fix(core): respect secondary sign-up when suggesting MFA (#7828)

wangsijie · web-flow · commit d523ba64e3e5 · 2025-09-25T10:33:11.000+08:00
diff --git a/packages/core/src/routes/experience/classes/mfa.ts b/packages/core/src/routes/experience/classes/mfa.ts
@@ -321,14 +321,16 @@ export class Mfa {
     // If the user has email, but not registered by email, no suggestion
     if (
       factorsInUser.includes(MfaFactor.EmailVerificationCode) &&
-      !signUp.identifiers.includes(SignInIdentifier.Email)
+      !signUp.identifiers.includes(SignInIdentifier.Email) &&
+      !signUp.secondaryIdentifiers?.some(({ identifier }) => identifier === SignInIdentifier.Email)
     ) {
       return;
     }
     // If the user has phone, but not registered by phone, no suggestion
     if (
       factorsInUser.includes(MfaFactor.PhoneVerificationCode) &&
-      !signUp.identifiers.includes(SignInIdentifier.Phone)
+      !signUp.identifiers.includes(SignInIdentifier.Phone) &&
+      !signUp.secondaryIdentifiers?.some(({ identifier }) => identifier === SignInIdentifier.Phone)
     ) {
       return;
     }
diff --git a/packages/integration-tests/src/tests/api/experience-api/bind-mfa/mfa-suggestion.test.ts b/packages/integration-tests/src/tests/api/experience-api/bind-mfa/mfa-suggestion.test.ts
@@ -10,6 +10,7 @@ import {
   setEmailConnector,
   setSmsConnector,
 } from '#src/helpers/connector.js';
+import { fulfillUserEmail } from '#src/helpers/experience/index.js';
 import {
   successfullySendVerificationCode,
   successfullyVerifyVerificationCode,
@@ -19,33 +20,35 @@ import { resetMfaSettings } from '#src/helpers/sign-in-experience.js';
 import { generateNewUserProfile } from '#src/helpers/user.js';
 import { generatePhone } from '#src/utils.js';
 
+const emailPrimarySignInExperience = {
+  signUp: {
+    identifiers: [SignInIdentifier.Email],
+    password: true,
+    verify: true,
+  },
+  signIn: {
+    methods: [
+      {
+        identifier: SignInIdentifier.Email,
+        password: true,
+        verificationCode: false,
+        isPasswordPrimary: false,
+      },
+    ],
+  },
+  mfa: {
+    factors: [MfaFactor.EmailVerificationCode, MfaFactor.TOTP],
+    policy: MfaPolicy.Mandatory,
+  },
+};
+
 describe('Register interaction - optional additional MFA suggestion', () => {
   beforeAll(async () => {
     await clearConnectorsByTypes([ConnectorType.Email, ConnectorType.Sms]);
     await setEmailConnector();
     await setSmsConnector();
     // Set up sign-in experience upfront (refer to email-with-signup.test.ts pattern)
-    await updateSignInExperience({
-      signUp: {
-        identifiers: [SignInIdentifier.Email],
-        password: true,
-        verify: true,
-      },
-      signIn: {
-        methods: [
-          {
-            identifier: SignInIdentifier.Email,
-            password: true,
-            verificationCode: false,
-            isPasswordPrimary: false,
-          },
-        ],
-      },
-      mfa: {
-        factors: [MfaFactor.EmailVerificationCode, MfaFactor.TOTP],
-        policy: MfaPolicy.Mandatory,
-      },
-    });
+    await updateSignInExperience(emailPrimarySignInExperience);
   });
 
   afterAll(async () => {
@@ -141,6 +144,76 @@ describe('Register interaction - optional additional MFA suggestion', () => {
     await deleteUser(userId);
   });
 
+  it('should suggest additional MFA when email is required as a secondary identifier', async () => {
+    const secondaryEmailExperience = {
+      signUp: {
+        identifiers: [SignInIdentifier.Username],
+        password: true,
+        verify: true,
+        secondaryIdentifiers: [
+          {
+            identifier: SignInIdentifier.Email,
+            verify: true,
+          },
+        ],
+      },
+      signIn: {
+        methods: [
+          {
+            identifier: SignInIdentifier.Username,
+            password: true,
+            verificationCode: false,
+            isPasswordPrimary: false,
+          },
+        ],
+      },
+      mfa: {
+        factors: [MfaFactor.EmailVerificationCode, MfaFactor.TOTP],
+        policy: MfaPolicy.Mandatory,
+      },
+    };
+
+    await updateSignInExperience(secondaryEmailExperience);
+
+    const { username, password, primaryEmail } = generateNewUserProfile({
+      username: true,
+      password: true,
+      primaryEmail: true,
+    });
+
+    const client = await initExperienceClient({ interactionEvent: InteractionEvent.Register });
+
+    await client.updateProfile({ type: SignInIdentifier.Username, value: username });
+    await client.updateProfile({ type: 'password', value: password });
+
+    await fulfillUserEmail(client, primaryEmail);
+
+    await client.identifyUser();
+
+    await expectRejects<{
+      availableFactors: MfaFactor[];
+      skippable: boolean;
+      maskedIdentifiers?: Record<string, string>;
+      suggestion?: boolean;
+    }>(client.submitInteraction(), {
+      code: 'session.mfa.suggest_additional_mfa',
+      status: 422,
+      expectData: (data) => {
+        expect(data.availableFactors).toEqual([MfaFactor.TOTP, MfaFactor.EmailVerificationCode]);
+        expect(data.maskedIdentifiers).toBeDefined();
+        expect(data.maskedIdentifiers?.[MfaFactor.EmailVerificationCode]).toMatch(/\*{4}/);
+        expect(data.skippable).toBe(true);
+        expect(data.suggestion).toBe(true);
+      },
+    });
+
+    await client.skipMfaSuggestion();
+
+    const { redirectTo } = await client.submitInteraction();
+    const userId = await processSession(client, redirectTo);
+    await deleteUser(userId);
+  });
+
   it('should not suggest MFA after fulfilling phone verification when both email and SMS factors are enabled', async () => {
     // Configure MFA with email, phone, and TOTP factors
     await updateSignInExperience({
