feat(core): bind SMS MFA (#7662)

wangsijie · web-flow · commit 040342975864 · 2025-08-12T16:11:20.000+08:00
diff --git a/packages/core/src/routes/experience/classes/helpers.ts b/packages/core/src/routes/experience/classes/helpers.ts
@@ -212,6 +212,7 @@ export const getAllUserEnabledMfaVerifications = (
   }
 
   const email = currentProfile?.primaryEmail ?? user.primaryEmail;
+  const phone = currentProfile?.primaryPhone ?? user.primaryPhone;
 
   const implicitVerifications = [
     // Email MFA Factor: user has primaryEmail + Email factor enabled in SIE
@@ -224,6 +225,16 @@ export const getAllUserEnabledMfaVerifications = (
           },
         ] satisfies MfaVerification[])
       : []),
+    // Phone MFA Factor: user has primaryPhone + Phone factor enabled in SIE
+    ...(mfaSettings.factors.includes(MfaFactor.PhoneVerificationCode) && phone
+      ? ([
+          {
+            id: 'implicit-phone-mfa', // Fake ID for capability
+            type: MfaFactor.PhoneVerificationCode,
+            createdAt: new Date(user.createdAt).toISOString(),
+          },
+        ] satisfies MfaVerification[])
+      : []),
   ];
 
   return [...storedVerifications, ...implicitVerifications];
diff --git a/packages/core/src/routes/experience/classes/libraries/mfa-validator.ts b/packages/core/src/routes/experience/classes/libraries/mfa-validator.ts
@@ -11,7 +11,10 @@ import {
 
 import { getAllUserEnabledMfaVerifications } from '../helpers.js';
 import { type BackupCodeVerification } from '../verifications/backup-code-verification.js';
-import { type EmailCodeVerification } from '../verifications/code-verification.js';
+import {
+  type EmailCodeVerification,
+  type PhoneCodeVerification,
+} from '../verifications/code-verification.js';
 import { type VerificationRecord } from '../verifications/index.js';
 import { type TotpVerification } from '../verifications/totp-verification.js';
 import { type WebAuthnVerification } from '../verifications/web-authn-verification.js';
@@ -21,26 +24,30 @@ const mfaVerificationTypes = Object.freeze([
   VerificationType.BackupCode,
   VerificationType.WebAuthn,
   VerificationType.EmailVerificationCode,
+  VerificationType.PhoneVerificationCode,
 ]);
 
 type MfaVerificationType =
   | VerificationType.TOTP
   | VerificationType.BackupCode
   | VerificationType.WebAuthn
-  | VerificationType.EmailVerificationCode;
+  | VerificationType.EmailVerificationCode
+  | VerificationType.PhoneVerificationCode;
 
 const mfaVerificationTypeToMfaFactorMap = Object.freeze({
   [VerificationType.TOTP]: MfaFactor.TOTP,
   [VerificationType.BackupCode]: MfaFactor.BackupCode,
   [VerificationType.WebAuthn]: MfaFactor.WebAuthn,
   [VerificationType.EmailVerificationCode]: MfaFactor.EmailVerificationCode,
+  [VerificationType.PhoneVerificationCode]: MfaFactor.PhoneVerificationCode,
 }) satisfies Record<MfaVerificationType, MfaFactor>;
 
 type MfaVerificationRecord =
   | TotpVerification
   | WebAuthnVerification
   | BackupCodeVerification
-  | EmailCodeVerification;
+  | EmailCodeVerification
+  | PhoneCodeVerification;
 
 const isMfaVerificationRecord = (
   verification: VerificationRecord
diff --git a/packages/core/src/routes/experience/profile-routes.ts b/packages/core/src/routes/experience/profile-routes.ts
@@ -231,8 +231,16 @@ export default function interactionProfileRoutes<T extends ExperienceInteraction
           break;
         }
         case MfaFactor.PhoneVerificationCode: {
-          // TODO: Implement SMS verification code MFA binding
-          throw new Error('Not implemented yet');
+          if (!EnvSet.values.isDevFeaturesEnabled) {
+            throw new Error('Not implemented yet');
+          }
+
+          await experienceInteraction.profile.setProfileByVerificationId(
+            SignInIdentifier.Phone,
+            verificationId,
+            log
+          );
+          break;
         }
       }
 
diff --git a/packages/integration-tests/src/helpers/sign-in-experience.ts b/packages/integration-tests/src/helpers/sign-in-experience.ts
@@ -185,6 +185,22 @@ export const enableMandatoryMfaWithEmailAndBackupCode = async () =>
     },
   });
 
+export const enableMandatoryMfaWithPhone = async () =>
+  updateSignInExperience({
+    mfa: {
+      factors: [MfaFactor.PhoneVerificationCode],
+      policy: MfaPolicy.Mandatory,
+    },
+  });
+
+export const enableMandatoryMfaWithPhoneAndBackupCode = async () =>
+  updateSignInExperience({
+    mfa: {
+      factors: [MfaFactor.PhoneVerificationCode, MfaFactor.BackupCode],
+      policy: MfaPolicy.Mandatory,
+    },
+  });
+
 export const enableMandatoryMfaWithWebAuthnAndBackupCode = async () =>
   updateSignInExperience({
     mfa: {
diff --git a/packages/integration-tests/src/tests/api/experience-api/bind-mfa/email-phone.test.ts b/packages/integration-tests/src/tests/api/experience-api/bind-mfa/email-phone.test.ts

Original file line number	Diff line number	Diff line change
`@@ -231,8 +231,16 @@ export default function interactionProfileRoutes<T extends ExperienceInteraction`
`231`	`231`	`break;`
`232`	`232`	`}`
`233`	`233`	`case MfaFactor.PhoneVerificationCode: {`
`234`		`- // TODO: Implement SMS verification code MFA binding`
`235`		`- throw new Error('Not implemented yet');`
	`234`	`+ if (!EnvSet.values.isDevFeaturesEnabled) {`
	`235`	`+ throw new Error('Not implemented yet');`
	`236`	`+ }`
	`237`	`+`
	`238`	`+ await experienceInteraction.profile.setProfileByVerificationId(`
	`239`	`+ SignInIdentifier.Phone,`
	`240`	`+ verificationId,`
	`241`	`+ log`
	`242`	`+ );`
	`243`	`+ break;`
`236`	`244`	`}`
`237`	`245`	`}`
`238`	`246`