Two-factor authentication

Cobalz supports TOTP-based 2FA for both merchant and affiliate accounts. The merchant-side path uses Supabase Auth's built-in MFA; the affiliate side uses a hand-rolled RFC 6238 implementation with one-shot recovery codes (since affiliates and merchants live in different table layouts).

Enroll a merchant account

  • Sign in to your merchant dashboard.
  • Sidebar → My account · 2FA (or visit /u/security).
  • Click Set up 2FA. Scan the QR with Google Authenticator, 1Password, Authy, etc.
  • Enter the 6-digit code to confirm; 2FA is now on.

Backed by Supabase Auth's native MFA: factors live in the auth.mfa_factors table; we never see your secret. Sign-out + sign-in flow uses the AAL2 step-up dance Supabase provides.

Enroll an affiliate account

  • Sign in to your affiliate portal at /a/<merchant-slug>.
  • Sidebar → Settings → Security (visible after sign-in).
  • Click Set up 2FA. Scan the QR.
  • Confirm with a 6-digit code. You'll see 10 recovery codes — save them.

Note: Recovery codes are SHA-256 hashed in the database and shown to you exactly once. Each can be used once if you lose access to your authenticator. We can't recover them for you afterwards.

Sign-in flow

After password auth, accounts with 2FA enrolled are redirected to a TOTP verification page. A short-lived (5 min) signed cookie holds the user id; the password is never stored. The TOTP step must complete before the dashboard becomes reachable — requireAffiliateForCurrentUser bounces you back to the TOTP page if a pretotp row exists.

Disable 2FA

  • From the Security page, enter a current 6-digit code OR a recovery code.
  • 2FA is turned off; the Vault-stored secret is deleted.
  • If you've lost all factors AND all recovery codes: contact support@cobalz.com from the verified email on file. We'll verify out-of-band and unenroll manually.
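As an added illustration (not Cobalz's own code), here is how the affiliate-side pieces described above fit together: RFC 6238 TOTP verification with a one-step drift window, SHA-256-hashed one-shot recovery codes, and the Security-page check that accepts a live 6-digit code OR an unused recovery code. Function names, the 30-second step, the 1-step window and the 10-hex-character recovery-code format are assumptions; the page itself fixes only 6 digits, 10 codes and SHA-256.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the time counter (30-second step assumed)."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32, code, unix_time, window=1):
    """Accept the current step plus `window` steps either side (clock drift),
    comparing in constant time so a rejected code leaks nothing about the right one."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + 30 * d), code)
        for d in range(-window, window + 1)
    )


def issue_recovery_codes(n=10):
    """Plaintext codes to show exactly once, and the SHA-256 hashes that get stored."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars each (assumed format)
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_recovery_code(stored_hashes, code):
    """One-shot use: the matching hash is removed so the same code cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for stored in list(stored_hashes):
        if hmac.compare_digest(stored, digest):
            stored_hashes.discard(stored)
            return True
    return False


def verify_second_factor(secret_b32, stored_hashes, submitted, unix_time):
    """Security-page check: a live 6-digit code OR an unused recovery code."""
    if submitted.isdigit() and len(submitted) == 6:
        return verify_totp(secret_b32, submitted, unix_time)
    return redeem_recovery_code(stored_hashes, submitted)
```

The TOTP values can be checked against the RFC 6238 Appendix B vectors (secret "12345678901234567890", i.e. base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ): T=59 gives 287082 for 6 digits.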