Handling MFA Authentication
MFA authentication is handled in a somewhat unexpected way. When you authenticate, you get your Wilma2SID (see Basics of signing in to Wilma). With MFA enabled you also need a second session token, which is valid for 30 days; after that period the MFA procedure has to be done again.
When MFA is enabled, the `LoginResult` in the JSON homepage is `mfa-required`. That is the sign that the MFA procedure is required. If your login page does not return the user's JSON homepage, or that JSON has no `FormKey` field, change the sign-in URL from `/index_json` to `/login`.
POST request to `/api/v1/accounts/me/mfa/otp/check` with the following form-data body:
- `formkey`: the formkey from the JSON homepage returned by `/login` when you signed in.
- `payload`: a JSON string, `{"otp": "000000", "sessionName": "<random_name_to_differentiate_mfa_sessions>"}`
Response (JSON):

```json
{
  "statusCode": 200,
  "payload": {
    "success": false
  }
}
```
If `payload.success` is `true`, MFA was completed successfully and you get a new cookie, `Wilma2MFASID`. Every further Wilma API request must include that cookie. It expires in 30 days, after which the MFA procedure has to be done again.
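The exchange above as client-side helpers, added here as an example and not part of the project's code. It assumes the homepage key is spelled `LoginResult`, that any unique string is acceptable as `sessionName`, and that the caller sends the form with an HTTP client of its choice and passes the response body and cookies in; nothing here talks to the network.

```python
import json
import secrets
from typing import Optional

# Endpoint from this page; the base URL (https://<your-wilma-host>) is supplied by the caller.
MFA_CHECK_PATH = "/api/v1/accounts/me/mfa/otp/check"


def mfa_required(homepage: dict) -> bool:
    """True when the JSON homepage reports LoginResult == 'mfa-required' (key name assumed)."""
    return homepage.get("LoginResult") == "mfa-required"


def build_mfa_check_form(formkey: str, otp: str, session_name: Optional[str] = None) -> dict:
    """Form-data body for POST /api/v1/accounts/me/mfa/otp/check.

    'payload' must be a JSON *string*, not a nested object. A random sessionName
    keeps separate MFA sessions apart (assumption: any unique string is fine).
    """
    if not (otp.isdigit() and len(otp) == 6):
        raise ValueError("OTP must be six digits")
    if session_name is None:
        session_name = "mfa-" + secrets.token_hex(8)  # constructed, per-session name
    return {
        "formkey": formkey,
        "payload": json.dumps({"otp": otp, "sessionName": session_name}),
    }


def parse_mfa_check_response(body: str, cookies: dict) -> Optional[str]:
    """Return the Wilma2MFASID value on success, None if the OTP was rejected.

    Anything else (non-200 statusCode, missing 'success', success without the
    cookie) raises, so a malformed reply is never mistaken for a clean rejection
    and a missing cookie is noticed before later requests start failing.
    """
    data = json.loads(body)
    payload = data.get("payload", {})
    if data.get("statusCode") != 200 or "success" not in payload:
        raise RuntimeError(f"unexpected MFA response: {body}")
    if not payload["success"]:
        return None  # wrong or expired OTP; caller may prompt again
    sid = cookies.get("Wilma2MFASID")
    if not sid:
        raise RuntimeError("MFA reported success but no Wilma2MFASID cookie was set")
    return sid  # send this cookie alongside Wilma2SID on every further request
```

With `requests`, the call would be `r = session.post(base_url + MFA_CHECK_PATH, data=build_mfa_check_form(formkey, otp))` followed by `parse_mfa_check_response(r.text, session.cookies)`; the session then carries both cookies for the next 30 days.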