To quickly sum up my solution to this question: I have implemented a service class handling the OTP generation as well as user secret generation. The OTPs are compatible with the specified standard (I think RFC 6238, TOTP).
If a user is initialized for 2FA a secret will be generated and stored to database. The user has to validate it using the first code displayed via an authenticator app of his choice (like Google Authenticator).
All the QR code generation etc. is done by my frontend, which is separated from the API code.
As I am using Laravel Passport for API authentication, I have extended the TokenGuard class to also handle an extra 2FA token - if 2FA is enabled for the user. Otherwise this will be skipped.
This 2FA token is generated uniquely on each successful code challenge after the user has logged in with his username/password combination and is sent to the frontend to be also used within all upcoming requests (as a separate header).
This works pretty well for me and I did not need to implement any third-party libraries in the end!
@ml59 thanks for your inputs which helped me get around!
He who fights with dragons for too long becomes a dragon himself; he who gazes too long into the abyss will find the abyss gazing back...
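For readers who want to see what the TOTP part of such a service class looks like without a third-party package, here is an added example in plain PHP. It is not the poster's code and is independent of Laravel: it implements RFC 4226 HOTP and RFC 6238 TOTP on top of `hash_hmac`, generates a base32 secret for the authenticator app, and verifies a submitted code with a one-period drift window and a constant-time comparison. The class name `Totp` and all method names are my own choices; the only fixed values are the RFC test secret and its expected code.

```php
<?php
// Added example (not the original post's code): RFC 6238 TOTP over RFC 4226 HOTP in plain PHP.
declare(strict_types=1);

final class Totp
{
    private const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

    /** Generate a random 160-bit secret, base32-encoded as authenticator apps expect it. */
    public static function generateSecret(int $bytes = 20): string
    {
        return self::base32Encode(random_bytes($bytes));
    }

    public static function base32Encode(string $raw): string
    {
        $bits = '';
        foreach (str_split($raw) as $byte) {
            $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 5) as $chunk) {
            $out .= self::BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
        }
        return $out;
    }

    public static function base32Decode(string $encoded): string
    {
        $encoded = strtoupper(rtrim($encoded, '='));
        $bits = '';
        foreach (str_split($encoded) as $char) {
            $index = strpos(self::BASE32_ALPHABET, $char);
            if ($index === false) {
                throw new InvalidArgumentException('Invalid base32 character');
            }
            $bits .= str_pad(decbin($index), 5, '0', STR_PAD_LEFT);
        }
        $raw = '';
        foreach (str_split($bits, 8) as $chunk) {
            if (strlen($chunk) === 8) {          // drop the trailing partial byte
                $raw .= chr(bindec($chunk));
            }
        }
        return $raw;
    }

    /** RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation, mod 10^digits. */
    public static function hotp(string $secretRaw, int $counter, int $digits = 6): string
    {
        $counterBytes = pack('J', $counter);                     // unsigned 64-bit big-endian
        $hash = hash_hmac('sha1', $counterBytes, $secretRaw, true);
        $offset = ord($hash[19]) & 0x0F;                         // low nibble of the last byte
        $code = ((ord($hash[$offset]) & 0x7F) << 24)
              | (ord($hash[$offset + 1]) << 16)
              | (ord($hash[$offset + 2]) << 8)
              | ord($hash[$offset + 3]);
        return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
    }

    /** RFC 6238 TOTP: HOTP with counter = floor(unixTime / period). */
    public static function totp(string $secretBase32, int $timestamp, int $period = 30, int $digits = 6): string
    {
        return self::hotp(self::base32Decode($secretBase32), intdiv($timestamp, $period), $digits);
    }

    /** Verify a submitted code, tolerating +/- $window periods of clock drift. */
    public static function verify(string $secretBase32, string $submitted, int $timestamp, int $window = 1, int $period = 30): bool
    {
        $ok = false;
        for ($step = -$window; $step <= $window; $step++) {
            $candidate = self::totp($secretBase32, $timestamp + $step * $period, $period);
            // hash_equals is constant-time; every candidate is computed so timing does not reveal which step matched.
            $ok = hash_equals($candidate, $submitted) || $ok;
        }
        return $ok;
    }
}

// Sanity check against the RFC 6238 Appendix B vector: ASCII secret "12345678901234567890", T = 59 s, 8 digits -> 94287082.
$rfcSecret = Totp::base32Encode('12345678901234567890');
echo Totp::totp($rfcSecret, 59, 30, 8), PHP_EOL;

// Enrolment flow as described in the post: store the secret, then require one valid code before enabling 2FA.
$userSecret = Totp::generateSecret();
$firstCode  = Totp::totp($userSecret, time());      // what the user's app would display right now
var_dump(Totp::verify($userSecret, $firstCode, time()));   // bool(true)
```

Two points worth keeping when wiring this into a Laravel service: store the base32 secret encrypted at rest (e.g. via `Crypt::encryptString`) rather than in plain text, and remember the last accepted time step per user so the same code cannot be replayed within the drift window.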