I took it upon myself to add two-factor authentication to Rocket Chat for the DSA’s new deployment.

A straw poll on the chat confirmed that TOTP is the most urgent/important kind of two-factor, since it’s what Google Authenticator, 1Password and LastPass support, followed by U2F (well, really, I want U2F; I don’t know if anyone else cares).

I cloned the RocketChat git repository and started poking around. It’s built on Meteor and uses Meteor’s Accounts module for authentication. Meteor has built-in support for password-based auth, LDAP and several OAuth providers, but no two-factor built in.

I’m setting out to see if it’s possible to “hook in” to Meteor’s password authentication module (e.g., can I get a callback when a password is confirmed, but before the session is updated?). The documentation is pretty sparse, and it’s not clear which functions in Meteor are externally supported. If not, I’ll probably have to write a new password-based login (cloned from the core one) that also does two-factor. This, at least, is straightforward through the documented API with registerLoginHandler.

There is one example that I’m following, which doesn’t seem great, but at least manages to hook into Meteor.

As a starting point, I’m making a simple non-RocketChat app in order to walk through how authentication in Meteor works out of the box.