@perseidesjs/medusa-plugin-otp
Website|Medusa
A Medusa's plugin for implementing OTP.
Installation
1npm install @perseidesjs/medusa-plugin-otp
Usage
This plugin uses Redis under the hood, this plugin will also work in a development environment thanks to the fake Redis instance created by Medusa, remember to use Redis in production, by just passing the Copy to clipboard
redis_url option to the Copy to clipboardmedusa-config.js > projectConfig object.
Plugin configuration
You need to add the plugin to your Medusa configuration before you can use the OTPService. To do this, import the plugin as follows:
12345const plugins = [`medusa-fulfillment-manual`,`medusa-payment-manual`,`@perseidesjs/medusa-plugin-otp`,]
You can also override the default configuration by passing an object to the plugin as follows:
123456789101112const plugins = [`medusa-fulfillment-manual`,`medusa-payment-manual`,{resolve: `@perseidesjs/medusa-otp`,/** @type {import('@perseidesjs/medusa-plugin-otp').PluginOptions} */options: {ttl: 30, // In seconds, the time to live of the OTP before expirationdigits: 6, // The number of digits of the OTP (e.g. 123456)},},]
Default configuration
| Option | Type | Default | Description |
|---|---|---|---|
| ttl | Copy to clipboardNumber | Copy to clipboard60 | The time to live of the OTP before expiration |
| digits | Copy to clipboardNumber | Copy to clipboard6 | The number of digits of the OTP (e.g. 123456) |
How to use
In this example, we're going to override the current authentication system for the store (Copy to clipboard
/store/auth). The workflow we're going to implement is as follows:
- Extend the Customer model to add a new field called Copy to clipboard
otp_secret - When a Customer is created, generate a random secret and save it in the Copy to clipboard
otp_secretfield - When a Customer logs in, generate a new OTP
- Send an e-mail to the customer using a Copy to clipboard
Subscriberand the event used by the Copy to clipboardTOTPServiceincluded in the plugin. - Create a new route to verify and authenticate the Customer
- Extending the Customer model
First, we need to extend the Customer model to add a new field called Copy to clipboard
otp_secret.
12345678import { Customer as MedusaCustomer } from '@medusajs/medusa'import { Column, Entity } from 'typeorm'@Entity()export class Customer extends MedusaCustomer {@Column({ type: 'text' })otp_secret: string}
Don't to create the migration for this model :
1234567891011import { MigrationInterface, QueryRunner } from 'typeorm'export class AddOtpSecretToCustomer1719843922955 implements MigrationInterface {public async up(queryRunner: QueryRunner): Promise<void> {await queryRunner.query(`ALTER TABLE "customer" ADD "otp_secret" text`)}public async down(queryRunner: QueryRunner): Promise<void> {await queryRunner.query(`ALTER TABLE "customer" DROP COLUMN "otp_secret"`)}}
- Generating a secret
When a Customer is created, we need to generate a random secret and save it in the Copy to clipboard
otp_secret field.
For this, we're going to register a Copy to clipboard
Subscriber for the Copy to clipboardCustomerService.Events.CREATED event.123456789101112131415161718192021222324252627282930313233343536373839404142434445// src/subscribers/customer-created.tsimport { Logger, SubscriberArgs, SubscriberConfig } from '@medusajs/medusa'import type { TOTPService } from '@perseidesjs/medusa-plugin-otp'import { EntityManager } from 'typeorm'import CustomerService from '../services/customer'type CustomerCreatedEventData = {id: string // Customer ID}/*** This subscriber will be triggered when a new customer is created.* It will add an OTP secret to the customer for the sake of OTP authentication.*/export default async function setOtpSecretForCustomerHandler({data,container,}: SubscriberArgs<CustomerCreatedEventData>) {const logger = container.resolve<Logger>('logger')const activityId = logger.activity(`Adding OTP secret to customer with ID : ${data.id}`,)const customerService = container.resolve<CustomerService>('customerService')const totpService = container.resolve<TOTPService>('totpService')const otpSecret = totpService.generateSecret()await customerService.update(data.id, {otp_secret: otpSecret,})logger.success(activityId,`Successfully added OTP secret to customer with ID : ${data.id}!`,)}export const config: SubscriberConfig = {event: CustomerService.Events.CREATED,context: {subscriberId: 'set-otp-for-customer-handler',},}
- Override the /store/auth route
Now every customer who creates an account will have a unique key enabling him to generate unique OTPs for his account, we're now going to override the current auth route used by Medusa to generate an OTP for the customer instead of the default one.
12345678910111213141516171819202122232425262728293031323334353637383940414243444546// src/api/store/auth/route.tsimport {StorePostAuthReq,defaultStoreCustomersFields,validator,type AuthService,type MedusaRequest,type MedusaResponse,} from '@medusajs/medusa'import { defaultRelations } from '@medusajs/medusa/dist/api/routes/store/auth'import type { TOTPService } from '@perseidesjs/medusa-plugin-otp'import { EntityManager } from 'typeorm'import CustomerService from '../../../services/customer'export async function POST(req: MedusaRequest, res: MedusaResponse) {const validated = await validator(StorePostAuthReq, req.body)const authService: AuthService = req.scope.resolve('authService')const manager: EntityManager = req.scope.resolve('manager')const result = await manager.transaction(async (transactionManager) => {return await authService.withTransaction(transactionManager).authenticateCustomer(validated.email, validated.password)})if (!result.success) {res.sendStatus(401)return}const customerService: CustomerService = req.scope.resolve('customerService')const totpService: TOTPService = req.scope.resolve('totpService')const customer = await customerService.retrieve(result.customer?.id || '', {relations: defaultRelations,select: [...defaultStoreCustomersFields, 'otp_secret'],})const otp = await totpService.generate(customer.id, customer.otp_secret)const { otp_secret, ...rest } = customer // We omit the otp_secret from the response, you can also handle this in the CustomerServiceres.json({ customer: rest })}
Now whenever a customer logs in, it will no more register a connect_sid cookie, instead, it will generate a new OTP.
- Subscribing to the event
You can subscribe to the event Copy to clipboard
TOTPService.Events.GENERATED to be notified when a new OTP is generated, the key used here for example is the customer ID :123456789101112131415161718192021222324252627282930313233343536// src/subscribers/otp-generated.tsimport type { Logger, SubscriberArgs, SubscriberConfig } from "@medusajs/medusa";import { TOTPService } from "@perseidesjs/medusa-plugin-otp";import type CustomerService from "../services/customer";/*** Send the OTP to the customer whenever the TOTP is generated.*/export default async function sendTOTPToCustomerHandler({data,container}: SubscriberArgs<{ key: string }>) { // The key here is the customer IDconst logger = container.resolve<Logger>("logger")const customerService = container.resolve<CustomerService>("customerService")const customer = await customerService.retrieve(data.key).catch((e) => {// In case you are using multiple OTP, if it fails it means the key is invalid / not a customer IDlogger.failure(activityId, `An error occured while retrieving the customer with ID : ${data.key}!`)throw e})const activityId = logger.activity(`Sending OTP to customer with ID : ${customer.id}`)// Use your NotificationService here to send the OTP to the customer (e.g. SendGrid)logger.success(activityId, `Successfully sent OTP to customer with ID : ${customer.id}!`)}export const config: SubscriberConfig = {event: TOTPService.Events.GENERATED,context: {subscriberId: 'send-totp-to-customer-handler'}}
Your customer will now receive an OTP in their email, let's see how to verify it once it's consumed by your customer.
- Verifying the OTP
We're now going to create a new route to verify the OTP, this route will be called by the customer when they want to log in, we're going to use the Copy to clipboard
TOTPService to verify the OTP and authenticate the customer.
12345678910111213141516171819202122232425262728293031323334353637383940// src/api/store/auth/otp/route.tsimport { validator, type MedusaRequest, type MedusaResponse } from "@medusajs/medusa";import { IsEmail, IsString, MaxLength, MinLength } from "class-validator";import type { TOTPService } from "@perseidesjs/medusa-plugin-otp";import type CustomerService from "../../../../services/customer";export async function POST(req: MedusaRequest,res: MedusaResponse): Promise<void> {const validated = await validator(StoreVerifyOTP, req.body);const customerService = req.scope.resolve<CustomerService>("customerService");const totpService = req.scope.resolve<TOTPService>("totpService");const customer = await customerService.retrieveRegisteredByEmail(validated.email);const isValid = await totpService.verify(customer.id, validated.otp)if (!isValid) {res.status(400).send({ error: "OTP is invalid" });return}// Set customer id on session, this is stored on the server (connect_sid).req.session.customer_id = customer.id;res.status(200).json({ customer })}class StoreVerifyOTP {@IsString()otp: string;@IsEmail()email: string;}
Your customer is now authenticated, and the connect_sid cookie is set on the response.
More information
You can find the Copy to clipboard
TOTPService class in the src/services/totp.ts file.License
This project is licensed under the MIT License - see the LICENSE file for details
.png&w=3840&q=90)