Implement SMS OTP/2FA in Next.js with NextAuth and Plivo - code-examples -

This guide provides a step-by-step walkthrough for adding robust SMS-based Two-Factor Authentication (2FA) or One-Time Password (OTP) verification to your Next.js application using NextAuth.js for session management and Plivo for reliable SMS delivery.

We'll build a secure authentication flow where users log in with credentials (email/password) and, if 2FA is enabled, must verify their identity using a code sent via SMS before gaining full access. This enhances account security significantly. We will cover setting up the project, integrating Plivo, modifying the NextAuth flow, handling OTP logic, managing user 2FA settings, and deploying the application.

Technologies Used:

  • Next.js: React framework for full-stack web applications (App Router).
  • NextAuth.js (v5/beta): Authentication solution for Next.js, handling sessions, providers, and callbacks.
  • Plivo: Communications platform API for sending SMS messages.
  • Prisma: Next-generation ORM for database access (example uses PostgreSQL, adaptable to others).
  • Node.js: JavaScript runtime environment.
  • Tailwind CSS: Utility-first CSS framework (default with create-next-app).
  • (Optional) shadcn/ui: UI component library used in examples.

System Architecture:

mermaid
sequenceDiagram
    participant User
    participant Browser (Next.js Frontend)
    participant NextAuth Middleware
    participant NextAuth Callbacks (Server)
    participant Database (Prisma)
    participant Plivo API

    User->>Browser (Next.js Frontend): Enters Email/Password on /login
    Browser (Next.js Frontend)->>NextAuth Callbacks (Server): Submits Credentials via Server Action
    NextAuth Callbacks (Server)->>Database (Prisma): Verify User & Password
    alt User Found & Password Correct & 2FA Disabled
        NextAuth Callbacks (Server)->>Database (Prisma): Fetch User Data
        NextAuth Callbacks (Server)-->>Browser (Next.js Frontend): Create Session Cookie, Redirect to Dashboard
    else User Found & Password Correct & 2FA Enabled
        NextAuth Callbacks (Server)->>NextAuth Callbacks (Server): Generate OTP
        NextAuth Callbacks (Server)->>Database (Prisma): Store OTP Hash & Expiry for User
        NextAuth Callbacks (Server)->>Plivo API: Send OTP SMS to User's Phone
        Plivo API-->>User: Delivers SMS with OTP
        NextAuth Callbacks (Server)-->>Browser (Next.js Frontend): Redirect to /verify-otp page (with partial/pending state)
        User->>Browser (Next.js Frontend): Enters OTP on /verify-otp
        Browser (Next.js Frontend)->>NextAuth Callbacks (Server): Submits OTP via Server Action
        NextAuth Callbacks (Server)->>Database (Prisma): Fetch Stored OTP Hash for User
        NextAuth Callbacks (Server)->>NextAuth Callbacks (Server): Verify Submitted OTP against Stored Hash & Expiry
        alt OTP Correct
            NextAuth Callbacks (Server)->>Database (Prisma): Clear OTP Hash
            NextAuth Callbacks (Server)-->>Browser (Next.js Frontend): Establish Full Session, Redirect to Dashboard
        else OTP Incorrect/Expired
            NextAuth Callbacks (Server)-->>Browser (Next.js Frontend): Show Error on /verify-otp
        end
    else Invalid Credentials
         NextAuth Callbacks (Server)-->>Browser (Next.js Frontend): Show Error on /login
    end

    %% Subsequent Requests
    Browser (Next.js Frontend)->>NextAuth Middleware: Request Protected Route (e.g., /dashboard)
    NextAuth Middleware->>NextAuth Middleware: Check Session Cookie
    alt Valid Full Session
        NextAuth Middleware-->>Browser (Next.js Frontend): Allow Access
    else No/Invalid/Partial Session
        NextAuth Middleware-->>Browser (Next.js Frontend): Redirect to /login (or /verify-otp if pending)
    end

    %% Enable/Disable 2FA (Example on /profile page)
    User->>Browser (Next.js Frontend): Clicks Enable/Disable 2FA on /profile
    Browser (Next.js Frontend)->>NextAuth Callbacks (Server): Submits Request via Server Action
    NextAuth Callbacks (Server)->>Database (Prisma): Update user.twoFactorEnabled flag
    NextAuth Callbacks (Server)-->>Browser (Next.js Frontend): Confirm Success/Failure

Prerequisites:

  • Node.js (LTS version recommended) and npm/pnpm/yarn.
  • A Plivo account with available credits.
  • A Plivo phone number capable of sending SMS messages (purchased through the Plivo console).
  • A database instance (e.g., PostgreSQL, MySQL, SQLite). This guide uses PostgreSQL.
  • Basic understanding of Next.js, React, and asynchronous JavaScript.
  • (Optional) Familiarity with shadcn/ui for UI components, or adapt examples to your preferred library.

Final Outcome:

A Next.js application where users can:

  • Register and log in using email and password.
  • Optionally enable SMS-based 2FA on their profile.
  • Be prompted for an SMS OTP during login if 2FA is enabled.
  • Securely access protected dashboard routes only after successful primary login and OTP verification (if applicable).

1. Setting up the Project

Let's initialize a new Next.js project and install the necessary dependencies.

1.1 Create Next.js App:

Open your terminal and run:

bash
npx create-next-app@latest next-plivo-2fa --typescript --tailwind --eslint --app --src-dir --import-alias "@/*"
cd next-plivo-2fa

This command scaffolds a new Next.js project using the App Router, TypeScript, Tailwind CSS, and ESLint.

1.2 Install Dependencies:

Install NextAuth, Prisma, the Plivo SDK, and utility libraries:

bash
npm install next-auth@beta @auth/prisma-adapter prisma
npm install plivo-node bcrypt zod otp-generator
npm install -D @types/bcrypt @types/otp-generator
# Optional: If using shadcn/ui for UI components
# npx shadcn-ui@latest init
# npx shadcn-ui@latest add button input label
  • next-auth@beta: Core library for authentication. (Use beta for App Router compatibility).
  • @auth/prisma-adapter: NextAuth adapter for Prisma.
  • prisma: ORM for database interaction.
  • plivo-node: Official Plivo Node.js SDK.
  • bcrypt: Library for hashing passwords.
  • zod: Schema validation library.
  • otp-generator: Utility to generate secure OTPs.
  • @types/*: TypeScript definitions for development.

1.3 Initialize Prisma:

Set up Prisma for database management:

bash
npx prisma init --datasource-provider postgresql

This creates:

  • prisma/schema.prisma: Your database schema definition file.
  • .env: An environment file (Prisma adds DATABASE_URL).

1.4 Configure Environment Variables:

Open the .env file created in the root of your project and add the following variables. Obtain the Plivo credentials from your Plivo Console (Dashboard -> API Keys & Credentials).

bash
# .env

# Database (Prisma will add this during init - update with your actual connection string)
DATABASE_URL="postgresql://user:password@host:port/database?sslmode=require" # Example for PostgreSQL

# NextAuth Configuration
# Generate a strong secret. This is crucial for security.
# Any sufficiently long, random string will work.
# Example generation command (Linux/macOS with OpenSSL): openssl rand -base64 32
NEXTAUTH_SECRET="YOUR_NEXTAUTH_SECRET"
NEXTAUTH_URL="http://localhost:3000" # Use your production URL in deployment

# Plivo Credentials
PLIVO_AUTH_ID="YOUR_PLIVO_AUTH_ID"
PLIVO_AUTH_TOKEN="YOUR_PLIVO_AUTH_TOKEN"
PLIVO_PHONE_NUMBER="+1##########" # Your Plivo SMS-enabled number in E.164 format

# OTP Settings (Optional - Defaults can be set in code)
OTP_EXPIRY_MINUTES=5 # How long an OTP is valid

Explanation:

  • DATABASE_URL: Connection string for your database. Adjust based on your provider.
  • NEXTAUTH_SECRET: A random string used to encrypt JWTs and session cookies. Crucial for security. Generate a strong one and keep it secret.
  • NEXTAUTH_URL: The canonical URL of your application. Required by NextAuth, especially for callbacks and redirects.
  • PLIVO_AUTH_ID/TOKEN: Your Plivo API credentials. Keep these secret.
  • PLIVO_PHONE_NUMBER: The Plivo number used to send SMS.
  • OTP_EXPIRY_MINUTES: Defines the validity period for generated OTPs.

1.5 Define Database Schema:

Update prisma/schema.prisma to include fields required by NextAuth, Prisma Adapter, and our custom 2FA logic.

sql
// prisma/schema.prisma

generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider = "postgresql" // Or your chosen provider
  url      = env("DATABASE_URL")
}

model Account {
  id                String  @id @default(cuid())
  userId            String
  type              String
  provider          String
  providerAccountId String
  refresh_token     String? @db.Text
  access_token      String? @db.Text
  expires_at        Int?
  token_type        String?
  scope             String?
  id_token          String? @db.Text
  session_state     String?

  user User @relation(fields: [userId], references: [id], onDelete: Cascade)

  @@unique([provider, providerAccountId])
}

model Session {
  id           String   @id @default(cuid())
  sessionToken String   @unique
  userId       String
  expires      DateTime
  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)

  // Custom field to track 2FA verification status within a session
  twoFactorVerified Boolean? @default(false)
}

model User {
  id            String    @id @default(cuid())
  name          String?
  email         String?   @unique
  emailVerified DateTime?
  image         String?
  password      String? // For Credentials provider
  accounts      Account[]
  sessions      Session[]

  // Custom Fields for 2FA
  phoneNumber       String?   @unique // Store user's verified phone number for OTP
  twoFactorEnabled  Boolean   @default(false)
  twoFactorSecret   String?   // Store hashed OTP or related secret
  twoFactorExpiry   DateTime? // Store OTP expiry timestamp
}

model VerificationToken {
  identifier String
  token      String   @unique
  expires    DateTime

  @@unique([identifier, token])
}

Key Changes:

  • Standard NextAuth models (Account, Session, User, VerificationToken).
  • Added password field to User for the Credentials provider.
  • Added custom fields to User:
    • phoneNumber: To store the user's validated phone number for sending OTPs.
    • twoFactorEnabled: Boolean flag to track if 2FA is active for the user.
    • twoFactorSecret: To store the hashed OTP temporarily during verification. Do not store the plain OTP.
    • twoFactorExpiry: Timestamp indicating when the current OTP expires.
  • Added twoFactorVerified field to Session: This flag within the active session indicates if the second factor has been successfully verified during the current login attempt.

1.6 Apply Database Migrations:

Generate and apply the initial database migration:

bash
npx prisma migrate dev --name init

This command:

  1. Creates SQL migration files based on your schema.prisma.
  2. Applies the migration to your database.
  3. Generates the Prisma Client based on your schema.

1.7 Project Structure Overview:

Your src directory should look something like this:

src/
├── app/                 # Next.js App Router pages and layouts
│   ├── api/             # API routes (including NextAuth catch-all)
│   ├── (auth)/          # Route group for auth pages (login, register, verify-otp)
│   │   ├── login/
│   │   ├── register/
│   │   └── verify-otp/
│   ├── (protected)/     # Route group for authenticated pages
│   │   ├── dashboard/
│   │   └── layout.tsx   # Layout protecting routes in this group
│   ├── layout.tsx       # Root layout
│   └── page.tsx         # Home page
├── components/          # Reusable UI components
│   ├── ui/              # (If using shadcn/ui) Generated components
│   └── auth/            # Authentication specific components
├── lib/                 # Utility functions, constants, Prisma client, etc.
│   ├── prisma.ts        # Prisma client instance
│   ├── actions.ts       # Server Actions
│   ├── auth.ts          # NextAuth configuration (main)
│   ├── auth.config.ts   # NextAuth configuration (callbacks, pages - used by middleware)
│   ├── plivo.ts         # Plivo client setup and functions
│   └── utils.ts         # General utility functions (e.g., OTP generation)
└── middleware.ts        # Next.js Middleware for route protection

This structure separates concerns, placing authentication pages in an (auth) group and protected pages in a (protected) group, managed by middleware and layouts.

2. Implementing Core Functionality (Authentication Flow)

Now, let's configure NextAuth, set up the Plivo client, and implement the core login, registration, and OTP verification logic.

2.1 Configure Prisma Client:

Create a singleton instance of the Prisma client.

typescript
// src/lib/prisma.ts
import { PrismaClient } from '@prisma/client';

declare global {
  // eslint-disable-next-line no-var
  var prisma: PrismaClient | undefined;
}

export const prisma = global.prisma || new PrismaClient();

if (process.env.NODE_ENV !== 'production') {
  global.prisma = prisma;
}

2.2 Configure Plivo Client:

Set up the Plivo client using credentials from environment variables.

typescript
// src/lib/plivo.ts
import * as plivo from 'plivo';

const authId = process.env.PLIVO_AUTH_ID;
const authToken = process.env.PLIVO_AUTH_TOKEN;
const plivoPhoneNumber = process.env.PLIVO_PHONE_NUMBER;

let plivoClient: plivo.Client | null = null;

if (!authId || !authToken || !plivoPhoneNumber) {
  // In production, log a clear error. In development, a warning is acceptable
  // as SMS might not be needed for all dev tasks.
  if (process.env.NODE_ENV === 'production') {
     console.error('Plivo credentials or phone number missing in environment variables. SMS sending will fail.');
     // Consider throwing an error here in production if SMS is absolutely critical
     // throw new Error('Plivo configuration is incomplete.');
  } else {
     console.warn('Plivo credentials or phone number missing. SMS functionality will be disabled/simulated.');
  }
} else {
  // Initialize client only if credentials are available
  plivoClient = new plivo.Client(authId, authToken);
}

export const sourcePhoneNumber = plivoPhoneNumber;

/**
 * Sends an SMS message using Plivo.
 * @param to The recipient's phone number in E.164 format.
 * @param text The message body.
 * @returns Promise resolving with the Plivo API response or rejecting with an error.
 */
export async function sendSms(to: string, text: string) {
  if (!plivoClient || !sourcePhoneNumber) {
    // Log error or simulate success in development
    if (process.env.NODE_ENV !== 'production') {
        console.log(`SIMULATING SMS to ${to}: ${text}`);
        // Return a shape similar to Plivo's success response for consistency
        return Promise.resolve({
             message: 'SMS simulated',
             messageUuid: ['simulated-uuid-' + Math.random().toString(36).substring(7)],
             apiId: 'simulated-api-id'
         });
    }
    // In production, this should ideally not be reached if the check above is strict,
    // but throw an error just in case.
    console.error('Plivo client not initialized or source number missing. Cannot send SMS.');
    throw new Error('SMS service is not configured.');
  }

  try {
    const response = await plivoClient.messages.create(
      sourcePhoneNumber, // src
      to,                // dst
      text               // text
    );
    // Avoid logging the entire response object in production if it contains sensitive info
    console.log('Message sent successfully via Plivo. Message UUID:', response.messageUuid);
    return response;
  } catch (error) {
    console.error('Error sending SMS via Plivo:', error);
    throw error; // Re-throw the error to be handled by the caller
  }
}

2.3 Configure NextAuth.js:

We need two configuration files for NextAuth v5: auth.config.ts (used by middleware) and auth.ts (main configuration).

First, define the extended Session and JWT types using module augmentation. This is typically done in auth.ts or a dedicated types file.

typescript
// src/lib/auth.ts (Add these declarations at the top or in a separate d.ts file)
import { DefaultSession } from 'next-auth';
import { JWT as NextAuthJWT } from 'next-auth/jwt';

// Extend Session type
declare module 'next-auth' {
  interface Session {
    twoFactorVerified?: boolean; // Add custom property
    user: {
      id: string; // Ensure id is always present
    } & DefaultSession['user']; // Keep default user properties
  }
}

// Extend JWT type
declare module 'next-auth/jwt' {
  interface JWT {
    twoFactorVerified?: boolean; // Add custom property
    id?: string; // Ensure id is present
  }
}

auth.config.ts (for Middleware):

This file contains configuration needed before the full NextAuth initialization, primarily for middleware checks.

typescript
// src/lib/auth.config.ts
import type { NextAuthConfig } from 'next-auth';
import { Session } from 'next-auth'; // Import base Session type
import { JWT } from 'next-auth/jwt'; // Import base JWT type

export const authConfig = {
  pages: {
    signIn: '/login', // Redirect users to `/login` if required
    // error: '/auth/error', // Optional: Custom error page
  },
  callbacks: {
    // This callback is crucial for protecting routes via Middleware
    authorized({ auth, request: { nextUrl } }) {
      const isLoggedIn = !!auth?.user;
      // Use the augmented Session type implicitly now
      const session = auth;
      const isTwoFactorVerified = session?.twoFactorVerified ?? false;
      const isOnDashboard = nextUrl.pathname.startsWith('/dashboard');
      const isOnVerifyOtp = nextUrl.pathname === '/verify-otp';

      if (isOnDashboard) {
        if (isLoggedIn) {
          // If user is logged in but hasn't completed 2FA for this session, redirect to verify
          if (session.user && !isTwoFactorVerified) {
             // console.log(""Middleware: User logged in but 2FA not verified. Redirecting to /verify-otp."");
             return Response.redirect(new URL('/verify-otp', nextUrl.origin));
          }
          // If logged in and 2FA verified (or not needed), allow access
          return true;
        }
        return false; // Redirect unauthenticated users to login page
      } else if (isOnVerifyOtp) {
        // Allow access to /verify-otp only if the user is logged in but hasn't verified 2FA yet
        return isLoggedIn && !isTwoFactorVerified;
      } else if (isLoggedIn) {
        // If logged in user tries to access login/register page, redirect appropriately
        if (nextUrl.pathname === '/login' || nextUrl.pathname === '/register') {
           if(!isTwoFactorVerified) {
              // If trying to access login/register while needing OTP verification, redirect to verify page
              // console.log(""Middleware: Logged in user needing 2FA tried accessing auth page. Redirecting to /verify-otp."");
              return Response.redirect(new URL('/verify-otp', nextUrl.origin));
           }
           // Otherwise (logged in and verified), redirect to dashboard
           // console.log(""Middleware: Logged in user tried accessing auth page. Redirecting to /dashboard."");
           return Response.redirect(new URL('/dashboard', nextUrl.origin));
        }
      }
      // Allow access to all other pages (like login, register, home) by default
      return true;
    },

    // JWT Callback: Called whenever a JWT is created or updated.
    async jwt({ token, user, trigger, session: updateSessionData }) {
        // Initial sign in
        if (user) {
            token.id = user.id;
            // IMPORTANT: Initially mark 2FA as NOT verified upon login,
            // even if the user has it enabled. Verification happens per-session.
            token.twoFactorVerified = false;
        }

        // If the session is updated (e.g., after successful OTP verification via unstable_update)
        if (trigger === ""update"" && updateSessionData?.twoFactorVerified) {
            token.twoFactorVerified = true;
             // console.log(""JWT Updated: 2FA verified status set to true."");
        }

        return token;
    },

    // Session Callback: Called whenever a session is checked.
    async session({ session, token }: { session: Session, token?: JWT }) {
      // Ensure the user ID and 2FA status from the token are added to the session object
      if (token?.id && session.user) {
        session.user.id = token.id;
      }
      if (token?.twoFactorVerified !== undefined) {
         session.twoFactorVerified = token.twoFactorVerified;
      } else {
         // Default to false if not present in token (shouldn't happen with jwt callback setup)
         session.twoFactorVerified = false;
      }
       // console.log(`Session Callback: User ID: ${session.user?.id}, 2FA Verified: ${session.twoFactorVerified}`);
      return session; // Return the augmented session object
    }
  },
  providers: [], // Add providers in auth.ts, keep empty here for middleware compatibility
  session: { strategy: 'jwt' }, // Use JWT strategy for session management
} satisfies NextAuthConfig;

auth.ts (Main Configuration):

This file includes providers and the main logic.

typescript
// src/lib/auth.ts
import NextAuth from 'next-auth';
import Credentials from 'next-auth/providers/credentials';
import { PrismaAdapter } from '@auth/prisma-adapter';
import bcrypt from 'bcrypt';
import { z } from 'zod';

import { prisma } from '@/lib/prisma';
import { authConfig } from './auth.config'; // Import base config
import { sendSms } from './plivo';
import { generateOtp, verifyOtp } from './utils'; // OTP utilities defined in Sec 2.5
import { User } from '@prisma/client'; // Import User type

// Module augmentation for Session/JWT types (already shown above)
// --- Add the declare module blocks here if not in a separate file ---

// Schema for the initial login form (Email/Password only)
const LoginSchema = z.object({
  email: z.string().email({ message: 'Invalid email format.' }),
  password: z.string().min(1, { message: 'Password is required.' }), // Min 1, actual length check is via bcrypt
});

export const {
  handlers: { GET, POST },
  auth,
  signIn,
  signOut,
  unstable_update // Use unstable_update for modifying session state
} = NextAuth({
  ...authConfig, // Spread the base config (pages, session strategy, basic callbacks)
  adapter: PrismaAdapter(prisma),
  providers: [
    Credentials({
      async authorize(credentials) {
        try {
          const parsedCredentials = LoginSchema.safeParse(credentials);

          if (!parsedCredentials.success) {
            console.warn(""Credential parsing failed:"", parsedCredentials.error.flatten());
            return null; // Invalid input format
          }

          const { email, password } = parsedCredentials.data;

          // console.log(`Attempting login for email: ${email}`);
          const user = await prisma.user.findUnique({ where: { email } });

          if (!user || !user.password) {
            // console.log(""User not found or password not set."");
            return null; // User not found or doesn't use password auth
          }

          const passwordsMatch = await bcrypt.compare(password, user.password);

          if (!passwordsMatch) {
            // console.log(""Password mismatch for user:"", email);
            return null; // Incorrect password
          }

          // console.log(`User ${email} authenticated successfully (primary).`);

          // --- 2FA Check ---
          if (user.twoFactorEnabled && user.phoneNumber) {
            // console.log(`2FA enabled for user ${email}. Generating OTP.`);
            const otp = generateOtp(); // Generate OTP (defined in Sec 2.5)
            const otpExpiry = new Date(Date.now() + (parseInt(process.env.OTP_EXPIRY_MINUTES || '5') * 60 * 1000));
            const otpHash = await bcrypt.hash(otp, 10); // Hash the OTP before storing

            // Store hashed OTP and expiry in DB
            await prisma.user.update({
              where: { id: user.id },
              data: {
                twoFactorSecret: otpHash,
                twoFactorExpiry: otpExpiry,
              },
            });
             // console.log(`Stored OTP hash for user ${user.id}. Expiry: ${otpExpiry}`);

            // Send OTP via Plivo
            try {
               await sendSms(user.phoneNumber, `Your verification code is: ${otp}. It expires in ${process.env.OTP_EXPIRY_MINUTES || 5} minutes.`);
               // console.log(`OTP SMS potentially sent to ${user.phoneNumber}`); // Use 'potentially' due to simulation possibility
            } catch (smsError: any) {
               console.error(`Failed to send OTP SMS to ${user.phoneNumber}:`, smsError.message || smsError);
               // Throw a specific error that can be caught by the authenticate action
               // This will result in a CallbackRouteError in NextAuth
               throw new Error(""Failed to send verification code. Please try again later."");
            }

            // IMPORTANT: Return the user object here.
            // The JWT callback will set `twoFactorVerified = false` initially.
            // The `authorized` callback in middleware will then force the redirect to /verify-otp.
            // console.log(""Returning user object to signal pending 2FA verification."");
            return user;

          } else {
            // 2FA not enabled, proceed with normal login
            // console.log(`2FA not enabled for user ${email}. Proceeding with login.`);
            // Clear any potentially stale OTP data
            if(user.twoFactorSecret || user.twoFactorExpiry) {
               await prisma.user.update({
                  where: { id: user.id },
                  data: { twoFactorSecret: null, twoFactorExpiry: null },
               });
            }
            // The JWT callback will run, but the middleware won't redirect to /verify-otp
            // because the user object doesn't require it (or 2FA is disabled).
            // The session callback will set twoFactorVerified based on the token (which defaults based on this path).
            return user; // Return full user object
          }

        } catch (error) {
           // Catch errors from within authorize (e.g., the SMS sending error)
           console.error(""Error during authorization:"", error);
           // Re-throw the error if it's one we want to surface (like the SMS failure)
           if (error instanceof Error && error.message.startsWith(""Failed to send"")) {
               throw error; // Ensure this specific error propagates to AuthError
           }
           // For other errors (Zod, DB issues during OTP storage), return null to indicate failure
           return null;
        }
      },
    }),
    // ... other providers like Google, GitHub, etc. if needed
  ],
  // Callbacks are already defined in authConfig and spread above
});

Key Points in auth.ts:

  • Uses PrismaAdapter to sync NextAuth state with the database.
  • Implements the Credentials provider with email/password validation (LoginSchema).
  • Verifies the password using bcrypt.compare.
  • 2FA Logic:
    • Checks user.twoFactorEnabled.
    • If enabled: generates OTP, hashes it, stores hash/expiry, sends SMS via sendSms.
    • Crucially, returns the user object. The JWT/Session/authorized callbacks handle the subsequent flow (setting twoFactorVerified: false and redirecting).
    • Handles errors during SMS sending by throwing an error that signIn catches as CallbackRouteError.
  • If 2FA is not enabled, it clears any old OTP data and returns the user object, allowing login to proceed normally.
  • Module augmentation is used to define custom session/JWT properties (twoFactorVerified).

2.4 Configure Middleware:

Create the middleware file to protect routes based on the authorized callback in auth.config.ts.

typescript
// src/middleware.ts
import NextAuth from 'next-auth';
import { authConfig } from '@/lib/auth.config'; // Use the specific config for middleware

// Initialize NextAuth with the specific config for middleware checks
const { auth: middleware } = NextAuth(authConfig);

export default middleware; // Export the auth handler

// Matcher configuration: Apply middleware to relevant paths
export const config = {
  // Apply middleware logic to these paths.
  // The `authorized` callback determines access/redirects.
  matcher: [
     '/dashboard/:path*', // Protect all dashboard routes
     '/verify-otp',      // Manage access to the OTP verification page
     '/login',           // Apply logic to redirect logged-in users
     '/register',        // Apply logic to redirect logged-in users
     // Exclude API routes, Next.js static files, and image optimization files
     // Ensure this doesn't accidentally exclude your auth pages if they aren't listed above
     '/((?!api|_next/static|_next/image|favicon.ico).*)',
  ],
};

// Explanation of Matcher:
// - Explicitly lists key routes (/dashboard*, /verify-otp, /login, /register) where auth logic is important.
// - Uses a negative lookahead `(?!...)` to exclude common static/API paths.
// - The final broad matcher `.*` ensures the middleware runs on other pages not explicitly excluded,
//   allowing the `authorized` callback to handle redirects (e.g., logged-in user visiting `/`).
// Adjust the matcher based on your specific public/private route structure if needed.

2.5 Implement OTP Utilities:

Create utility functions for generating and verifying OTPs.

typescript
// src/lib/utils.ts
import otpGenerator from 'otp-generator';
import bcrypt from 'bcrypt';
import { prisma } from './prisma';

/**
 * Generates a secure numeric OTP.
 * @param length The desired length of the OTP (default: 6).
 * @returns A string containing the generated OTP.
 */
export function generateOtp(length: number = 6): string {
  return otpGenerator.generate(length, {
    upperCaseAlphabets: false,
    lowerCaseAlphabets: false,
    specialChars: false,
    digits: true,
  });
}

/**
 * Verifies a submitted OTP against the stored hash for a user.
 * Also clears the OTP data on successful verification or if expired.
 * @param userId The ID of the user attempting verification.
 * @param submittedOtp The OTP code entered by the user.
 * @returns Promise resolving to true if OTP is valid and not expired, false otherwise.
 */
export async function verifyOtp(userId: string, submittedOtp: string): Promise<boolean&gt; {
  try {
    const user = await prisma.user.findUnique({
      where: { id: userId },
      select: { twoFactorSecret: true, twoFactorExpiry: true },
    });

    if (!user || !user.twoFactorSecret || !user.twoFactorExpiry) {
      // console.log(`Verification failed: No OTP data found for user ${userId}.`);
      return false; // No OTP data stored
    }

    // Check expiry first
    const isExpired = new Date() &gt; user.twoFactorExpiry;

    if (isExpired) {
      // console.log(`Verification failed: OTP expired for user ${userId}. Expiry: ${user.twoFactorExpiry}`);
      // Clear the expired OTP data for hygiene
      await prisma.user.update({
          where: { id: userId },
          data: { twoFactorSecret: null, twoFactorExpiry: null },
      });
      return false; // OTP expired
    }

    // Compare submitted OTP with the stored hash
    const isOtpValid = await bcrypt.compare(submittedOtp, user.twoFactorSecret);

    if (isOtpValid) {
       // console.log(`Verification successful for user ${userId}.`);
       // OTP is valid, clear it immediately after successful verification
       await prisma.user.update({
          where: { id: userId },
          data: { twoFactorSecret: null, twoFactorExpiry: null },
       });
       // console.log(`Cleared OTP data for user ${userId} after successful verification.`);
       return true; // OTP is valid
    } else {
       // console.log(`Verification failed: Submitted OTP does not match stored hash for user ${userId}.`);
       // Do not clear the OTP here, allow user to retry within expiry window.
       return false; // OTP is invalid
    }

  } catch (error) {
    console.error(`Error during OTP verification for user ${userId}:`, error);
    return false; // Return false on any unexpected error
  }
}

Frequently Asked Questions

Implement 2FA by integrating NextAuth.js for authentication, Plivo for SMS delivery, and Prisma for database management. This setup enables a secure login flow where users verify their identity with an OTP sent via SMS after entering their credentials, enhancing account security.
Plivo is the communications platform API used to send SMS messages containing the One-Time Passwords (OTPs) for two-factor authentication. It's a key component for delivering the verification codes to users' phones.
NextAuth.js uses JSON Web Tokens (JWT) to manage session state and store authentication information, including whether 2FA has been verified in the current session. This approach enhances security by encoding user data and verification status within the token itself.
Use SMS-based OTP authentication to enhance security when users log in with credentials. After initial login, if 2FA is enabled, an OTP is required before granting full access to protected resources like a dashboard.
Yes, Prisma supports multiple database providers including PostgreSQL, MySQL, and SQLite. While the example uses PostgreSQL, you can adapt the schema and database URL in `schema.prisma` and `.env` to your preferred database.
Configure the Plivo Node.js client by setting environment variables (`PLIVO_AUTH_ID`, `PLIVO_AUTH_TOKEN`, `PLIVO_PHONE_NUMBER`) with your Plivo credentials. The `sendSms` utility function in `plivo.ts` then handles sending SMS messages using these credentials.
Hashing the OTP with bcrypt before storing it in the database significantly enhances security by preventing the storage of sensitive information in plain text. Only the hash is stored, and the submitted OTP is compared against the hash for verification.
The `verifyOtp` utility function handles OTP expiry by comparing the current time to the stored `twoFactorExpiry` timestamp. If expired, it clears the OTP data and returns false, prompting the user to request a new code.
The provided code uses `next-auth@beta`, specifically for compatibility with the Next.js App Router and Server Actions. The beta version supports the latest features and conventions of the App Router.
The `middleware.ts` file configures route protection by checking the `twoFactorVerified` status within the session. If 2FA is enabled but not verified, the middleware redirects to the /verify-otp page.
The `twoFactorVerified` flag in both the session and JWT indicates whether a user has successfully completed 2FA for the current session. This ensures protected routes are only accessible after both credential and OTP verification.
The `generateOtp` utility function uses the `otp-generator` library to create secure, numeric OTPs of a specified length (default is 6 digits). This function ensures the randomness and format of the codes.
Two configurations (`auth.config.ts`, `auth.ts`) are used to accommodate Next.js middleware. `auth.config.ts` contains minimal callbacks and settings needed for early checks before full initialization in `auth.ts`.
If Plivo credentials are missing during development, the `sendSms` function logs a warning and simulates sending the SMS instead of throwing an error. This allows development to proceed without actual SMS delivery.