Topics created by jogiprasadpakki

Hiya,

It seems you are asking how to allow a user to use MFA at all times, except when they are changing their password. That would seem to me to be exactly the right time to require MFA, but maybe I'm missing something.

The 242 return code is documented here.

If you are determined to avoid TOTP when someone is changing their password, you could write your own password change page and turn off MFA for the user when you notice they are changing their password. Then, once they've succeeded, you could turn it on again.

Hope that helps.

@peter-netbal

I would like to know whats the best / recommended practice in this case...

I'm a former consultant, so the answer is "it depends". It depends on how many applications you have and what you are using the verified attribute for.

There is no way to register the user and the registration in one step unless you send the emails outside of FusionAuth. You can of course update the user via the API to have verified true when someone verifies their registration, perhaps by listening to a webhook: https://fusionauth.io/docs/v1/tech/events-webhooks/events#user-registration-verified and with skipVerification set to true.

I also wonder why you need to have both the user object and the register object set the value of verified to true. Can you have your application read just one of those values? Or are you looking to have things consistent between the two objects?

That was the same things happens with me.

I don't believe there's any way to find the expiry of a changePasswordId.

You could:

keep track of it yourself, since you know when you started the flow and you know how long the id is good for (it is in the tenant settings, I believe). build your own request password flow and just use this call: https://fusionauth.io/docs/v1/tech/apis/users#change-a-users-password with the loginId and an API key just try to change it and if you get a 404, redisplay the reset password flow. This is the default option.