refactor(core): remove unused email sms mfa code (#7669)

Author: wangsijie

packages/core/src/libraries/user.utils.ts

@@ -47,11 +47,6 @@ export const convertBindMfaToMfaVerification = (bindMfa: BindMfa): MfaVerificati
     };
   }
 
-  if (type === MfaFactor.EmailVerificationCode || type === MfaFactor.PhoneVerificationCode) {
-    // TODO @wangsijie: Implement this later
-    throw new Error('Not implemented yet');
-  }
-
   const { credentialId, counter, publicKey, transports, agent } = bindMfa;
   return {
     ...base,

packages/core/src/routes/experience/classes/helpers.ts

@@ -6,14 +6,7 @@
  */
 
 import { defaults, parseAffiliateData } from '@logto/affiliate';
-import {
-  adminTenantId,
-  MfaFactor,
-  VerificationType,
-  type User,
-  type Mfa,
-  type MfaVerification,
-} from '@logto/schemas';
+import { adminTenantId, MfaFactor, VerificationType, type User, type Mfa } from '@logto/schemas';
 import { conditional, trySafe } from '@silverhand/essentials';
 import { type IRouterContext } from 'koa-router';
 
@@ -202,10 +195,33 @@ export const getAllUserEnabledMfaVerifications = (
   mfaSettings: Mfa,
   user: User,
   currentProfile?: InteractionProfile
-): MfaVerification[] => {
-  const storedVerifications = filterOutEmptyBackupCodes(user.mfaVerifications).filter(
-    (verification) => mfaSettings.factors.includes(verification.type)
-  );
+): MfaFactor[] => {
+  const storedVerifications = filterOutEmptyBackupCodes(user.mfaVerifications)
+    .filter((verification) => mfaSettings.factors.includes(verification.type))
+    // Filter out backup codes if all the codes are used
+    .filter((verification) => {
+      if (verification.type !== MfaFactor.BackupCode) {
+        return true;
+      }
+      return verification.codes.some((code) => !code.usedAt);
+    })
+    .slice()
+    // Sort by last used time, the latest used factor is the first one, backup code is always the last one
+    .sort((verificationA, verificationB) => {
+      if (verificationA.type === MfaFactor.BackupCode) {
+        return 1;
+      }
+
+      if (verificationB.type === MfaFactor.BackupCode) {
+        return -1;
+      }
+
+      return (
+        new Date(verificationB.lastUsedAt ?? 0).getTime() -
+        new Date(verificationA.lastUsedAt ?? 0).getTime()
+      );
+    })
+    .map(({ type }) => type);
 
   if (!EnvSet.values.isDevFeaturesEnabled) {
     return storedVerifications;
@@ -217,23 +233,11 @@ export const getAllUserEnabledMfaVerifications = (
   const implicitVerifications = [
     // Email MFA Factor: user has primaryEmail + Email factor enabled in SIE
     ...(mfaSettings.factors.includes(MfaFactor.EmailVerificationCode) && email
-      ? ([
-          {
-            id: 'implicit-email-mfa', // Fake ID for capability
-            type: MfaFactor.EmailVerificationCode,
-            createdAt: new Date(user.createdAt).toISOString(),
-          },
-        ] satisfies MfaVerification[])
+      ? [MfaFactor.EmailVerificationCode]
       : []),
     // Phone MFA Factor: user has primaryPhone + Phone factor enabled in SIE
     ...(mfaSettings.factors.includes(MfaFactor.PhoneVerificationCode) && phone
-      ? ([
-          {
-            id: 'implicit-phone-mfa', // Fake ID for capability
-            type: MfaFactor.PhoneVerificationCode,
-            createdAt: new Date(user.createdAt).toISOString(),
-          },
-        ] satisfies MfaVerification[])
+      ? [MfaFactor.PhoneVerificationCode]
       : []),
   ];
 

packages/core/src/routes/experience/classes/libraries/mfa-validator.ts

@@ -5,7 +5,6 @@ import {
   userMfaDataGuard,
   userMfaDataKey,
   type Mfa,
-  type MfaVerification,
   type User,
 } from '@logto/schemas';
 
@@ -82,38 +81,14 @@ export class MfaValidator {
   get availableUserMfaVerificationTypes() {
     return (
       this.userEnabledMfaVerifications
-        // Filter out backup codes if all the codes are used
-        .filter((verification) => {
-          if (verification.type !== MfaFactor.BackupCode) {
-            return true;
-          }
-          return verification.codes.some((code) => !code.usedAt);
-        })
         // Filter out duplicated verifications with the same type
-        .reduce<MfaVerification[]>((verifications, verification) => {
-          if (verifications.some(({ type }) => type === verification.type)) {
+        .reduce<MfaFactor[]>((verifications, verification) => {
+          if (verifications.includes(verification)) {
             return verifications;
           }
 
           return [...verifications, verification];
         }, [])
-        .slice()
-        // Sort by last used time, the latest used factor is the first one, backup code is always the last one
-        .sort((verificationA, verificationB) => {
-          if (verificationA.type === MfaFactor.BackupCode) {
-            return 1;
-          }
-
-          if (verificationB.type === MfaFactor.BackupCode) {
-            return -1;
-          }
-
-          return (
-            new Date(verificationB.lastUsedAt ?? 0).getTime() -
-            new Date(verificationA.lastUsedAt ?? 0).getTime()
-          );
-        })
-        .map(({ type }) => type)
     );
   }
 
@@ -146,8 +121,8 @@ export class MfaValidator {
         // New bind MFA verification can not be used for verification
         !verification.isNewBindMfaVerification &&
         // Check if the verification type is enabled in the user's MFA settings
-        this.userEnabledMfaVerifications.some(
-          (factor) => factor.type === mfaVerificationTypeToMfaFactorMap[verification.type]
+        this.userEnabledMfaVerifications.includes(
+          mfaVerificationTypeToMfaFactorMap[verification.type]
         )
     );
 

packages/core/src/routes/experience/classes/mfa.ts

@@ -391,7 +391,7 @@ export class Mfa {
       currentProfile
     );
     return [
-      ...existingVerifications.map(({ type }) => type),
+      ...existingVerifications,
       ...(this.#totp ? [MfaFactor.TOTP] : []),
       ...(this.#webAuthn?.length ? [MfaFactor.WebAuthn] : []),
     ].filter(Boolean);

packages/core/src/routes/interaction/actions/submit-interaction.ts

@@ -67,13 +67,6 @@ const parseBindMfas = ({
       };
     }
 
-    if (
-      bindMfa.type === MfaFactor.EmailVerificationCode ||
-      bindMfa.type === MfaFactor.PhoneVerificationCode
-    ) {
-      throw new Error('Not implemented yet');
-    }
-
     // MfaFactor.PhoneVerificationCode
     return {
       id: generateStandardId(),

packages/core/src/routes/interaction/verifications/mfa-payload-verification.ts

@@ -168,14 +168,6 @@ export async function bindMfaPayloadVerification(
     return verifyBindWebAuthn(interactionStorage, bindMfaPayload, ctx, { rpId, userAgent, origin });
   }
 
-  if (
-    bindMfaPayload.type === MfaFactor.EmailVerificationCode ||
-    bindMfaPayload.type === MfaFactor.PhoneVerificationCode
-  ) {
-    // TODO: Implement email and SMS verification code binding
-    throw new Error('Email and SMS verification code MFA binding not implemented');
-  }
-
   return verifyBindBackupCode(interactionStorage, bindMfaPayload, ctx);
 }
 
@@ -252,41 +244,30 @@ export async function verifyMfaPayloadVerification(
     return result;
   }
 
-  if (verifyMfaPayload.type === MfaFactor.BackupCode) {
-    const { id, type } = await verifyBackupCode(user.mfaVerifications, verifyMfaPayload);
-
-    // Mark the backup code as used
-    await tenant.queries.users.updateUserById(accountId, {
-      mfaVerifications: user.mfaVerifications.map((mfa) => {
-        if (mfa.id !== id || mfa.type !== MfaFactor.BackupCode) {
-          return mfa;
-        }
-
-        return {
-          ...mfa,
-          codes: mfa.codes.map((code) => {
-            if (code.code !== verifyMfaPayload.code) {
-              return code;
-            }
-
-            return {
-              ...code,
-              usedAt: new Date().toISOString(),
-            };
-          }),
-        };
-      }),
-    });
+  const { id, type } = await verifyBackupCode(user.mfaVerifications, verifyMfaPayload);
 
-    return { id, type };
-  }
+  // Mark the backup code as used
+  await tenant.queries.users.updateUserById(accountId, {
+    mfaVerifications: user.mfaVerifications.map((mfa) => {
+      if (mfa.id !== id || mfa.type !== MfaFactor.BackupCode) {
+        return mfa;
+      }
 
-  if (verifyMfaPayload.type === MfaFactor.EmailVerificationCode) {
-    // TODO: Implement email verification code verification
-    throw new Error('Email verification code MFA verification not implemented');
-  }
+      return {
+        ...mfa,
+        codes: mfa.codes.map((code) => {
+          if (code.code !== verifyMfaPayload.code) {
+            return code;
+          }
+
+          return {
+            ...code,
+            usedAt: new Date().toISOString(),
+          };
+        }),
+      };
+    }),
+  });
 
-  // MfaFactor.PhoneVerificationCode
-  // TODO: Implement phone verification code verification
-  throw new Error('Phone verification code MFA verification not implemented');
+  return { id, type };
 }

packages/experience/src/apis/experience/mfa.ts

@@ -60,40 +60,40 @@ export const skipMfa = async () => {
   return submitInteraction();
 };
 
-export const bindMfa = async (payload: BindMfaPayload, verificationId: string) => {
-  switch (payload.type) {
-    case MfaFactor.TOTP: {
-      const { code } = payload;
-      await api.post(`${experienceApiRoutes.verification}/totp/verify`, {
-        json: {
-          code,
-          verificationId,
-        },
-      });
-      break;
-    }
-    case MfaFactor.WebAuthn: {
-      await api.post(`${experienceApiRoutes.verification}/web-authn/registration/verify`, {
-        json: {
-          verificationId,
-          payload,
-        },
-      });
-      break;
-    }
-    case MfaFactor.BackupCode: {
-      // No need to verify backup codes
-      break;
-    }
-    case MfaFactor.EmailVerificationCode:
-    case MfaFactor.PhoneVerificationCode: {
-      // Email/Phone MFA factors use special binding logic, but don't submit immediately
-      // to allow additional MFA factors to be bound in the same session
-      break;
+export const bindMfa = async (
+  type: MfaFactor,
+  verificationId: string,
+  payload?: BindMfaPayload
+) => {
+  if (payload) {
+    switch (payload.type) {
+      case MfaFactor.TOTP: {
+        const { code } = payload;
+        await api.post(`${experienceApiRoutes.verification}/totp/verify`, {
+          json: {
+            code,
+            verificationId,
+          },
+        });
+        break;
+      }
+      case MfaFactor.WebAuthn: {
+        await api.post(`${experienceApiRoutes.verification}/web-authn/registration/verify`, {
+          json: {
+            verificationId,
+            payload,
+          },
+        });
+        break;
+      }
+      case MfaFactor.BackupCode: {
+        // No need to verify backup codes
+        break;
+      }
     }
   }
 
-  await addMfa(payload.type, verificationId);
+  await addMfa(type, verificationId);
   return submitInteraction();
 };
 
@@ -126,11 +126,6 @@ export const verifyMfa = async (payload: VerifyMfaPayload, verificationId?: stri
       });
       break;
     }
-    case MfaFactor.EmailVerificationCode:
-    case MfaFactor.PhoneVerificationCode: {
-      // TODO: Implement email and phone verification code verification
-      break;
-    }
   }
 
   return submitInteraction();

packages/experience/src/containers/VerificationCode/use-continue-flow-code-verification.ts

@@ -141,7 +141,7 @@ const useContinueFlowCodeVerification = (
         }
 
         const [bindError, bindResult] = await asyncBindMfa(
-          { type: MfaFactor.EmailVerificationCode },
+          MfaFactor.EmailVerificationCode,
           verificationId
         );
 

packages/experience/src/hooks/use-send-mfa-payload.ts

@@ -23,7 +23,7 @@ export type SendMfaPayloadApiOptions =
 
 const sendMfaPayloadApi = async ({ flow, payload, verificationId }: SendMfaPayloadApiOptions) => {
   if (flow === UserMfaFlow.MfaBinding) {
-    return bindMfa(payload, verificationId);
+    return bindMfa(payload.type, verificationId, payload);
   }
   return verifyMfa(payload, verificationId);
 };

packages/schemas/src/foundations/jsonb-types/users.ts

@@ -111,31 +111,10 @@ export const mfaVerificationBackupCode = z.object({
 
 export type MfaVerificationBackupCode = z.infer<typeof mfaVerificationBackupCode>;
 
-// TODO @wangsijie: Implement this later
-export const mfaVerificationEmailVerificationCode = z.object({
-  type: z.literal(MfaFactor.EmailVerificationCode),
-  ...baseMfaVerification,
-});
-
-export type MfaVerificationEmailVerificationCode = z.infer<
-  typeof mfaVerificationEmailVerificationCode
->;
-
-export const mfaVerificationPhoneVerificationCode = z.object({
-  type: z.literal(MfaFactor.PhoneVerificationCode),
-  ...baseMfaVerification,
-});
-
-export type MfaVerificationPhoneVerificationCode = z.infer<
-  typeof mfaVerificationPhoneVerificationCode
->;
-
 export const mfaVerificationGuard = z.discriminatedUnion('type', [
   mfaVerificationTotp,
   mfaVerificationWebAuthn,
   mfaVerificationBackupCode,
-  mfaVerificationEmailVerificationCode,
-  mfaVerificationPhoneVerificationCode,
 ]);
 
 export type MfaVerification = z.infer<typeof mfaVerificationGuard>;