How do I determine if a second factor exists?

[bcspragu]

I'm using Ory Kratos with a custom UI. I want to know if the user already has a second factor, so I can show either 'Enable 2FA' or 'Disable 2FA'. My strategy was basically this:

const hasSecondFactor = !!session.authentication_methods?.some((am) => am.aal === 'aal2')

And that works fine, but when I then unlink TOTP (e.g. enable 2FA, then disable 2FA), the method: "totp" entry still shows up under authentication methods. This makes sense, since that session was indeed authenticated with TOTP, but it means my "Enable 2FA/Disable 2FA" button shows incorrect text.

Using session.identity.credentials seems promising, but that's undefined in my responses (self-hosted), not sure what's going on there, didn't see anything in the API docs to indicate how to set it

[bcspragu]

Digging into this a bit. Looking at the code, it looks like credentials is unconditionally cleared in the whoami endpoint:

kratos/session/handler.go

Lines 242 to 243 in 4f4394c

	// s.Devices = nil
	s.Identity = s.Identity.CopyWithoutCredentials()

Surprising, but maybe there's a different endpoint I should be using if I want credentials? Still looking

[bcspragu]

As a workaround: I can create a settings flow in advance and check if the ui contains a node with the name 'totp_code'. Seems kinda hacky, but it works reliably