
two factor authentication login #31

Open
xu4wang opened this issue Apr 26, 2020 · 6 comments

Comments

@xu4wang

xu4wang commented Apr 26, 2020

My Rocket.Chat server is always asking for an OTP from my email during the login process.

How should I use the authentication API

https://github.com/abrom/rocketchat-ruby/blob/master/docs/authentication.md#login

for logging in?

BR, Austin

@abrom
Owner

abrom commented Apr 26, 2020

Hi @xu4wang,

Good question, but not something I have knowledge of. Rocket.Chat documentation talks about this but I use a different method so it isn't something I've needed to worry about:

https://rocket.chat/docs/developer-guides/two-factor/rest-api/

and

https://rocket.chat/docs/developer-guides/two-factor/

In short, it looks like it is expecting two extra headers: x-2fa-code and x-2fa-method.

I see two options:

  1. Per the documentation, you can use a Personal Access Token. This of course does put a lot of trust in the token and where it's stored/who has access to it. It would be used in place of the user's password.

  2. You're more than welcome to submit a pull request to add support for the aforementioned headers in the server login method. I suspect it'd look something like:

    def login(username, password, options = {})
      response = request_json(
        '/api/v1/login',
        method: :post,
        body: {
          username: username,
          password: password
        },
        headers: otp_headers(options)
      )
      Session.new self, Token.new(response['data'])
    end

    private

    def otp_headers(options)
      headers = {}
      headers['x-2fa-code'] = options[:two_factor_code] if options[:two_factor_code]
      headers['x-2fa-method'] = options[:two_factor_method] if options[:two_factor_method]
      headers
    end

Or something like that. But it'd also need some new tests to validate it, and it'd be good to have it validated against a real Rocket.Chat instance.
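A stand-alone harness for the proposed change, added here as an example and not part of the gem or of the comment above: the same login/otp_headers pair wired to a fake transport that behaves like a server enforcing e-mail 2FA, so the header logic can be checked without a live instance. The FakeServer class, the Token/Session stand-ins, the 'email' method value and all token values are assumptions or constructed samples.

```ruby
# Added example, not code from the rocketchat-ruby gem. Stand-ins for the gem's
# Token/Session (assumption: the real classes carry more state than modelled here).
Token = Struct.new(:auth_token, :user_id)
Session = Struct.new(:server, :token)

class FakeServer
  attr_reader :last_request

  # Simulates a Rocket.Chat server that demands an e-mail OTP on login.
  # The expected code is a constructed sample value.
  def initialize(expected_code: '123456')
    @expected_code = expected_code
  end

  # Proposed signature: options may carry :two_factor_code / :two_factor_method.
  def login(username, password, options = {})
    response = request_json('/api/v1/login',
                            method: :post,
                            body: { username: username, password: password },
                            headers: otp_headers(options))
    data = response['data']
    Session.new(self, Token.new(data['authToken'], data['userId']))
  end

  private

  # Only add the 2FA headers when the caller supplied them, so accounts without
  # 2FA keep working and an empty code is never sent.
  def otp_headers(options)
    headers = {}
    headers['x-2fa-code'] = options[:two_factor_code] if options[:two_factor_code]
    headers['x-2fa-method'] = options[:two_factor_method] if options[:two_factor_method]
    headers
  end

  # Fake transport: records the request and answers like a 2FA-enforcing server.
  # Rejecting a login without valid headers is the failure the issue reporter hit.
  # The 'email' method value is an assumption about the server's expected value.
  def request_json(path, method:, body:, headers:)
    @last_request = { path: path, method: method, body: body, headers: headers }
    unless headers['x-2fa-code'] == @expected_code && headers['x-2fa-method'] == 'email'
      raise 'server rejected login: 2FA code/method missing or invalid'
    end
    { 'data' => { 'authToken' => 'constructed-token', 'userId' => 'constructed-user' } }
  end
end
```

Replacing FakeServer#request_json with the gem's real transport turns this into the integration test the proposal still needs.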

@xu4wang
Author

xu4wang commented Apr 27, 2020

Thanks @abrom for the quick update and the candidate solutions. I will evaluate the two options later.

@julienchabanon

Do you have any update on this? This makes this gem pretty useless as TOTP cannot be disabled for new users. It can be for admins though, with the ENV Accounts_TwoFactorAuthentication_Enforce_Password_Fallback set to false.
So we can only log in as admin right now.

@abrom
Owner

abrom commented Jun 10, 2021

Not since my last reply. I listed two different ways that you can authenticate against a system with 2 factor.

From your comment it would seem likely you'd want the second option. I've listed the code that should allow for 2 factor. If you are able to test that it works, and can put together a PR to include it in the gem, I'd be more than happy to take a look.

@abrom
Owner

abrom commented Aug 30, 2021

Any update on testing the proposed change @julienchabanon or @xu4wang ?

@MrRTi
Contributor

MrRTi commented Mar 29, 2023

Per the documentation, you can use a Personal Access Token. This of course does put a lot of trust in the token and where it's stored/who has access to it. It would be used in place of the user's password.

If someone needs a solution: you can create a personal access token in Rocket.Chat and use it to get a session

options = {}
server = RocketChat::Server.new(url, options)
token = RocketChat::Token.new(authToken: 'personal_access_token', userId: 'user_id')
session = RocketChat::Session.new(server, token)

Development

No branches or pull requests

4 participants