Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
7fb42b6
fix(mfa): default new users into MFA when it's available server-wide
lakhansamani Jul 14, 2026
ce5914e
feat(mfa): lazily backfill existing users into the MFA default on login
lakhansamani Jul 14, 2026
1ba7886
feat(mfa): add --disable-webauthn-mfa, fold WebAuthn into EnableMFA d…
lakhansamani Jul 14, 2026
af05e8a
docs(mfa): clarify --disable-mfa's effect on WebAuthn's MFA-factor role
lakhansamani Jul 14, 2026
68718a7
revert(mfa): drop persisted MFA defaults, add pure effectiveMFAEnabled
lakhansamani Jul 14, 2026
63df61f
feat(mfa): withhold token on first-time offer, unify passkey gate wit…
lakhansamani Jul 14, 2026
4190a11
feat(mfa): rework skip_mfa_setup for the withheld-token model
lakhansamani Jul 14, 2026
d247716
feat(mfa): user-initiated lockout + admin reset via _update_user
lakhansamani Jul 14, 2026
311faa5
feat(mfa): email/SMS OTP as enrolled MFA methods
lakhansamani Jul 14, 2026
f4fcbd9
feat(mfa): gate SignUp() the same way as Login()
lakhansamani Jul 14, 2026
cfa5822
feat(mfa): gate oauth_callback.go the same way as password login
lakhansamani Jul 14, 2026
af90acc
fix(mfa): close I1 -- gate Login/SignUp even when TOTP login is off
lakhansamani Jul 15, 2026
0a1b1e8
fix(mfa): close I2 -- cookie-authenticated email/SMS OTP setup
lakhansamani Jul 15, 2026
58540c1
fix(mfa): oauth gate honors email/SMS OTP, tighten weak assertion (M1…
lakhansamani Jul 15, 2026
1472bc6
fix(mfa): defer OIDC bridge SetState until after the MFA gate (M2)
lakhansamani Jul 15, 2026
8ec584c
test(mfa): complete SMS-OTP full-chain MFA setup test (M4a)
lakhansamani Jul 15, 2026
a26fa82
refactor(mfa): consolidate 3 near-duplicate OTP-generation closures (…
lakhansamani Jul 15, 2026
03b05c8
fix(meta): is_webauthn_enabled honors --disable-webauthn-mfa
lakhansamani Jul 15, 2026
974cc85
feat(grpc): add REST/gRPC parity for MFA behavior redesign (PR #686)
lakhansamani Jul 15, 2026
8b32b10
test(grpc): cover EmailOtpMfaSetup/SmsOtpMfaSetup RPCs end-to-end
lakhansamani Jul 15, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -188,9 +188,10 @@ func init() {
// the effective Enable* / EnableMFA values from these flags.
f.BoolVar(&rootArgs.config.EnforceMFA, "enforce-mfa", false, "Enforce MFA for all users")
f.BoolVar(&rootArgs.config.DisableTOTPLogin, "disable-totp-login", false, "Disable TOTP-based MFA (enabled by default)")
f.BoolVar(&rootArgs.config.DisableWebauthnMFA, "disable-webauthn-mfa", false, "Disable WebAuthn/passkey as an MFA factor (enabled by default); does not affect WebAuthn/passkey as a primary login method")
f.BoolVar(&rootArgs.config.DisableEmailOTP, "disable-email-otp", false, "Disable email OTP MFA (enabled by default when email service is configured)")
f.BoolVar(&rootArgs.config.DisableSMSOTP, "disable-sms-otp", false, "Disable SMS OTP MFA (enabled by default when SMS service is configured)")
f.BoolVar(&rootArgs.config.DisableMFA, "disable-mfa", false, "Globally disable MFA (TOTP/email/SMS OTP), overriding the per-method flags; does not affect WebAuthn/passkey")
f.BoolVar(&rootArgs.config.DisableMFA, "disable-mfa", false, "Globally disable MFA (TOTP/email/SMS OTP), overriding the per-method flags; does not affect WebAuthn/passkey as a primary login method")
f.BoolVar(&rootArgs.config.EnableSignup, "enable-signup", true, "Enable signup")

// Cookies flags
Expand Down
43 changes: 29 additions & 14 deletions gen/go/authorizer/v1/admin.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading