
strapi-plugin-user-2fa

v0.0.5

Published

Plugin for Strapi Local auth to manage 2FA for users.

Readme

This Strapi plugin enhances the local authentication system by adding multi-factor authentication (MFA/2FA) support.

⚠️ BETA Release Notice: This plugin is currently in BETA. In this initial release, MFA authentication is available via email only.

This plugin works by creating a temporary MFA token and blocking login until both the MFA token and the OTP are provided.

Admin GUI

  • A new column is displayed in the User list view.

    [Image: strapi mfa user list]

  • Once in the User edit view, a new section shows the MFA settings, with a CTA to edit the current configuration.

    [Images: strapi mfa edit, strapi mfa modal, strapi mfa disabled]

Admin Plugin Settings

  • This plugin extends the user-permissions email store.

    NOTE:

    Strapi's default Email Template view is hardcoded to only show two default templates. This plugin introduces a new view that allows you to edit both existing templates and newly created ones.

    [Image: strapi mfa disabled]

  • As the plugin provides some User APIs, the admin can modify the permissions:

    During plugin initialization, the Authenticated role is granted access to read its own MFA registrations. To allow a role to modify its own registrations, the admin needs to enable the updateMyMFA action for that role.

    [Image: strapi mfa disabled]

⚠️ Compatibility with Strapi versions

  • This plugin relies on the new documentId introduced in Strapi 5. It will not work with earlier versions!
  • Works with local provider only.

⚙️ Installation

Install the Strapi MFA Plugin using one of the following commands:

npm install strapi-plugin-user-2fa
yarn add strapi-plugin-user-2fa

Config

You will need to have a working email provider in place.

This component relies on extending the user-permissions types.

Modify your plugins file config/plugin.ts to have the following:


export default ({ env }) => ({
  // ..other plugins
  "strapi-plugin-user-2fa": {
    enabled: true,
    config: {
      mfaTokenExpiresIn: "5m", // lifetime of the temporary MFA token
      // Set MFA_JWT_SECRET in every environment; the literal fallback is a placeholder only.
      mfaTokenSecret: env("MFA_JWT_SECRET") || "SomethingSecret",
      forceMFA: true, // this setting enables MFA on user creation
    },
  },
});

NOTE

Strapi's NODE_ENV must be set to something other than development; otherwise the OTPs will be a static value.
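A pre-deployment check for the settings above, as an added example that is not part of the plugin: it flags the sample fallback secret, the static-OTP development mode, and an over-long MFA token lifetime. The function names, the 32-character and 10-minute thresholds, and the simple duration parser are assumptions made for this example.

```javascript
// Added example (not plugin code). Thresholds below are assumptions.
const PLACEHOLDER_SECRETS = ["SomethingSecret"]; // literal from the sample config
const MIN_SECRET_LENGTH = 32;
const MAX_TOKEN_LIFETIME_SECONDS = 600;

// Parse simple "30s" / "5m" / "1h" / "1d" lifetimes into seconds.
function lifetimeSeconds(value) {
  const m = /^(\d+)\s*([smhd])$/.exec(String(value).trim());
  if (!m) return NaN;
  return Number(m[1]) * { s: 1, m: 60, h: 3600, d: 86400 }[m[2]];
}

// Returns a list of human-readable findings; an empty list means no issue found.
function auditMfaConfig(config, nodeEnv) {
  const findings = [];
  const secret = config.mfaTokenSecret;
  if (!secret || PLACEHOLDER_SECRETS.includes(secret)) {
    findings.push("mfaTokenSecret is unset or the documented placeholder");
  } else if (secret.length < MIN_SECRET_LENGTH) {
    findings.push("mfaTokenSecret is shorter than " + MIN_SECRET_LENGTH + " characters");
  }
  const ttl = lifetimeSeconds(config.mfaTokenExpiresIn);
  if (Number.isNaN(ttl)) {
    findings.push("mfaTokenExpiresIn is not a recognised duration");
  } else if (ttl > MAX_TOKEN_LIFETIME_SECONDS) {
    findings.push("mfaTokenExpiresIn exceeds 10 minutes");
  }
  if (nodeEnv === "development") {
    findings.push("NODE_ENV=development: OTPs are a static value");
  }
  if (config.forceMFA !== true) {
    findings.push("forceMFA is off: MFA is not enabled on user creation");
  }
  return findings;
}
```

Run it at startup or in CI with the resolved plugin config and process.env.NODE_ENV, and fail the deployment when the returned list is not empty.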

API Usage:

User Authentication

If the user has MFA configured and enabled, POST:/api/auth/local will return the following response:

{
  "mfaToken": "token..."
}

Once the user retrieves the OTP, call POST:/api/auth/local/2fa with the following payload:

{
  "mfaToken": "mfaToken...",
  "mfaOTP": "OTPValue"
}

If the MFA token and the OTP are valid, the API will return:

{
  "jwt": "NewAccessToken..",
  "user": {
    /* user object */
  }
}
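The two-step exchange described above from the client side, as an added example that is not part of the plugin. loginWithMfa, getOtp and fakeStrapi are hypothetical names; the identifier/password request body is Strapi's standard local login, and the direct jwt response for users without MFA is assumed to be Strapi's default behaviour.

```javascript
// Added example (not plugin code). fetchFn is injectable so the flow can be
// exercised offline; getOtp is a hypothetical callback that asks the user
// for the code received by email.
async function loginWithMfa(baseUrl, identifier, password, getOtp, fetchFn = fetch) {
  const post = async (path, body) => {
    const res = await fetchFn(baseUrl + path, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });
    const data = await res.json();
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    return data;
  };

  const first = await post("/api/auth/local", { identifier, password });
  // Assumed default: without an enabled MFA registration the jwt comes back directly.
  if (first.jwt) return { jwt: first.jwt, user: first.user, usedMfa: false };
  // With MFA enabled only the temporary mfaToken is returned, never a jwt.
  if (!first.mfaToken) throw new Error("unexpected login response");

  const mfaOTP = await getOtp();
  const second = await post("/api/auth/local/2fa", { mfaToken: first.mfaToken, mfaOTP });
  if (!second.jwt) throw new Error("2FA step did not return a jwt");
  return { jwt: second.jwt, user: second.user, usedMfa: true };
}

// Constructed stand-in for a Strapi server with the plugin enabled for the user.
function fakeStrapi(validOtp) {
  const reply = (status, data) => ({ ok: status < 400, status, json: async () => data });
  return async (url, init) => {
    const body = JSON.parse(init.body);
    if (url.endsWith("/api/auth/local")) return reply(200, { mfaToken: "mfa-abc" });
    if (url.endsWith("/api/auth/local/2fa")) {
      return body.mfaToken === "mfa-abc" && body.mfaOTP === validOtp
        ? reply(200, { jwt: "jwt-xyz", user: { id: 1 } })
        : reply(400, { error: "invalid token or OTP" });
    }
    return reply(404, {});
  };
}
```

The client must treat the mfaToken response as "not yet authenticated": no jwt is stored and no protected call is made until the second step succeeds.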

User settings

A user with a valid token can query GET:/api/user-2fa/me to get a list of MFA registrations. The API responds with the following:

[
  // list of registration objects
  {
    id: 1,
    documentId: 'nhsw180pg2oh86m40zs5n8ht',
    enabled: false,
    createdAt: '2025-03-16T02:37:52.236Z',
    updatedAt: '2025-03-16T03:38:28.100Z',
    publishedAt: '2025-03-16T03:38:28.097Z',
    locale: null,
    type: 'email',
    value: '[email protected]',
  },
];

Users can enable or disable their own registrations using PATCH:/api/user-2fa/me/:documentId with the following payload:

{
  "data": {
    "enabled": true
  }
}

The API will return the following response:

[
  // list of registration objects
  {
    id: 1,
    documentId: 'nhsw180pg2oh86m40zs5n8ht',
    enabled: true,
    createdAt: '2025-03-16T02:37:52.236Z',
    updatedAt: '2025-03-16T03:38:28.100Z',
    publishedAt: '2025-03-16T03:38:28.097Z',
    locale: null,
    type: 'email',
    value: '[email protected]',
  },
];

🚀 TODO:

  • ✅ Verify compatibility with the refresh token plugin
  • 🔄 Future enhancements to support additional MFA methods (e.g., TOTP, SMS, authenticator apps)

Workflows:

  • API

    [Diagram: strapi mfa workflow]

  • End to end

    [Diagram: strapi mfa workflow]

  • Registration

    [Diagram: strapi mfa workflow]