Use passport for this. We will use the 2FA code to establish a session, then the cookie will be sent on all future requests to authenticate until it expires.

Here are the steps:

1. Use the passport-session library
2. Use the localStrategy as shown here http://www.passportjs.org/docs/configure/
   Make sure the username is _id and the password is the 2FA code. You'll have to make sure the request is properly formatted for passport to automatically grab those fields.
3. Inside the localStrategy, do the 2FA code check

On the same page, you'll see serializeUser and deserializeUser. You probably need to implement those as well with ``_id`