I decided to take a shot at writing a One-Time Password extension that sends the OTP via e-mail, providing multi-factor authentication by implementing it as a decorating authentication extension. I've got quite a bit of it written and mostly working, but I'm running into one behavior that I cannot figure out.
One of my criteria when implementing this extension was that the OTP communicated via e-mail should only be used one time - that is, as soon as it is used, it is invalidated and/or removed from the storage mechanism that tracks the OTPs for the user. Unfortunately this is causing an issue, because it seems that the decorate() method for the UserContext object gets called twice, which means the OTP validation happens twice. I'm not sure if this is because it's getting called to decorate both the Postgresql and Postgresql Shared authentication providers? I've gone through my code a few times to make sure that I'm not accidentally calling it multiple times, myself, and I'm not seeing that.

So, my questions are:

1) Is this (multiple decorations/verifications during a single login) expected?

2) Assuming it is expected, any guidance on how to implement in a way that works with this? I suppose I could relax the requirement for only using it once and allow it to be used multiple times during the time it is valid, but ideally it would truly be a single-use password.

Thanks - Nick
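The following is an added example, not code from the original post or from the authentication framework the extension targets. It shows one way to keep a single-use OTP strictly single-use while still tolerating the OTP being verified more than once during the same login: the first successful verification consumes the code and records which login attempt redeemed it, and later verifications succeed only when they present the same attempt identifier. The `attempt_id` parameter is an assumption of this example: it stands for whatever value the caller can keep stable across the repeated decorate() calls of one login (a per-request identifier, for instance) and a different one for every new login. Usernames, codes and the clock used in the comments are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _PendingOtp:
    code_mac: bytes                     # HMAC of the code; the store never holds the plaintext
    expires_at: float
    failures: int = 0                   # wrong guesses seen so far
    consumed_by: Optional[str] = None   # login attempt that first redeemed the code


class OneTimePasswordStore:
    """In-memory single-use OTP store (example code, not a framework API).

    verify() consumes the code on the first success and remembers the
    attempt_id that redeemed it. A second verify() from the same attempt_id
    still succeeds, so a login flow that validates twice is not broken, while
    any other attempt_id, an expired code or a wrong code is rejected.
    """

    def __init__(self, mac_key: bytes, ttl_seconds: float = 300.0,
                 max_failures: int = 5, digits: int = 8,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._key = mac_key              # server-side secret, keeps stored MACs useless if leaked
        self._ttl = ttl_seconds
        self._max_failures = max_failures
        self._digits = digits
        self._clock = clock              # injectable so expiry can be tested deterministically
        self._pending: Dict[str, _PendingOtp] = {}

    def _mac(self, username: str, code: str) -> bytes:
        # Bind the code to the username so a code issued to one user cannot be replayed as another.
        msg = username.encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Generate a fresh numeric OTP for the user; the caller e-mails it."""
        code = "".join(secrets.choice("0123456789") for _ in range(self._digits))
        # Issuing replaces any earlier code, so only one code per user is ever live.
        self._pending[username] = _PendingOtp(self._mac(username, code),
                                              self._clock() + self._ttl)
        return code

    def verify(self, username: str, code: str, attempt_id: str) -> bool:
        """Return True if code is valid for this login attempt; consume it on first use."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() >= entry.expires_at:
            del self._pending[username]          # expired: drop, never accept
            return False
        if not hmac.compare_digest(entry.code_mac, self._mac(username, code)):
            entry.failures += 1                  # wrong guess: count it, do not consume
            if entry.failures >= self._max_failures:
                del self._pending[username]      # too many guesses: burn the code
            return False
        if entry.consumed_by is None:
            entry.consumed_by = attempt_id       # first redemption: the code is now spent
            return True
        # Already spent: only the attempt that spent it may see it again.
        return hmac.compare_digest(entry.consumed_by.encode(), attempt_id.encode())

    def close_attempt(self, username: str, attempt_id: str) -> None:
        """Forget a consumed code once the login that redeemed it has finished."""
        entry = self._pending.get(username)
        if entry is not None and entry.consumed_by == attempt_id:
            del self._pending[username]
```

In a real extension the pending-OTP table would live in the database rather than a dict, and the "consume on first success" step must then be an atomic conditional update (for example an UPDATE that only succeeds when the row is still unconsumed) so that two concurrent verifications cannot both claim the code.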