Skip to content

Conformance: complete step-up coverage (WebAuthn + browser/adapter) #22

Description

@Bccorb

Summary

seamless verify covers step-up only at the api layer (TOTP MFA freshening /step-up/status,
added in M5). WebAuthn step-up, and step-up at the adapter / react (browser) layers, are not yet
covered.

What's done

  • api/stepUp.spec.ts: enroll TOTP, confirm /step-up/status is fresh: false, verify
    /totp/verify-mfa, confirm it flips to fresh: true (method: totp).

What's deferred

  • WebAuthn step-up (/step-up/webauthn/start + /finish) end to end.
  • Browser / adapter step-up coverage.

Why it was pushed off

The React SDK exposes the client methods (getStepUpStatus, verifyStepUpWithPasskey) but has
no UI to drive them, the same gap OAuth had before fells-code/seamless-auth-react#44. A
request-context layer also can't run a real WebAuthn ceremony, so WebAuthn step-up needs the
browser (the M3 virtual-authenticator infra is already in place for this).

To complete

  1. Add a step-up UI to @seamless-auth/react (a component/route that surfaces step-up state and
    triggers a WebAuthn or TOTP re-auth), mirroring the OAuth provider UI work.
  2. Add a react browser step-up case here (reuse addVirtualAuthenticator from M3): register a
    passkey, trigger step-up, assert /step-up/status becomes fresh via method: webauthn.
  3. Optionally add adapter coverage if a non-browser path becomes feasible.

Once (1) and (2) land, stepUp shows coverage in the react column of the conformance matrix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions