Skip to content

feat: Base MFA support#2480

Open
tusharpandey13 wants to merge 19 commits intomainfrom
feat/mfa-base
Open

feat: Base MFA support#2480
tusharpandey13 wants to merge 19 commits intomainfrom
feat/mfa-base

Conversation

@tusharpandey13
Copy link
Contributor

@tusharpandey13 tusharpandey13 commented Jan 7, 2026
edited
Loading

Important

This PR is the 1st PR in a PR stack

This PR adds support for handling mfa_required error natively and getting access to mfa_token and mfa_requirements when MFA step-up authentication is required.
These parameters can be used to call MFA API methods for challenge and verify operations, which will be added in a later PR.

Changes

  • Added MfaRequiredError and other MFA related errors.
  • Documentation and tests

Usage

When accessing a protected resource, catch the MfaRequiredError. It automatically packages the encrypted mfa_token you need.

/* app/api/example/route.ts */
import { MfaRequiredError } from '@auth0/nextjs-auth0/server';

try {
  // Request token for sensitive audience or scope
  await auth0.getAccessToken({ audience: 'https://api/sensitive' });
} catch (error) {
  if (error instanceof MfaRequiredError) {
    // 403 Forbidden: Bubble the token to client
    return NextResponse.json(error.toJSON(), { status: 403 });
  }
}

Testing

Flow tests:

  • MFA Error bubbling blow
  • Configuration and validation

Unit tests for util methods.

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner January 7, 2026 19:05
@tusharpandey13 tusharpandey13 changed the title feat: mfa error bubbling support feat: MFA error support Jan 7, 2026
@codecov-commenter
Copy link

codecov-commenter commented Jan 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 85.98131% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.97%. Comparing base (c01f8a9) to head (299ad79).

Files with missing lines Patch % Lines
src/server/auth-client.ts 74.60% 16 Missing ⚠️
src/server/client.ts 62.16% 14 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2480      +/-   ##
==========================================
- Coverage   91.20%   90.97%   -0.24%     
==========================================
  Files          39       40       +1     
  Lines        4698     4909     +211     
  Branches      981     1018      +37     
==========================================
+ Hits         4285     4466     +181     
- Misses        407      437      +30     
  Partials        6        6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 7, 2026
View reviewed changes
@tusharpandey13 tusharpandey13 marked this pull request as draft January 7, 2026 19:11
@tusharpandey13 tusharpandey13 marked this pull request as ready for review January 9, 2026 14:36
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 12, 2026
View reviewed changes
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 12, 2026
View reviewed changes
src/server/auth-client.ts
// Handle MFA required error - return 403 with MFA context
// Note: session.mfa was already mutated by getTokenSet() before the error was thrown.
// JavaScript is single-threaded, so no race condition exists.
if (e instanceof MfaRequiredError) {
Copy link
Contributor

@gyaneshgouraw-okta gyaneshgouraw-okta Jan 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently in which all different flows/scenarios are we throwing MfaRequiredError, we should also update the PR description with this information ?

Copy link
Contributor Author

@tusharpandey13 tusharpandey13 Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scenarios:

  • Token refresh with MFA token (normal flow)
  • Token refresh without MFA token (edge case). If this happens, it will be handled and MfaRequiredError will be thrown with empty mfa token

gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 12, 2026
View reviewed changes
@tusharpandey13 tusharpandey13 mentioned this pull request Jan 26, 2026
Open
@tusharpandey13 tusharpandey13 changed the title feat: MFA error support feat: MFA base support Jan 27, 2026
@tusharpandey13 tusharpandey13 changed the title feat: MFA base support feat: Base MFA support (mfa_required error) Jan 27, 2026
@tusharpandey13 tusharpandey13 changed the title feat: Base MFA support (mfa_required error) feat: Base MFA support Jan 27, 2026
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 28, 2026
View reviewed changes
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 28, 2026
View reviewed changes
@tusharpandey13 tusharpandey13 changed the title feat: Base MFA support feat: [MFA PR 1/4] Base MFA support Feb 5, 2026
@tusharpandey13 tusharpandey13 changed the title feat: [MFA PR 1/4] Base MFA support feat: Base MFA support Feb 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gyaneshgouraw-okta gyaneshgouraw-okta gyaneshgouraw-okta approved these changes

Assignees

No one assigned

Labels

mfa

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tusharpandey13 @codecov-commenter @gyaneshgouraw-okta