Additional password verification for sensitive functionality
General description
This functionality protects users' sensitive information against long-running sessions and direct-login links, either of which may allow an unauthorized person to get access to that sensitive information.
The feature adds a second verification token that expires after some time, even if the user's session is still alive. If the user does not log out, another person who picks up the session still does not get access to password-verification-protected information, because the verification eventually expires. When that happens the user is required to enter her password again before getting access to the protected information.
Verification expiration
When a member logs in with their password, they get the default (1h) verification session.
When an administrator impersonates a member through the admin panel, the impersonated session gets an extended (1 day) verification session, so that an administrator or support staff member has access to all of the member's pages.
When a member logs in using a direct-login link, they stay unverified.
Route API (Middleware)
To protect a route with this additional password verification, add the 'verify-session' middleware to the route, like this:

```php
Route::group(['before' => ['auth.login', 'auth.member'], 'prefix' => 'members'], function () {
    //...
    // 'verify-session' adds the password re-verification check on top of the
    // login/member checks applied to the whole group.
    Route::get('billing', [Member\MemberBillingController::class, 'show'])
        ->name('member.billing.show')
        ->middleware(['verify-session']);
    //...
});
```

This enables protection on the route: when a member tries to access it while unverified (that is, they used a direct-login link or the verification expired), they are redirected to the /verify page and asked for their password, then redirected back. Note that 'before' is the Laravel 4 route-filter key; on Laravel 5 and later route filters were replaced by middleware and the group key is 'middleware', so check which form the application's Laravel version expects, since a filter the router does not recognise is not applied.
This behavior is simple and can protect pages, but it is not very useful for POST/PUT/DELETE requests. When a form is submitted to a verification-protected route, the user is redirected to the verification page and then redirected back after verification, but the redirect does not know how to resubmit the form, so the submission is lost.
In these cases the JavaScript API must be used to obtain verification before the form is submitted, so that by the time the form is submitted the member is known to be verified. The middleware stays on the route: the JavaScript check only prevents a submission from being dropped and is not a substitute for the server-side check.
JavaScript API
This is implemented by the sessionVerifier module (used from the page as SessionVerifier).
The module exposes the method requireUpToDateSession, which takes two callbacks as parameters. The first is called when the verification succeeded; the second is called when the verification request has been answered, whether the member was verified or not.

```javascript
const onVerifiedCallback = () => {
    // Put here the code to be executed when the verification succeeded
};
const onSuccessRequestCallback = () => {
    // Put here code that must always be executed, whether or not the verification succeeded
};
SessionVerifier.requireUpToDateSession(
    onVerifiedCallback,
    onSuccessRequestCallback
);
```

The method checks whether the member is verified. If they are not, a modal is displayed asking for the password and the module then tries to verify the member. If the verification succeeded, the first callback is called.
Simple modal popup integration with links
If you have a link or button that should be blocked until the member is verified, add the data attribute data-require-verify to it. Such links are intercepted by code in our app.js, which requires verification through the JavaScript API described above before performing the requested action. This avoids a redirect to the verification page when the member is not verified and gives a more fluid user experience.
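The following is an added example, not the project's sessionVerifier module or app.js code. It is a minimal stand-in that shows the two-callback contract of requireUpToDateSession, how a form submission is gated on it (the form-submission problem described under the middleware section), and how the three verification windows from the expiration section play out. Everything about the back-end is assumed: that the check endpoint answers `{verified: true|false}`, that the password is posted to an endpoint answering the same shape, and that `askPassword()` is whatever modal the app shows, returning null on cancel. The transport is modelled synchronously with an injected clock so the flow runs offline and expiry can be exercised without waiting.

```javascript
// Added example, not the project's sessionVerifier module. Assumptions:
// check() answers {verified}, verify(password) answers {verified},
// askPassword() returns the typed password or null when the modal is cancelled.

const HOUR_MS = 60 * 60 * 1000;
// Verification windows from the "Verification expiration" section.
const VERIFY_WINDOW_MS = {
  password: HOUR_MS,           // password login: default 1h window
  impersonation: 24 * HOUR_MS, // admin impersonation: extended 1 day window
  'direct-link': 0,            // direct-login link: never verified
};

// Stand-in for the two back-end endpoints (real code would use fetch()).
// The clock is injected so expiry can be simulated.
function createFakeBackend(loginKind, clock, memberPassword) {
  let verifiedUntil = clock.now() + VERIFY_WINDOW_MS[loginKind];
  return {
    check: () => ({ verified: clock.now() < verifiedUntil }),
    verify: (password) => {
      const ok = password === memberPassword;
      // A successful password check starts a fresh default (1h) window.
      if (ok) verifiedUntil = clock.now() + VERIFY_WINDOW_MS.password;
      return { verified: ok };
    },
  };
}

function createSessionVerifier({ backend, askPassword }) {
  return {
    // onVerified: runs only if the member is, or becomes, verified.
    // onRequestDone: runs once the request is answered, verified or not.
    requireUpToDateSession(onVerified, onRequestDone) {
      let verified = backend.check().verified;
      if (!verified) {
        const password = askPassword(); // the modal; null means cancelled
        if (password !== null) verified = backend.verify(password).verified;
      }
      if (verified) onVerified();
      onRequestDone();
      return verified;
    },
  };
}

// Gate a POST on verification instead of letting the middleware redirect and
// lose the form body. `submit` performs the real submission (form.submit(),
// fetch, ...). Returns true if the submission ran.
function submitWhenVerified(verifier, submit) {
  let submitted = false;
  verifier.requireUpToDateSession(
    () => { submit(); submitted = true; },
    () => { /* always runs: e.g. re-enable the submit button here */ },
  );
  return submitted;
}

// Scenario runner: how the member logged in, how much time has passed since,
// and what they type into the password modal (null = cancel).
function runScenario(loginKind, elapsedMs, typedPassword) {
  let now = 0;
  const clock = { now: () => now };
  const backend = createFakeBackend(loginKind, clock, 'correct horse battery');
  now += elapsedMs;
  let prompted = 0;
  let submissions = 0;
  const verifier = createSessionVerifier({
    backend,
    askPassword: () => { prompted += 1; return typedPassword; },
  });
  const submitted = submitWhenVerified(verifier, () => { submissions += 1; });
  return { submitted, prompted, submissions };
}

// Password login 10 minutes ago: no prompt, the form goes through.
// Password login 2 hours ago: prompt, correct password, the form goes through.
// Direct-login link: prompt immediately; cancelling blocks the submission.
// Impersonation 2 hours ago: still inside the 1-day window, no prompt.
```

The same gating is what the data-require-verify interception does for links: the action runs inside the first callback, and whatever must happen regardless of outcome (re-enabling a button, hiding a spinner) goes in the second. Note that the client-side check is a convenience for the user; the 'verify-session' middleware on the receiving route remains the enforcement point.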
Back-end API
- Check security session: https://staging.ixdf.dev/verify/check
- Force end security session: https://staging.ixdf.dev/verify/destroy