{setsecret:username:password:code2fa}

Description

Generates a Google Authenticator two-factor (2FA) secret for the currently logged-in user, after re-checking that user's own credentials. It always returns an empty string (it produces no template output). Parameters in order: username, password, code2fa (the current 6-digit authenticator code).

The command does nothing unless username and password are both non-empty, the credentials authenticate successfully, and the authenticated user is the SAME user who is already logged in - so a session can only re-confirm its own account, never set a secret for someone else.

WARNING: in the current engine build this command is experimental and incomplete - on success it generates a secret and writes diagnostic text to the server output, but it does NOT persist the secret anywhere, so it has no lasting effect. To actually store a 2FA secret for a reader, use a slice field configured with the AA_2FASECRET field writer (see Reader Management / two-factor setup), not this expression.

Because it depends on the live session and a real authenticator code, every call is runtime-dependent (never cached) and cannot be a deterministic test.

Parameters

username required default (none)

Login name of the user whose 2FA secret is being set. Must match an existing user, and must resolve to the SAME user who is currently logged in - you can only re-confirm your own account.

password required default (none)

Current password of that same user. Re-checked here so a logged-in session must prove the password again before a secret is generated. Stored content is never echoed.

code2fa optional default (empty)

The current 6-digit code from the user's authenticator app. Required only if the account already has a 2FA secret (then the code must verify); leave empty for an account that has none yet.

Examples

test[{setsecret:alice:s3cr3t:123456}]
Expected[]
Actual[]
The command never prints anything - it always returns the empty string, so wrapping it in brackets shows an empty result. Any visible effect (generating a 2FA secret) is a side effect for the logged-in user, not template output.
test[{setsecret:somebody:wrong-password:000000}]
Expected[]
Actual[]
Credentials that do not authenticate, or that belong to a different user than the one already logged in, fail the guard. The command returns empty and changes nothing - no error is shown.
test[{setsecret:::}]
Expected[]
Actual[]
Username and password are both required; with either one empty the command returns immediately. This is the safe default - an unfilled call does nothing.
virtual{setsecret:_#USERNAME:_#PASSWORD:_#CODE2FA}
Expected(empty; on a matching session generates a 2FA secret for the logged-in user)
How a template would call it for the logged-in user, feeding the username, the re-typed password, and the current authenticator code from form fields. Output is still empty; on a session that matches, it generates a 2FA secret. Runtime-dependent, so not asserted.
virtual{setsecret:alice:s3cr3t:{getcode2fa}}
Expected(empty; experimental - secret is generated but not saved)
In the current engine build this command generates a secret but does not store it, so it has no lasting effect. To actually save a reader 2FA secret, configure a slice field with the AA_2FASECRET field writer rather than calling this expression. Shown for reference; not asserted.
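
The guard sequence from the Description, modelled in Python as an added example (not the engine's own code). The user store, the PBKDF2 password check, the session_user argument and the exact-step TOTP match are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as used by Google Authenticator."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store (assumption): alice has no 2FA secret yet, bob has one.
SALT = b"constructed-salt"
USERS = {
    "alice": {"pw": pw_hash("s3cr3t", SALT), "secret": None},
    "bob": {"pw": pw_hash("hunter2", SALT), "secret": "JBSWY3DPEHPK3PXP"},
}

def setsecret(session_user, username, password, code2fa="", now=None):
    """Return (template_output, generated_secret); template_output is always ''."""
    if not username or not password:
        return "", None                          # unfilled call does nothing
    user = USERS.get(username)
    supplied = pw_hash(password, SALT)
    if user is None or not hmac.compare_digest(user["pw"], supplied):
        return "", None                          # credentials do not authenticate
    if username != session_user:
        return "", None                          # valid login, but not the session's own account
    if user["secret"] is not None:
        # Account already has a secret: the current code must verify.
        t = time.time() if now is None else now
        expected = totp(user["secret"], at=t)
        if not hmac.compare_digest(expected.encode(), code2fa.encode()):
            return "", None
    # 160-bit random secret in base32; like the command, nothing is persisted here.
    return "", base64.b32encode(secrets.token_bytes(20)).decode()
```

Every failed guard returns the same empty result, so the caller cannot tell which check rejected the call.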