feat(mfa): offer passkey enrollment during the login-time MFA setup#63
Open
lakhansamani wants to merge 1 commit into
Open
feat(mfa): offer passkey enrollment during the login-time MFA setup#63lakhansamani wants to merge 1 commit into
lakhansamani wants to merge 1 commit into
Conversation
AuthorizerMFASetup hardcoded passkey: false everywhere it was rendered with loginContext set (login/signup/OAuth/passkey-primary), and force-hid the option whenever loginContext was present at all - because webauthn_registration_options/verify required a bearer token that doesn't exist until the MFA gate is satisfied. The backend (authorizerdev/authorizer, authorizerdev/authorizer-js#47) now supports authenticating that ceremony via the MFA session cookie instead, so passkey is a real option here. Also, using the new mfaGate signal on the OAuth/magic-link return path: route to AuthorizerVerifyOtp for an already-configured factor instead of always showing the setup screen, and let AuthorizerPasskeyLogin's verify step render the same challenge form (previously told the user to sign in with a password instead). Removed a stale useEffect in AuthorizerVerifyOtp that flagged "Email or Phone Number is required" on mount even for the legitimate session-only resolution path these two flows now exercise.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AuthorizerMFASetupnow offers passkey as a real enrollment option during the login-time (token-withheld) MFA offer screen, wired throughAuthorizerBasicAuthLogin/AuthorizerSignup/AuthorizerRoot/AuthorizerPasskeyLogin(all previously hardcodedpasskey: false).mfa_gateredirect param: rendersAuthorizerVerifyOtp(challenge) for an already-configured factor instead of always showing the setup screen.AuthorizerPasskeyLogin's "verify" step renders the real challenge form instead of telling the user to sign in with a password.AuthorizerVerifyOtpuseEffectthat misfired an "Email or Phone Number is required" error on the now-legitimate session-only resolution path.Depends on authorizerdev/authorizer-js#47 (the SDK changes this consumes) and the corresponding backend PR on authorizerdev/authorizer (
feat/enforce-mfa-passkey-gate).Test plan
npx tsc --noEmit— cleannpm run build— cleanmfa_gate=verifycorrectly renders the OTP challenge screen instead of setup