chore(core): publish mfa skip api (#7904)

Author: wangsijie

.changeset/little-suits-whisper.md

@@ -5,5 +5,5 @@
 add API for MFA skip controls
 
 expose logto_config endpoints in account and management APIs for managing MFA skip controls
-- /api/my-account/logto-config
-- /api/admin/users/:userId/logto-config
+- /api/my-account/logto-configs
+- /api/admin/users/:userId/logto-configs

packages/core/src/routes/account/index.openapi.json

@@ -176,7 +176,6 @@
     },
     "/api/my-account/logto-configs": {
       "get": {
-        "tags": ["Dev feature"],
         "operationId": "GetLogtoConfig",
         "summary": "Get logto config",
         "description": "Retrieve the exposed portion of the current user's logto config. This endpoint currently includes only the MFA skip state.",
@@ -193,7 +192,6 @@
         }
       },
       "patch": {
-        "tags": ["Dev feature"],
         "operationId": "UpdateLogtoConfig",
         "summary": "Update logto config",
         "description": "Update the exposed portion of the current user's logto config. This endpoint currently allows updating only the MFA skip state.",

packages/core/src/routes/account/logto-config.ts

@@ -4,18 +4,13 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
-import { EnvSet } from '../../env-set/index.js';
 import RequestError from '../../errors/RequestError/index.js';
 import assertThat from '../../utils/assert-that.js';
 import type { UserRouter, RouterInitArgs } from '../types.js';
 
 import { accountApiPrefix } from './constants.js';
 
 export default function logtoConfigRoutes<T extends UserRouter>(...args: RouterInitArgs<T>) {
-  if (!EnvSet.values.isDevFeaturesEnabled) {
-    return;
-  }
-
   const [router, { queries }] = args;
   const {
     users: { updateUserById, findUserById },

packages/core/src/routes/admin-user/basic.openapi.json

@@ -110,7 +110,6 @@
     },
     "/api/users/{userId}/logto-configs": {
       "get": {
-        "tags": ["Dev feature"],
         "responses": {
           "200": {
             "description": "Returns the exposed user logto config fields. Currently, only the MFA skip state is available."
@@ -120,7 +119,6 @@
         "description": "Retrieve the exposed portion of a user's logto config. This endpoint currently includes only the MFA skip state."
       },
       "patch": {
-        "tags": ["Dev feature"],
         "requestBody": {
           "content": {
             "application/json": {

packages/core/src/routes/admin-user/basics.ts

@@ -19,7 +19,6 @@ import { encryptUserPassword } from '#src/libraries/user.utils.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 import assertThat from '#src/utils/assert-that.js';
 
-import { EnvSet } from '../../env-set/index.js';
 import { parseLegacyPassword } from '../../utils/password.js';
 import { captureDeveloperEvent } from '../../utils/posthog.js';
 import { transpileUserProfileResponse } from '../../utils/user.js';
@@ -121,83 +120,81 @@ export default function adminUserBasicsRoutes<T extends ManagementApiRouter>(
     }
   );
 
-  if (EnvSet.values.isDevFeaturesEnabled) {
-    router.get(
-      '/users/:userId/logto-configs',
-      koaGuard({
-        params: object({ userId: string() }),
-        response: object({
-          mfa: object({
-            skipped: boolean(),
-          }),
+  router.get(
+    '/users/:userId/logto-configs',
+    koaGuard({
+      params: object({ userId: string() }),
+      response: object({
+        mfa: object({
+          skipped: boolean(),
         }),
-        status: [200, 404],
       }),
-      async (ctx, next) => {
-        const {
-          params: { userId },
-        } = ctx.guard;
+      status: [200, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { userId },
+      } = ctx.guard;
 
-        const user = await findUserById(userId);
-        const existingMfaData = userMfaDataGuard.safeParse(user.logtoConfig[userMfaDataKey]);
+      const user = await findUserById(userId);
+      const existingMfaData = userMfaDataGuard.safeParse(user.logtoConfig[userMfaDataKey]);
 
-        ctx.body = {
-          mfa: {
-            skipped: existingMfaData.success ? Boolean(existingMfaData.data.skipped) : false,
-          },
-        };
+      ctx.body = {
+        mfa: {
+          skipped: existingMfaData.success ? Boolean(existingMfaData.data.skipped) : false,
+        },
+      };
 
-        return next();
-      }
-    );
-
-    router.patch(
-      '/users/:userId/logto-configs',
-      koaGuard({
-        params: object({ userId: string() }),
-        body: object({
-          mfa: object({
-            skipped: boolean(),
-          }),
+      return next();
+    }
+  );
+
+  router.patch(
+    '/users/:userId/logto-configs',
+    koaGuard({
+      params: object({ userId: string() }),
+      body: object({
+        mfa: object({
+          skipped: boolean(),
         }),
-        response: object({
-          mfa: object({
-            skipped: boolean(),
-          }),
+      }),
+      response: object({
+        mfa: object({
+          skipped: boolean(),
         }),
-        status: [200, 404],
       }),
-      async (ctx, next) => {
-        const {
-          params: { userId },
-          body: {
-            mfa: { skipped },
-          },
-        } = ctx.guard;
-
-        const user = await findUserById(userId);
-        const existingMfaData = userMfaDataGuard.safeParse(user.logtoConfig[userMfaDataKey]);
-
-        const updatedUser = await updateUserById(userId, {
-          logtoConfig: {
-            ...user.logtoConfig,
-            [userMfaDataKey]: {
-              ...(existingMfaData.success ? existingMfaData.data : {}),
-              skipped,
-            },
+      status: [200, 404],
+    }),
+    async (ctx, next) => {
+      const {
+        params: { userId },
+        body: {
+          mfa: { skipped },
+        },
+      } = ctx.guard;
+
+      const user = await findUserById(userId);
+      const existingMfaData = userMfaDataGuard.safeParse(user.logtoConfig[userMfaDataKey]);
+
+      const updatedUser = await updateUserById(userId, {
+        logtoConfig: {
+          ...user.logtoConfig,
+          [userMfaDataKey]: {
+            ...(existingMfaData.success ? existingMfaData.data : {}),
+            skipped,
           },
-        });
+        },
+      });
 
-        ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
+      ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
 
-        ctx.body = {
-          mfa: { skipped },
-        };
+      ctx.body = {
+        mfa: { skipped },
+      };
 
-        return next();
-      }
-    );
-  }
+      return next();
+    }
+  );
 
   router.patch(
     '/users/:userId/profile',

packages/integration-tests/src/tests/api/account/mfa-settings.test.ts

@@ -16,7 +16,6 @@ import {
   signInAndGetUserApi,
 } from '#src/helpers/profile.js';
 import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
-import { devFeatureTest } from '#src/utils.js';
 
 describe('my-account (mfa-settings)', () => {
   beforeAll(async () => {
@@ -194,7 +193,7 @@ describe('my-account (mfa-settings)', () => {
     });
   });
 
-  devFeatureTest.describe('PATCH /api/my-account/logto-configs', () => {
+  describe('PATCH /api/my-account/logto-configs', () => {
     it('should update MFA skip state successfully', async () => {
       const { user, username, password } = await createDefaultTenantUserWithPassword();
       const api = await signInAndGetUserApi(username, password, {

packages/integration-tests/src/tests/api/admin-user.mfa-verifications.test.ts

@@ -9,7 +9,6 @@ import {
   updateUserLogtoConfig,
 } from '#src/api/index.js';
 import { createUserByAdmin } from '#src/helpers/index.js';
-import { devFeatureTest } from '#src/utils.js';
 
 describe('admin console user management (mfa verifications)', () => {
   it('should get empty list successfully', async () => {
@@ -58,7 +57,7 @@ describe('admin console user management (mfa verifications)', () => {
     await deleteUser(user.id);
   });
 
-  devFeatureTest.it('should update logto_config MFA skip state successfully', async () => {
+  it('should update logto_config MFA skip state successfully', async () => {
     const user = await createUserByAdmin();
 
     const config = await getUserLogtoConfig(user.id);

packages/integration-tests/src/tests/api/experience-api/bind-mfa/happpy-path.test.ts

@@ -26,7 +26,6 @@ import {
   enableUserControlledMfaWithTotpOnlyAtSignIn,
 } from '#src/helpers/sign-in-experience.js';
 import { generateNewUserProfile, UserApiTest } from '#src/helpers/user.js';
-import { devFeatureTest } from '#src/utils.js';
 
 describe('Bind MFA APIs happy path', () => {
   const userApi = new UserApiTest();
@@ -175,60 +174,57 @@ describe('Bind MFA APIs happy path', () => {
       await deleteUser(userId);
     });
 
-    devFeatureTest.it(
-      'should prompt again after resetting skip state via management API',
-      async () => {
-        const { username, password } = generateNewUserProfile({ username: true, password: true });
-        const client = await initExperienceClient({
-          interactionEvent: InteractionEvent.Register,
-        });
-
-        const { verificationId } = await client.createNewPasswordIdentityVerification({
-          identifier: {
-            type: SignInIdentifier.Username,
-            value: username,
-          },
-          password,
-        });
-
-        await client.identifyUser({ verificationId });
-
-        await expectRejects(client.submitInteraction(), {
-          code: 'user.missing_mfa',
-          status: 422,
-        });
-
-        await client.skipMfaBinding();
-
-        const { redirectTo } = await client.submitInteraction();
-        const userId = await processSession(client, redirectTo);
-        await logoutClient(client);
-
-        const skippedConfig = await getUserLogtoConfig(userId);
-        expect(skippedConfig.mfa.skipped).toBe(true);
-
-        await signInWithPassword({
-          identifier: {
-            type: SignInIdentifier.Username,
-            value: username,
-          },
-          password,
-        });
-
-        await updateUserLogtoConfig(userId, false);
-        const resetConfig = await getUserLogtoConfig(userId);
-        expect(resetConfig.mfa.skipped).toBe(false);
-
-        const client2 = await initExperienceClient();
-        await identifyUserWithUsernamePassword(client2, username, password);
-        await expectRejects(client2.submitInteraction(), {
-          code: 'user.missing_mfa',
-          status: 422,
-        });
-
-        await deleteUser(userId);
-      }
-    );
+    it('should prompt again after resetting skip state via management API', async () => {
+      const { username, password } = generateNewUserProfile({ username: true, password: true });
+      const client = await initExperienceClient({
+        interactionEvent: InteractionEvent.Register,
+      });
+
+      const { verificationId } = await client.createNewPasswordIdentityVerification({
+        identifier: {
+          type: SignInIdentifier.Username,
+          value: username,
+        },
+        password,
+      });
+
+      await client.identifyUser({ verificationId });
+
+      await expectRejects(client.submitInteraction(), {
+        code: 'user.missing_mfa',
+        status: 422,
+      });
+
+      await client.skipMfaBinding();
+
+      const { redirectTo } = await client.submitInteraction();
+      const userId = await processSession(client, redirectTo);
+      await logoutClient(client);
+
+      const skippedConfig = await getUserLogtoConfig(userId);
+      expect(skippedConfig.mfa.skipped).toBe(true);
+
+      await signInWithPassword({
+        identifier: {
+          type: SignInIdentifier.Username,
+          value: username,
+        },
+        password,
+      });
+
+      await updateUserLogtoConfig(userId, false);
+      const resetConfig = await getUserLogtoConfig(userId);
+      expect(resetConfig.mfa.skipped).toBe(false);
+
+      const client2 = await initExperienceClient();
+      await identifyUserWithUsernamePassword(client2, username, password);
+      await expectRejects(client2.submitInteraction(), {
+        code: 'user.missing_mfa',
+        status: 422,
+      });
+
+      await deleteUser(userId);
+    });
 
     it('should able to skip MFA binding on sign-in', async () => {
       const { username, password } = generateNewUserProfile({ username: true, password: true });