Skip to content

feat: expose optional-MFA-with-skip, passkey-MFA, and is_mfa_enforced fields#45

Closed
lakhansamani wants to merge 8 commits into
mainfrom
feat/enforce-mfa-passkey-gate
Closed

feat: expose optional-MFA-with-skip, passkey-MFA, and is_mfa_enforced fields#45
lakhansamani wants to merge 8 commits into
mainfrom
feat/enforce-mfa-passkey-gate

Conversation

@lakhansamani

Copy link
Copy Markdown
Contributor

Summary

SDK support for the backend's MFA work (see authorizerdev/authorizer#685):

  • skipMfaSetup(), should_offer_mfa_setup, has_skipped_mfa_setup_at — optional MFA setup with skip.
  • should_offer_webauthn_mfa_verify on AuthResponse — passkey as a second MFA factor. loginWithPasskey(email) (already shipped) is reused as-is for the verify step; no new SDK methods needed.
  • is_mfa_enforced on Meta — lets authorizer-react hide the primary passkey-login button when the org enforces MFA.
  • A querySync test that asserts every Meta/AuthResponse interface field is actually selected in the corresponding GraphQL query string (and vice versa) — added after two of the fields above shipped with a type but no matching query selection, silently making them dead on arrival. Type-checking alone can't catch this class of bug since the interface and the query string are independent.

Version: 3.3.0-rc.1 → 3.6.0-rc.0.

Test plan

  • npm run build clean (CJS/ESM/DTS)
  • __test__/querySync.test.ts — confirmed it catches drift in both directions by deliberately breaking sync and watching it fail, then restoring
  • Full npm run test suite — all suites pass except one pre-existing, unrelated failure in index.test.ts (testcontainers-based integration tests), confirmed present on the base commit before any of this work via a side-by-side worktree comparison — not a regression from this PR

Nested worktree under authorizer-js/ let ESLint cascade into the
parent repo's .eslintrc.js, resolving @typescript-eslint/eslint-plugin
from two node_modules trees and failing with an ambiguous-plugin error.
…aSetup()

Bump 3.4.0-rc.0. skipMfaSetup mirrors deactivateAccount's authenticated
dispatch shape (headers passthrough), not resendOtp's unauthenticated one,
since it dismisses the current user's own MFA setup prompt.
@lakhansamani

Copy link
Copy Markdown
Contributor Author

Superseded by an upcoming PR built against authorizer#686 (MFA behavior redesign — withheld-token first-time setup, reworked skip_mfa_setup, new lock_mfa/email_otp_mfa_setup/sms_otp_mfa_setup mutations). This PR's field additions target the older, now-merged authorizer#685 contract and are no longer sufficient. Closing rather than updating in place since the underlying data flow changed, not just the field set.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant