Add reverification for sensitive actions
Reverification allows you to prompt a user to verify their credentials before performing sensitive actions, even if they're already authenticated. For example, in a banking application, transferring money is considered a "sensitive action." Reverification can be used to confirm the user's identity.
How to require reverification
To implement reverification, you need to handle it both on the server- and client-side.
Handle reverification server-side
To handle reverification server-side, use the auth.has()
helper to check if the user has verified their credentials within a specific time period. Pass a configuration to set the time period you would like. If the user hasn't verified their credentials within that time period, return either reverificationError
or reverificationErrorResponse
, depending on the framework you're using. Use the following tabs to see examples for different frameworks.
The following example uses the has()
helper to check if the user has verified their credentials within a specific time period. The strict
configuration sets the time period to 10 minutes. If the user hasn't verified their credentials within 10 minutes, the reverificationError
utility is used to return an error.
The following example uses the has()
helper to check if the user has verified their credentials within a specific time period. The strict
configuration sets the time period to 10 minutes. If the user hasn't verified their credentials within 10 minutes, the reverificationErrorResponse
utility is used to return an error.
The following example uses the clerk_user_needs_reverification
helper to check if the user has verified their credentials within a specific time period. The moderate
configuration sets the time period to 1 hour. If the user hasn't verified their credentials within 1 hour, the clerk_render_reverification
utility is used to return a 403 forbidden
error that the client reads to initiate the reverification flow. Once the user completes the reverification on the client-side, they can access the foo
action, which returns a success response.
- For a JavaScript or Typescript framework that supports the Fetch API
Response
, use thereverificationErrorResponse
to trigger reverification. For example: - For a JavaScript or Typescript framework that provides its own utilities to handle responses, use
reverificationError
. For example: - Alternatively, if you're not using JavaScript or TypeScript, you can create a custom helper that returns the following JSON response (it's recommended to use a
403 Forbidden
status code in your response):
Handle reverification client-side
After setting up reverification on the server-side, you must handle reverification on the client-side.
The following example demonstrates how to use the useReverification()
hook to detect authorization errors and automatically display a modal that allows the user to verify their identity. Upon successful verification, the previously failed request is automatically retried.
Supported reverification configurations
To define the time period of the reverification check, you can pass the one of the following configurations to the has()
helper: strict_mfa
, strict
, moderate
, and lax
. See the has()
reference doc for more details.
Caveats
Before enabling this feature, consider the following:
- Available factors for reverification: Not all authentication factors are supported for reverification. The available options are:
- First factors: password, email code, phone code
- Second factors: phone code, authenticator app, backup code
- Graceful downgrade of verification level: If you request a
second_factor
ormulti_factor
level of verification but the user lacks a second factor available, the utilities automatically downgrade the requested level tofirst_factor
. - Eligibility for sensitive actions: Users without any of the above factors cannot reverify. This can be an issue for apps that don't require email addresses to sign up or have disabled email codes in favor of email links.
Feedback
Last updated on