Summary
seamless verify covers step-up only at the api layer (TOTP MFA freshening /step-up/status,
added in M5). WebAuthn step-up, and step-up at the adapter / react (browser) layers, are not yet
covered.
What's done
api/stepUp.spec.ts: enroll TOTP, confirm /step-up/status is fresh: false, verify
/totp/verify-mfa, confirm it flips to fresh: true (method: totp).
What's deferred
- WebAuthn step-up (
/step-up/webauthn/start + /finish) end to end.
- Browser / adapter step-up coverage.
Why it was pushed off
The React SDK exposes the client methods (getStepUpStatus, verifyStepUpWithPasskey) but has
no UI to drive them, the same gap OAuth had before fells-code/seamless-auth-react#44. A
request-context layer also can't run a real WebAuthn ceremony, so WebAuthn step-up needs the
browser (the M3 virtual-authenticator infra is already in place for this).
To complete
- Add a step-up UI to
@seamless-auth/react (a component/route that surfaces step-up state and
triggers a WebAuthn or TOTP re-auth), mirroring the OAuth provider UI work.
- Add a react browser step-up case here (reuse
addVirtualAuthenticator from M3): register a
passkey, trigger step-up, assert /step-up/status becomes fresh via method: webauthn.
- Optionally add adapter coverage if a non-browser path becomes feasible.
Once (1) and (2) land, stepUp shows coverage in the react column of the conformance matrix.
Summary
seamless verifycovers step-up only at the api layer (TOTP MFA freshening/step-up/status,added in M5). WebAuthn step-up, and step-up at the adapter / react (browser) layers, are not yet
covered.
What's done
api/stepUp.spec.ts: enroll TOTP, confirm/step-up/statusisfresh: false, verify/totp/verify-mfa, confirm it flips tofresh: true(method: totp).What's deferred
/step-up/webauthn/start+/finish) end to end.Why it was pushed off
The React SDK exposes the client methods (
getStepUpStatus,verifyStepUpWithPasskey) but hasno UI to drive them, the same gap OAuth had before fells-code/seamless-auth-react#44. A
request-context layer also can't run a real WebAuthn ceremony, so WebAuthn step-up needs the
browser (the M3 virtual-authenticator infra is already in place for this).
To complete
@seamless-auth/react(a component/route that surfaces step-up state andtriggers a WebAuthn or TOTP re-auth), mirroring the OAuth provider UI work.
addVirtualAuthenticatorfrom M3): register apasskey, trigger step-up, assert
/step-up/statusbecomes fresh viamethod: webauthn.Once (1) and (2) land,
stepUpshows coverage in the react column of the conformance matrix.