---
title: MFA
---

Enable or disable Multi-Factor Authentication (MFA) on the User account.

- [Setup MFA](#setup-mfa)
- [Confirm MFA](#confirm-mfa)
- [Disable MFA](#disable-mfa)

## Endpoints

Enabling, confirming, and disabling MFA is all possible via this endpoint:

| Method | Path | Authentication |
| --------: | :--- | :------------- |
| | `/account/mfa/jwt` | [JSON Web Token](/reference/backend/api/authentication#jwt-authentication) |
| | `/account/mfa/key` | [API Key & Secret](/reference/backend/api/authentication#key-authentication) |

## Setup MFA

### Request body

| Property | Type | Description |
| ----------: | :------- | :---------- |
| `mfa` | `boolean` | Set to `true` to enable MFA |

### Response status codes

Possible status codes for this endpoint are:

| Status code | Description |
| ----------: | :---------- |
| | success |
| | the request was malformed |
| | authentication failed |
| | access denied |
| | server error |

If the status code is not the success code, the `error` property in the response body should indicate the nature of the problem.

### Response body

| Value | Type | Description |
| -------------- | -------- | ----------- |
| `result` | String | Either `success` or `error` |
| `error` | String | Will give info on the nature of the error. Only set if an error occurred. |
| `mfa.secret` | String | The shared secret for generating one-time password (OTP) tokens |
| `mfa.otpauth` | String | The OTP Auth URI that is encoded in the QR code |
| `mfa.qrcode` | String | SVG to display a QR code with the otpauth URI encoded |

##### Styling the SVG

The SVG returned by the backend uses `currentColor` for the QR code, so you can style it with CSS if you embed it in the page.

### Example request

```js
import axios from 'axios'

// `token` is the User's JSON Web Token
const mfa = await axios.post(
  'https://backend.freesewing.org/account/mfa/jwt',
  { mfa: true },
  { headers: { Authorization: `Bearer ${token}` } }
)
```

### Example response

```200.json
{
  "result": "success",
  "mfa": {
    "secret": "KBTSKUKRDJPEGCZK",
    "otpauth": "otpauth://totp/FreeSewing:user-294?secret=KBTSKUKRDJPEGCZK&period=30&digits=6&algorithm=SHA1&issuer=FreeSewing",
    "qrcode": "\n"
  }
}
```

## Confirm MFA

To confirm MFA, we need to provide an MFA token to ensure the user can generate them.

### Request body

| Property | Type | Description |
| ----------: | :------- | :---------- |
| `mfa` | `boolean` | Must be set to `true` to confirm MFA |
| `secret` | `string` | The secret returned when setting up MFA |
| `token` | `string` | A valid MFA token (one-time password) generated from the secret |

### Response status codes

Possible status codes for this endpoint are:

| Status code | Description |
| ----------: | :---------- |
| | success |
| | the request was malformed |
| | authentication failed |
| | access denied |
| | server error |

If the status code is not the success code, the `error` property in the response body should indicate the nature of the problem.

### Response body

| Value | Type | Description |
| -------------- | -------- | ----------- |
| `result` | String | Either `success` or `error` |
| `error` | String | Will give info on the nature of the error. Only set if an error occurred. |

### Example request

```js
import axios from 'axios'
import { authenticator } from '@otplib/preset-default'

// `mfa` is the `mfa` object from the setup response, `token` is the User's JSON Web Token
const confirm = await axios.post(
  'https://backend.freesewing.org/account/mfa/jwt',
  {
    mfa: true,
    secret: mfa.secret,
    token: authenticator.generate(mfa.secret)
  },
  { headers: { Authorization: `Bearer ${token}` } }
)
```

### Example response

```200.json
{
  "result": "success"
}
```

## Disable MFA

To disable MFA, you need to provide both the account password and a valid token.

### Request body

| Property | Type | Description |
| ----------: | :------- | :---------- |
| `mfa` | `boolean` | Must be set to `false` to disable MFA |
| `password` | `string` | The User's password |
| `token` | `string` | A valid MFA token (one-time password) |

### Response status codes

Possible status codes for this endpoint are:

| Status code | Description |
| ----------: | :---------- |
| | success |
| | the request was malformed |
| | authentication failed |
| | access denied |
| | server error |

If the status code is not the success code, the `error` property in the response body should indicate the nature of the problem.

### Response body

| Value | Type | Description |
| -------------- | -------- | ----------- |
| `result` | String | Either `success` or `error` |
| `error` | String | Will give info on the nature of the error. Only set if an error occurred. |

### Example request

```js
import axios from 'axios'
import { authenticator } from '@otplib/preset-default'

// `token` is the User's JSON Web Token; the MFA token would normally come from
// the User's authenticator app rather than be generated from the stored secret
const disable = await axios.post(
  'https://backend.freesewing.org/account/mfa/jwt',
  {
    mfa: false,
    password: "I like big bewbs and I just can't lie",
    token: authenticator.generate(mfa.secret)
  },
  { headers: { Authorization: `Bearer ${token}` } }
)
```

### Example response

```200.json
{
  "result": "success"
}
```