logto-io · simeng-li · Jul 26, 2024 · Jul 26, 2024 · Jul 26, 2024 · Jul 25, 2024
@@ -165,7 +165,7 @@ export class Mfa {
    * @throws {RequestError} with status 400 if the verification record is not verified
    * @throws {RequestError} with status 400 if the verification record has no secret
    * @throws {RequestError} with status 404 if the verification record is not found
-   * @throws {RequestError} with status 422 if TOTP is not enabled in the sign-in experience
+   * @throws {RequestError} with status 400 if TOTP is not enabled in the sign-in experience
    * @throws {RequestError} with status 422 if the user already has a TOTP factor
    *
    * - Any existing TOTP factor will be replaced with the new one.
@@ -196,7 +196,7 @@ export class Mfa {
    * @throws {RequestError} with status 400 if the verification record is not verified
    * @throws {RequestError} with status 400 if the verification record has no registration data
    * @throws {RequestError} with status 404 if the verification record is not found
-   * @throws {RequestError} with status 422 if WebAuthn is not enabled in the sign-in experience
+   * @throws {RequestError} with status 400 if WebAuthn is not enabled in the sign-in experience
    */
   async addWebAuthnByVerificationId(verificationId: string) {
     const verificationRecord = this.interactionContext.getVerificationRecordByTypeAndId(
@@ -215,7 +215,7 @@ export class Mfa {
    * - Any existing backup code factor will be replaced with the new one.
    *
    * @throws {RequestError} with status 404 if no pending backup codes are found
-   * @throws {RequestError} with status 422 if Backup Code is not enabled in the sign-in experience
+   * @throws {RequestError} with status 400 if Backup Code is not enabled in the sign-in experience
    * @throws {RequestError} with status 422 if the backup code is the only MFA factor
    */
   async addBackupCodeByVerificationId(verificationId: string) {
@@ -241,7 +241,7 @@ export class Mfa {
   }
 
   /**
-   * @throws {RequestError} with status 422 if the mfa factors are not enabled in the sign-in experience
+   * @throws {RequestError} with status 400 if the mfa factors are not enabled in the sign-in experience
    */
   async checkAvailability() {
     const newBindMfaFactors = deduplicate(this.bindMfaFactorsArray.map(({ type }) => type));

@@ -52,6 +52,41 @@
     }
   );
 
+  router.post(
+    `${experienceRoutes.verification}/backup-code/generate`,
+    koaGuard({
+      status: [200, 400],
+      response: z.object({
+        verificationId: z.string(),
+        codes: z.array(z.string()),
+      }),
+    }),
+    async (ctx, next) => {
+      const { experienceInteraction } = ctx;
+
+      assertThat(experienceInteraction.identifiedUserId, 'session.identifier_not_found');
+
+      const backupCodeVerificationRecord = BackupCodeVerification.create(
+        libraries,
+        queries,
+        experienceInteraction.identifiedUserId
+      );
+
+      const codes = backupCodeVerificationRecord.generate();
+
+      ctx.experienceInteraction.setVerificationRecord(backupCodeVerificationRecord);
+
+      await ctx.experienceInteraction.save();
+
+      ctx.body = {
+        verificationId: backupCodeVerificationRecord.id,
+        codes,
+      };
+
+      return next();
+    }
+  );
+
   router.post(
     `${experienceRoutes.verification}/backup-code/verify`,
     koaGuard({

diff --git a/packages/integration-tests/src/client/experience/const.ts b/packages/integration-tests/src/client/experience/const.ts
@@ -4,5 +4,6 @@ export const experienceRoutes = {
   verification: `${prefix}/verification`,
   identification: `${prefix}/identification`,
   profile: `${prefix}/profile`,
+  mfa: `${prefix}/profile/mfa`,
   prefix,
 };
diff --git a/packages/integration-tests/src/client/experience/index.ts b/packages/integration-tests/src/client/experience/index.ts
@@ -2,6 +2,7 @@ import {
   type CreateExperienceApiPayload,
   type IdentificationApiPayload,
   type InteractionEvent,
+  type MfaFactor,
   type NewPasswordIdentityVerificationPayload,
   type PasswordVerificationPayload,
   type UpdateProfileApiPayload,
@@ -178,6 +179,14 @@ export class ExperienceClient extends MockClient {
       .json<{ verificationId: string }>();
   }
 
+  public async generateMfaBackupCodes() {
+    return api
+      .post(`${experienceRoutes.verification}/backup-code/generate`, {
+        headers: { cookie: this.interactionCookie },
+      })
+      .json<{ verificationId: string; codes: string[] }>();
+  }
+
   public async verifyBackupCode(payload: { code: string }) {
     return api
       .post(`${experienceRoutes.verification}/backup-code/verify`, {
@@ -211,4 +220,17 @@ export class ExperienceClient extends MockClient {
       json: payload,
     });
   }
+
+  public async skipMfaBinding() {
+    return api.post(`${experienceRoutes.mfa}/mfa-skipped`, {
+      headers: { cookie: this.interactionCookie },
+    });
+  }
+
+  public async bindMfa(type: MfaFactor, verificationId: string) {
+    return api.post(`${experienceRoutes.mfa}`, {
+      headers: { cookie: this.interactionCookie },
+      json: { type, verificationId },
+    });
+  }
 }
diff --git a/packages/integration-tests/src/helpers/experience/totp-verification.ts b/packages/integration-tests/src/helpers/experience/totp-verification.ts
@@ -1,3 +1,5 @@
+import { authenticator } from 'otplib';
+
 import { type ExperienceClient } from '#src/client/experience/index.js';
 
 export const successFullyCreateNewTotpSecret = async (client: ExperienceClient) => {
@@ -23,3 +25,15 @@ export const successfullyVerifyTotp = async (
 
   return verificationId;
 };
+
+export const successfullyCreateAndVerifyTotp = async (client: ExperienceClient) => {
+  const { secret, verificationId } = await successFullyCreateNewTotpSecret(client);
+  const code = authenticator.generate(secret);
+
+  await successfullyVerifyTotp(client, {
+    code,
+    verificationId,
+  });
+
+  return verificationId;
+};