How to determine if reauthentication is necessary when setting up Two-Factor Authentication in Headless API

[kagiya-n]

It is unclear when I should transition to the reauthenticate screen while setting up two-factor authentication.

If two-factor authentication is already set up, I can investigate the need for reauthentication by sending a GET request to "/_allauth/app/v1/account/authenticators/recovery-codes".

However, if I am setting up two-factor authentication for the first time, I may be asked to reauthenticate when I send a POST request to "/_allauth/app/v1/account/authenticators/totp", which can be redundant.
Is there a way to know this in advance?

[pennersr]

Suppose you check in advance -- given that there is always a bit of time between the check, and actually making use of the information you checked on, it may be the case that the information you were given is outdated by the time you are using it. So, you will always need to prepare for receiving a "reauthentication required" even if you were to check in advance.

Having said that, in the current session you can find the authentication methods, and the timestamp the method was used, see methods:

{
  "status": 200,
  "data": {
    "user": {
      "id": 123,
      "display": "Magic Wizard",
      "has_usable_password": true,
      "email": "[email protected]",
      "username": "wizard"
    },
    "methods": [
      {
        "method": "password",
        "at": 1711555057.065702,
        "email": "[email protected]",
        "username": "wizard"
      }
    ]
  },
  "meta": {
    "session_token": "ufwcig0zen9skyd545jc0fkq813ghar2",
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW",
    "is_authenticated": true
  }
}

You can use that to check in advance.

[kagiya-n]

Thank you for your response. I have implemented it to check the auth/session and reauthenticate if more than five minutes have passed.