Hello,
With the recently released change to require 2FA for new device verification for admins (Device verification & email 2FA - Ghost Changelog), I have encountered the 2FA requirement when using the admin API with user (session) authentication.
Specifically, when I try to create a session cookie, I get the error message “User must verify session to login”, code “2FA_NEW_DEVICE_DETECTED”. I duly receive the 2FA token via email. But how do I now authenticate with my token via the API? Can I POST the token to the session endpoint?
Many thanks.
Do you need to do session auth, or can you switch to using the jwt?
1 Like
I could never get a valid JWT token to generate using the bash script on Ghost Admin API Documentation - I always got an “invalid token” error from the API.
So I stopped there, but shouldn’t have - I just tried the Python code on the above page to generate a valid token, and it works.
Now I can switch to using the JWT. Thanks for the suggestion.
1 Like
I’m running into the same issue all of a sudden. 2FA emails are being sent for API calls with user authentication.
Cathy, we create a a process similar to what you did by creating an alternative login mechanism that uses an undocumented API end point. I believe we ended up with user authentication for the API calls because something in token auth was broken, but that’s just a loose recollection. Are you aware of a problem with token auth and the API using those endpoints?
Token auth for the signin URLs endpoint is working as far as I know — I patched it to do so late last year.
1 Like
My buddy is going to work on it in the morning. Appreciate the reply. He said he used user auth simply because it was easier (he doesn’t know his way around the Ghost interface). Fingers crossed.
User auth for the API is no doubt broken with whatever patch they put out in the last 48 hours. I did report this to support. I do agree with support that token access is better.
You may want to follow me. I try to point this stuff out when I learn of it. Here’s my warning from November of last year.