fix(core): handle emailOrPhone for MFA suggestion (#7980)

Author: wangsijie

packages/core/src/routes/experience/classes/mfa.ts

@@ -17,6 +17,7 @@ import {
   OrganizationRequiredMfaPolicy,
   MfaFactor,
   SignInIdentifier,
+  AlternativeSignUpIdentifier,
 } from '@logto/schemas';
 import { generateStandardId, maskEmail, maskPhone } from '@logto/shared';
 import { cond, condObject, deduplicate, pick } from '@silverhand/essentials';
@@ -322,15 +323,23 @@ export class Mfa {
     if (
       factorsInUser.includes(MfaFactor.EmailVerificationCode) &&
       !signUp.identifiers.includes(SignInIdentifier.Email) &&
-      !signUp.secondaryIdentifiers?.some(({ identifier }) => identifier === SignInIdentifier.Email)
+      !signUp.secondaryIdentifiers?.some(
+        ({ identifier }) =>
+          identifier === SignInIdentifier.Email ||
+          identifier === AlternativeSignUpIdentifier.EmailOrPhone
+      )
     ) {
       return;
     }
     // If the user has phone, but not registered by phone, no suggestion
     if (
       factorsInUser.includes(MfaFactor.PhoneVerificationCode) &&
       !signUp.identifiers.includes(SignInIdentifier.Phone) &&
-      !signUp.secondaryIdentifiers?.some(({ identifier }) => identifier === SignInIdentifier.Phone)
+      !signUp.secondaryIdentifiers?.some(
+        ({ identifier }) =>
+          identifier === SignInIdentifier.Phone ||
+          identifier === AlternativeSignUpIdentifier.EmailOrPhone
+      )
     ) {
       return;
     }

packages/integration-tests/src/tests/api/experience-api/bind-mfa/mfa-suggestion.test.ts

@@ -1,5 +1,11 @@
 import { ConnectorType } from '@logto/connector-kit';
-import { InteractionEvent, MfaFactor, MfaPolicy, SignInIdentifier } from '@logto/schemas';
+import {
+  AlternativeSignUpIdentifier,
+  InteractionEvent,
+  MfaFactor,
+  MfaPolicy,
+  SignInIdentifier,
+} from '@logto/schemas';
 import { authenticator } from 'otplib';
 
 import { deleteUser } from '#src/api/admin-user.js';
@@ -214,6 +220,75 @@ describe('Register interaction - optional additional MFA suggestion', () => {
     await deleteUser(userId);
   });
 
+  it('should suggest additional MFA when email or phone is required as a secondary identifier', async () => {
+    await updateSignInExperience({
+      signUp: {
+        identifiers: [SignInIdentifier.Username],
+        password: true,
+        verify: true,
+        secondaryIdentifiers: [
+          {
+            identifier: AlternativeSignUpIdentifier.EmailOrPhone,
+            verify: true,
+          },
+        ],
+      },
+      signIn: {
+        methods: [
+          {
+            identifier: SignInIdentifier.Username,
+            password: true,
+            verificationCode: false,
+            isPasswordPrimary: false,
+          },
+        ],
+      },
+      mfa: {
+        factors: [MfaFactor.EmailVerificationCode, MfaFactor.TOTP],
+        policy: MfaPolicy.Mandatory,
+      },
+    });
+
+    const { username, password, primaryEmail } = generateNewUserProfile({
+      username: true,
+      password: true,
+      primaryEmail: true,
+    });
+
+    const client = await initExperienceClient({ interactionEvent: InteractionEvent.Register });
+
+    await client.updateProfile({ type: SignInIdentifier.Username, value: username });
+    await client.updateProfile({ type: 'password', value: password });
+
+    await fulfillUserEmail(client, primaryEmail);
+
+    await client.identifyUser();
+
+    await expectRejects<{
+      availableFactors: MfaFactor[];
+      skippable: boolean;
+      maskedIdentifiers?: Record<string, string>;
+      suggestion?: boolean;
+    }>(client.submitInteraction(), {
+      code: 'session.mfa.suggest_additional_mfa',
+      status: 422,
+      expectData: (data) => {
+        expect(data.availableFactors).toEqual([MfaFactor.TOTP, MfaFactor.EmailVerificationCode]);
+        expect(data.maskedIdentifiers).toBeDefined();
+        expect(data.maskedIdentifiers?.[MfaFactor.EmailVerificationCode]).toMatch(/\*{4}/);
+        expect(data.skippable).toBe(true);
+        expect(data.suggestion).toBe(true);
+      },
+    });
+
+    await client.skipMfaSuggestion();
+
+    const { redirectTo } = await client.submitInteraction();
+    const userId = await processSession(client, redirectTo);
+    await logoutClient(client);
+    await deleteUser(userId);
+  });
+
   it('should not suggest MFA after fulfilling phone verification when both email and SMS factors are enabled', async () => {
     // Configure MFA with email, phone, and TOTP factors
     await updateSignInExperience({