On Fri, Jun 30, 2023 at 11:13 AM Nick Couchman <vn...@apache.org> wrote:
>
> I decided to take a shot at writing a One-Time Password extension that sends the OTP via e-mail, providing multi-factor authentication by implementing it as a decorating authentication extension. I've got quite a bit of it written and mostly working, but I'm running into one behavior that I cannot figure out.
>
> One of my criteria when implementing this extension was that the OTP communicated via e-mail should only be used one time - that is, as soon as it is used, it is invalidated and/or removed from the storage mechanism that tracks the OTPs for the user. Unfortunately this is causing an issue, because it seems that the decorate() method for the UserContext object gets called twice, which means the OTP validation happens twice. I'm not sure if this is because it's getting called to decorate both the PostgreSQL and PostgreSQL Shared authentication providers? I've gone through my code a few times to make sure that I'm not accidentally calling it multiple times, myself, and I'm not seeing that.
>
> So, my questions are:
> 1) Is this (multiple decorations/verifications during a single login) expected?
> 2) Assuming it is expected, any guidance on how to implement in a way that works with this? I suppose I could relax the requirement for only using it once and allow it to be used multiple times during the time it is valid, but ideally it would truly be a single-use password.
>
Perhaps this is similar to the issue faced in GUACAMOLE-1780? -Nick
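The double decorate() call described in the quoted message is one way a strictly single-use OTP can reject an otherwise valid login. The following is an added example, not Guacamole's code and not Nick's extension, of a store that consumes a code exactly once but treats a repeated verification from the same login attempt as a pass rather than a second consumption. The login attempt is identified by a caller-supplied string; inside a decorate() implementation that would typically be something tied to the current login, such as the HTTP session ID. The class name, the attempt identifiers and the sample codes are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical single-use e-mail OTP store (example only, not Guacamole's code).
 *
 * A code is consumed the first time it verifies. A second verification of the
 * same code from the SAME login attempt (e.g. decorate() running once per
 * decorated provider) also succeeds, without consuming anything. Any other
 * attempt presenting the consumed code is refused: the code stays single-use
 * across logins, which is the property that matters against replay.
 */
public final class SingleUseOtpStore {

    /** Issued but not yet consumed. */
    private static final class Pending {
        final byte[] code; final Instant expires;
        Pending(byte[] code, Instant expires) { this.code = code; this.expires = expires; }
    }

    /** Consumed; remembers which login attempt used it and until when that is honoured. */
    private static final class Consumed {
        final byte[] code; final String attemptId; final Instant expires;
        Consumed(byte[] code, String attemptId, Instant expires) {
            this.code = code; this.attemptId = attemptId; this.expires = expires;
        }
    }

    private final Map<String, Pending> pending = new HashMap<>();
    private final Map<String, Consumed> consumed = new HashMap<>();
    private final Duration ttl;

    public SingleUseOtpStore(Duration ttl) { this.ttl = ttl; }

    /** Record a freshly e-mailed code for the user; replaces any earlier state. */
    public synchronized void issue(String username, String code, Instant now) {
        pending.put(username, new Pending(code.getBytes(StandardCharsets.UTF_8), now.plus(ttl)));
        consumed.remove(username);
    }

    /**
     * Verify a presented code for a given login attempt.
     * Returns true on first use, and again on repeat use by the same attempt.
     */
    public synchronized boolean verify(String username, String code, String attemptId, Instant now) {
        byte[] presented = code.getBytes(StandardCharsets.UTF_8);

        // 1. Already consumed? Honour a repeat only from the attempt that consumed it.
        Consumed c = consumed.get(username);
        if (c != null) {
            if (now.isAfter(c.expires)) {
                consumed.remove(username);
                return false;
            }
            // Constant-time compare so a mismatch does not leak code bytes via timing.
            return c.attemptId.equals(attemptId) && MessageDigest.isEqual(c.code, presented);
        }

        // 2. Still pending? Consume exactly once, recording the consuming attempt.
        Pending p = pending.get(username);
        if (p == null) return false;
        if (now.isAfter(p.expires)) {
            pending.remove(username);
            return false;
        }
        if (!MessageDigest.isEqual(p.code, presented)) return false;

        pending.remove(username);
        consumed.put(username, new Consumed(p.code, attemptId, p.expires));
        return true;
    }

    public static void main(String[] args) {
        SingleUseOtpStore store = new SingleUseOtpStore(Duration.ofMinutes(5));
        Instant t0 = Instant.parse("2023-06-30T11:13:00Z");   // constructed timestamp
        store.issue("nick", "482913", t0);                    // constructed sample code

        String attemptA = "login-attempt-A";                  // assumed attempt identifier
        System.out.println(store.verify("nick", "482913", attemptA, t0.plusSeconds(10)));       // true  (first use, consumed)
        System.out.println(store.verify("nick", "482913", attemptA, t0.plusSeconds(11)));       // true  (second decorate() call, same attempt)
        System.out.println(store.verify("nick", "482913", "login-attempt-B", t0.plusSeconds(20))); // false (replay from another login)
        System.out.println(store.verify("nick", "000000", attemptA, t0.plusSeconds(20)));       // false (wrong code)
        System.out.println(store.verify("nick", "482913", attemptA, t0.plusSeconds(400)));      // false (past TTL)
    }
}
```

Run with `java SingleUseOtpStore.java`. The design choice is that "single-use" is enforced per login attempt rather than per verify() call, so the number of times the framework invokes decorate() during one login does not matter, while a different attempt replaying the same code still fails. The example keeps state in memory and does no rate limiting of wrong guesses; a deployed extension would need both persistent storage and a cap on failed attempts per issued code.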