Hey all! Quick update on some changes rolling out to the session APIs. We are currently putting the final touches on OAuth, which is going to fully replace the session management in atproto.

However, we decided to roll out an interim “Email 2FA” feature for some added security. The email auth factor is not applied to app password logins, so unless you’re asking users to input their primary credentials, you do not need to do anything to handle these cases. (Note: We highly recommend using app passwords for your clients.)

Here’s the effects this update had:

• We introduce emailAuthFactor?: boolean to the output of getSession and createSession to indicate to the client whether the user uses an email auth factor during login.
• If the user does use the email auth factor then given a proper identifier and password, createSession will throw an error AuthFactorTokenRequired indicating that an email has been sent to the user containing an auth token.
  • The createSession endpoint may then be hit again including both the password and auth token authFactorToken, which should successfully create the session.
• The updateEmail endpoint may be used to enable the email factor, passing emailAuthFactor: true.
  • Requires that the current email address has been confirmed.
  • In order to disable the auth factor, requires an email update token.

Again, the email auth factor is not applied to app password logins, so unless you’re asking users to input their primary credentials, you do not need to do anything to handle this update. You can see how we implemented these updates in our client here: bluesky-social/social-app#3602