From redaxo-ycom
Configures YCom two-factor authentication with TOTP and email OTP, including setup articles, forms, enforcement modes, email templates, and session gating injections. Use for enabling 2FA, building OTP forms, or troubleshooting flows.
```
npx claudepluginhub friendsofredaxo/claude-marketplace --plugin redaxo-ycom
```

This skill uses the workspace's default tool permissions.
YCom supports two OTP methods: TOTP (authenticator apps like Google Authenticator) and email-delivered codes. Both share the same setup form and injection-based enforcement.
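1. Set `otp_article_id` in YCom settings to point to an OTP setup article.
2. Add the field `ycom_auth_otp|setup` to the form on that article.
3. Set `otp_auth_enforce` = `all` or `disabled`.
4. Set `otp_auth_option` = `all`, `totp_only`, `email_only`.

Form field:

```
ycom_auth_otp|setup
```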
That's it. The field renders the QR code (for TOTP), an email code option, and the verification step in one component.
| Key | Type | Description |
|---|---|---|
| `otp_article_id` | int | OTP setup/verify article |
| `otp_auth_enforce` | string | `all` or `disabled` |
| `otp_auth_option` | string | `all`, `totp_only`, `email_only` |
| `otp_auth_email_period` | int | OTP email-code period in seconds (300–1800) |
`all` enforcement means every user must complete OTP setup before they can access protected articles. `disabled` makes OTP optional (users can opt in, but there is no gating).
When `otp_auth_option` allows `email_only` or `all`, YCom sends OTP codes via the email template:

- Template key: `ycom_otp_code_template`
- Placeholders: `name`, `email`, `firstname`, `code`

Minimum body:

```
Hallo ###firstname###,
Ihr Anmeldecode lautet: ###code###
Der Code ist 5 Minuten gueltig.
```
Adjust the validity period via otp_auth_email_period (300–1800 seconds, default depends on plugin defaults).
YCom enforces OTP via rex_ycom_injection_otp:
`otp_article_id`.

The injection is part of the standard auth flow; you don't need to call it manually.
When some user roles shouldn't go through OTP:
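```php
// Placeholder: replace with the id of the group that should skip OTP.
$apiOnlyGroupId = 0;

rex_extension::register('YCOM_AUTH_LOGIN_SUCCESS', function (rex_extension_point $ep) use ($apiOnlyGroupId) {
    $user = $ep->getSubject();
    if ($user instanceof rex_ycom_user && $user->isInGroup($apiOnlyGroupId)) {
        // Mark the DB session row as OTP-verified so the injection lets this user through.
        rex_ycom_user_session::getInstance()->setOTPverified($user);
    }
});
```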
The OTP injection reads `otp_verified` from the DB session row (`rex_ycom_user_session`), not from `$_SESSION`. Use `setOTPverified()` to mark the current session as verified. `rex_ycom_auth::setSessionVar('otp_verified', true)` does NOT bypass the injection.
- Setting `otp_auth_enforce=all` without configuring `otp_article_id`: users get stuck in a redirect loop because the destination article doesn't exist.
- Missing `ycom_otp_code_template` email template when using email-based OTP: delivery silently fails.
- OTP secrets in the `rex_ycom_user` table are sensitive: treat the table like password storage; restrict backend access.
- Long `otp_auth_email_period` values combined with shared mailboxes (info@) become a phishing vector: keep periods short.
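
The misconfigurations above can be caught before deployment with a small lint over the settings. This is an added example, not code from YCom or from this skill. It works on a plain array rather than reading REDAXO's settings store, and the function name `lintYcomOtp`, the `$maxEmailPeriod` policy ceiling of 600 seconds and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Lint YCom OTP settings against the pitfalls described above.
 * $cfg: settings as key => value (constructed input, not read from REDAXO).
 * $articleIds: ids of articles that exist; $templateKeys: existing email template keys.
 * $maxEmailPeriod: local policy ceiling in seconds (assumption, not a YCom setting).
 */
function lintYcomOtp(array $cfg, array $articleIds, array $templateKeys, int $maxEmailPeriod = 600): array
{
    $findings = [];
    $enforce = $cfg['otp_auth_enforce'] ?? null;
    $option = $cfg['otp_auth_option'] ?? null;

    if (!in_array($enforce, ['all', 'disabled'], true)) {
        $findings[] = 'otp_auth_enforce must be all or disabled, got ' . json_encode($enforce);
    }
    if (!in_array($option, ['all', 'totp_only', 'email_only'], true)) {
        $findings[] = 'otp_auth_option must be all, totp_only or email_only, got ' . json_encode($option);
    }
    // Enforcement redirects users to the setup article; a missing target loops.
    if ('all' === $enforce && !in_array((int) ($cfg['otp_article_id'] ?? 0), $articleIds, true)) {
        $findings[] = 'otp_auth_enforce=all but otp_article_id is not an existing article';
    }
    if (in_array($option, ['all', 'email_only'], true)) {
        // Email codes need the template, otherwise delivery fails silently.
        if (!in_array('ycom_otp_code_template', $templateKeys, true)) {
            $findings[] = 'email OTP enabled but template ycom_otp_code_template is missing';
        }
        $period = $cfg['otp_auth_email_period'] ?? null;
        if (null !== $period && ($period < 300 || $period > 1800)) {
            $findings[] = "otp_auth_email_period=$period is outside 300-1800 seconds";
        } elseif (null !== $period && $period > $maxEmailPeriod) {
            $findings[] = "otp_auth_email_period=$period exceeds policy ceiling of $maxEmailPeriod seconds";
        }
    }
    return $findings;
}

// Constructed sample: enforcement on, article 42 does not exist, no OTP template, long period.
$sample = ['otp_article_id' => 42, 'otp_auth_enforce' => 'all',
           'otp_auth_option' => 'all', 'otp_auth_email_period' => 1800];
foreach (lintYcomOtp($sample, [1, 7], ['some_other_template']) as $finding) {
    echo "[OTP config] $finding\n";
}
```

The constructed sample produces three findings: the missing setup article, the missing email template and the period above the policy ceiling.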