feat(core,experience): show all MFA factors in suggestion flow (#7765)

feat(experience): show all MFA factors in suggestion flow with disabled state

Author: wangsijie

packages/core/src/routes/experience/classes/mfa.ts

@@ -17,8 +17,8 @@ import {
   OrganizationRequiredMfaPolicy,
   MfaFactor,
 } from '@logto/schemas';
-import { generateStandardId } from '@logto/shared';
-import { cond, deduplicate, pick } from '@silverhand/essentials';
+import { generateStandardId, maskEmail, maskPhone } from '@logto/shared';
+import { cond, condObject, deduplicate, pick } from '@silverhand/essentials';
 import { z } from 'zod';
 
 import RequestError from '#src/errors/RequestError/index.js';
@@ -333,9 +333,30 @@ export class Mfa {
       return;
     }
 
+    // Get user data for masking
+    const user = await this.interactionContext.getIdentifiedUser();
+    const { primaryEmail, primaryPhone } = user;
+
+    // Build masked identifiers for bound factors
+    const maskedIdentifiers = condObject({
+      [MfaFactor.EmailVerificationCode]:
+        factorsInUser.includes(MfaFactor.EmailVerificationCode) &&
+        primaryEmail &&
+        maskEmail(primaryEmail),
+      [MfaFactor.PhoneVerificationCode]:
+        factorsInUser.includes(MfaFactor.PhoneVerificationCode) &&
+        primaryPhone &&
+        maskPhone(primaryPhone),
+    });
+
     throw new RequestError(
       { code: 'session.mfa.suggest_additional_mfa', status: 422 },
-      { availableFactors: additionalFactors, skippable: true, suggestion: true }
+      {
+        availableFactors, // Return all available factors, not just additional ones
+        maskedIdentifiers,
+        skippable: true,
+        suggestion: true,
+      }
     );
   }
 

packages/experience/src/components/Button/MfaFactorButton.module.scss

@@ -7,6 +7,12 @@
   gap: _.unit(4);
   border-radius: 12px;
   border-color: var(--color-line-divider);
+
+  &.disabled {
+    cursor: not-allowed;
+    border: none;
+    background: var(--color-bg-body-base);
+  }
 }
 
 .icon {
@@ -23,6 +29,7 @@
 
   .name {
     font: var(--font-label-1);
+    color: var(--color-type-primary);
   }
 
   .description {

packages/experience/src/components/Button/MfaFactorButton.tsx

@@ -18,6 +18,8 @@ import styles from './index.module.scss';
 export type Props = {
   readonly factor: MfaFactor;
   readonly isBinding: boolean;
+  readonly isDisabled?: boolean;
+  readonly maskedIdentifier?: string;
   readonly onClick?: () => void;
 };
 
@@ -53,7 +55,7 @@ const linkFactorDescription: Record<MfaFactor, TFuncKey> = {
   [MfaFactor.PhoneVerificationCode]: 'mfa.link_phone_verification_code_description',
 };
 
-const MfaFactorButton = ({ factor, isBinding, onClick }: Props) => {
+const MfaFactorButton = ({ factor, isBinding, isDisabled, maskedIdentifier, onClick }: Props) => {
   const Icon = factorIcon[factor];
 
   return (
@@ -62,23 +64,31 @@ const MfaFactorButton = ({ factor, isBinding, onClick }: Props) => {
         styles.button,
         styles.secondary,
         styles.large,
-        mfaFactorButtonStyles.mfaFactorButton
+        mfaFactorButtonStyles.mfaFactorButton,
+        isDisabled && mfaFactorButtonStyles.disabled
       )}
       type="button"
-      onClick={onClick}
+      disabled={isDisabled}
+      onClick={isDisabled ? undefined : onClick}
     >
       <Icon className={mfaFactorButtonStyles.icon} />
       <div className={mfaFactorButtonStyles.title}>
         <div className={mfaFactorButtonStyles.name}>
           <DynamicT forKey={factorName[factor]} />
         </div>
         <div className={mfaFactorButtonStyles.description}>
-          <DynamicT forKey={(isBinding ? linkFactorDescription : factorDescription)[factor]} />
+          {maskedIdentifier ? (
+            <span>{maskedIdentifier}</span>
+          ) : (
+            <DynamicT forKey={(isBinding ? linkFactorDescription : factorDescription)[factor]} />
+          )}
         </div>
       </div>
-      <FlipOnRtl>
-        <ArrowNext className={mfaFactorButtonStyles.icon} />
-      </FlipOnRtl>
+      {!isDisabled && (
+        <FlipOnRtl>
+          <ArrowNext className={mfaFactorButtonStyles.icon} />
+        </FlipOnRtl>
+      )}
     </button>
   );
 };

packages/experience/src/containers/MfaFactorList/index.tsx

@@ -50,16 +50,27 @@ const MfaFactorList = ({ flow, flowState }: Props) => {
 
   return (
     <div className={styles.factorList}>
-      {availableFactors.map((factor) => (
-        <MfaFactorButton
-          key={factor}
-          factor={factor}
-          isBinding={flow === UserMfaFlow.MfaBinding}
-          onClick={async () => {
-            await handleSelectFactor(factor);
-          }}
-        />
-      ))}
+      {availableFactors.map((factor) => {
+        const isEmailOrPhone =
+          factor === MfaFactor.EmailVerificationCode || factor === MfaFactor.PhoneVerificationCode;
+        const isDisabled = Boolean(
+          flowState.suggestion && isEmailOrPhone && flowState.maskedIdentifiers?.[factor]
+        );
+        const maskedIdentifier = isEmailOrPhone ? flowState.maskedIdentifiers?.[factor] : undefined;
+
+        return (
+          <MfaFactorButton
+            key={factor}
+            factor={factor}
+            isBinding={flow === UserMfaFlow.MfaBinding}
+            isDisabled={isDisabled}
+            maskedIdentifier={maskedIdentifier}
+            onClick={async () => {
+              await handleSelectFactor(factor);
+            }}
+          />
+        );
+      })}
     </div>
   );
 };

packages/experience/src/pages/MfaBinding/index.tsx

@@ -20,8 +20,10 @@ const MfaBinding = () => {
 
   return (
     <SecondaryPageLayout
-      title="mfa.add_mfa_factors"
-      description="mfa.add_mfa_description"
+      title={flowState.suggestion ? 'mfa.add_another_mfa_factor' : 'mfa.add_mfa_factors'}
+      description={
+        flowState.suggestion ? 'mfa.add_another_mfa_description' : 'mfa.add_mfa_description'
+      }
       onSkip={conditional(
         flowState.skippable && (flowState.suggestion ? skipOptionalMfa : skipMfa)
       )}

packages/integration-tests/src/tests/api/experience-api/bind-mfa/mfa-suggestion.test.ts

@@ -71,17 +71,23 @@ describe('Register interaction - optional additional MFA suggestion', () => {
     await client.updateProfile({ type: 'password', value: password });
     await client.identifyUser({ verificationId });
 
-    await expectRejects<{ availableFactors: MfaFactor[]; skippable: boolean }>(
-      client.submitInteraction(),
-      {
-        code: 'session.mfa.suggest_additional_mfa',
-        status: 422,
-        expectData: (data) => {
-          expect(data.availableFactors).toEqual([MfaFactor.TOTP]);
-          expect(data.skippable).toBe(true);
-        },
-      }
-    );
+    await expectRejects<{
+      availableFactors: MfaFactor[];
+      skippable: boolean;
+      maskedIdentifiers?: Record<string, string>;
+      suggestion?: boolean;
+    }>(client.submitInteraction(), {
+      code: 'session.mfa.suggest_additional_mfa',
+      status: 422,
+      expectData: (data) => {
+        // Should now include both Email and TOTP
+        expect(data.availableFactors).toEqual([MfaFactor.EmailVerificationCode, MfaFactor.TOTP]);
+        expect(data.maskedIdentifiers).toBeDefined();
+        expect(data.maskedIdentifiers?.[MfaFactor.EmailVerificationCode]).toMatch(/\*{4}/);
+        expect(data.skippable).toBe(true);
+        expect(data.suggestion).toBe(true);
+      },
+    });
 
     // Skip suggestion
     await client.skipMfaSuggestion();

packages/integration-tests/src/tests/experience/mfa/suggest-additional-on-register.test.ts

@@ -64,10 +64,10 @@ devFeatureTest.describe('Experience - suggest additional MFA after email registr
     await experience.waitForPathname('continue/password');
     await experience.toFillNewPasswords(password);
 
-    // Wait for suggestion navigation and page render (list page)
-    await experience.waitForPathname('mfa-binding/Totp');
+    // Wait for suggestion navigation to MFA list page
+    await experience.waitForPathname('mfa-binding');
 
-    // Skip optional suggestion
+    // Skip optional suggestion from list page
     await experience.toClick('div[role=button][class$=skipButton]');
     await experience.page.waitForNetworkIdle();
 
@@ -97,7 +97,11 @@ devFeatureTest.describe('Experience - suggest additional MFA after email registr
     await experience.waitForPathname('continue/password');
     await experience.toFillNewPasswords(password);
 
-    // Land on optional MFA suggestion list
+    // Land on optional MFA suggestion list page
+    await experience.waitForPathname('mfa-binding');
+
+    // Click on TOTP factor button to proceed with binding
+    await experience.toClick('button', 'Authenticator app OTP');
     await experience.waitForPathname('mfa-binding/Totp');
     await experience.toBindTotp();
     const userId = await experience.getUserIdFromDemoAppPage();
@@ -127,8 +131,8 @@ devFeatureTest.describe('Experience - suggest additional MFA after email registr
     await experience.waitForPathname('continue/password');
     await experience.toFillNewPasswords(password);
 
-    // Optional suggestion detail page for TOTP
-    await experience.waitForPathname('mfa-binding/Totp');
+    // Optional suggestion list page
+    await experience.waitForPathname('mfa-binding');
 
     // Click skip for optional suggestion; backend should require backup code
     await experience.toClick('div[role=button][class$=skipButton]');

packages/phrases-experience/src/locales/ar/mfa.ts

@@ -18,6 +18,8 @@ const mfa = {
   verify_phone_verification_code_description: 'أدخل الرمز المرسل إلى هاتفك',
   add_mfa_factors: 'إضافة التحقق من خطوتين',
   add_mfa_description: 'تم تمكين التحقق من خطوتين. حدد طريقة التحقق الثانية لتسجيل الدخول الآمن.',
+  add_another_mfa_factor: 'إضافة تحقق آخر من خطوتين',
+  add_another_mfa_description: 'حدد طريقة أخرى للتحقق من هويتك عند تسجيل الدخول.',
   verify_mfa_factors: 'التحقق من خطوتين',
   verify_mfa_description:
     'تم تمكين التحقق من خطوتين لهذا الحساب. يرجى تحديد الطريقة الثانية للتحقق من هويتك.',

packages/phrases-experience/src/locales/de/mfa.ts

@@ -19,6 +19,9 @@ const mfa = {
   add_mfa_factors: '2-Schritte-Verifizierung hinzufügen',
   add_mfa_description:
     'Die Zwei-Faktor-Verifizierung ist aktiviert. Wählen Sie Ihre zweite Verifizierungsmethode für sicheres Anmelden aus.',
+  add_another_mfa_factor: 'Eine weitere 2-Schritte-Verifizierung hinzufügen',
+  add_another_mfa_description:
+    'Wählen Sie eine andere Methode zur Verifizierung Ihrer Identität bei der Anmeldung.',
   verify_mfa_factors: '2-Schritte-Verifizierung',
   verify_mfa_description:
     'Die 2-Schritte-Verifizierung ist für dieses Konto aktiviert. Bitte wählen Sie die zweite Methode zur Verifizierung Ihrer Identität aus.',

packages/phrases-experience/src/locales/en/mfa.ts

@@ -19,6 +19,9 @@ const mfa = {
   add_mfa_factors: 'Add 2-step verification',
   add_mfa_description:
     'Two-factor verification is enabled. Select your second verification method for secure sign-in.',
+  add_another_mfa_factor: 'Add another one 2-step verification',
+  add_another_mfa_description:
+    'Select another way to add for verifying your identity when sign-in.',
   verify_mfa_factors: '2-step verification',
   verify_mfa_description:
     '2-step verification has been enabled for this account. Please select the second way to verify your identity.',