2FA token during login process. No authentication required. Updates last_used_at timestamp in user_2fa_settings. Used with /auth/complete-login endpoint.
Parameters
user_idnumberrequiredUser ID from initial login response
tokenstringrequired6-digit verification code from authenticator app
Request Body
{
"user_id": 123,
"token": "123456"
}Response
{
"success": true,
"message": "2FA verification successful"
}{
"success": false,
"error": "User ID and verification token are required"
}{
"success": false,
"error": "Invalid verification code"
}curl -X POST https://api.brdz.link/api/2fa/verify-login \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{
"user_id": 123,
"token": "123456"
}'Database Schema
Based on controller implementation, the following tables are used:
user_2fa_settings Table
- user_id (reference to users table)
- totp_secret (encrypted TOTP secret)
- backup_codes (array of 8 backup codes)
- is_enabled (boolean)
- setup_completed_at (timestamp)
- last_used_at (timestamp)
- created_at, updated_at (timestamps)
user_2fa_logs Table (Audit Trail)
- user_id (reference to users table)
- action (setup, enabled, disabled, verified, failed_verification, etc.)
- ip_address (client IP)
- user_agent (client browser/app)
- success (boolean)
- failure_reason (text, nullable)
- created_at (timestamp)
2FA Workflow
Setup Flow
- Setup: Call
/2fa/setupto get QR code and backup codes - Scan: User scans QR code with authenticator app (Google Authenticator, Authy, etc.)
- Enable: Call
/2fa/enablewith verification token to activate 2FA - Store: Securely save backup codes
Login Flow
- Login: Call
/auth/loginwith username/password - Check: If response has
requires_2fa: true - Verify: Call
/2fa/verify-loginwith user_id and 2FA token - Complete: Call
/auth/complete-loginto get JWT token
Security Features
Based on controller implementation:
- Password Verification: Required for disable and backup codes access
- Audit Logging: All 2FA activities logged to user_2fa_logs table
- IP Tracking: Client IP and User-Agent logged for security monitoring
- Token Window: 2-step time tolerance for TOTP verification
- Backup Codes: 8 backup codes generated (8 chars each, hex uppercase)
- Database Persistence: Settings kept for audit even when disabled
Error Handling
The controller logs all 2FA activities including failures:
// Failed verification logging
await log2FAActivity(user_id, 'failed_verification', false, 'Invalid token during enable', req);
// Successful operations logging
await log2FAActivity(user_id, 'enabled', true, null, req);
Based on TOTP standard (RFC 6238):
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Any TOTP-compatible app
- Password verification required for sensitive operations
- All activities logged for audit trail
- Backup codes should be stored securely offline
- Each backup code can only be used once
- Uses speakeasy library for TOTP generation/verification
- QR codes generated using qrcode library
- Password hashing verified with bcryptjs
- Database transactions ensure data consistency