Skip to content

feat: Base MFA support #2480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tusharpandey13 wants to merge 19 commits into
base: main
Choose a base branch
from
Open

feat: Base MFA support #2480

tusharpandey13 wants to merge 19 commits into from

Conversation

@tusharpandey13
Copy link
Contributor

@tusharpandey13 tusharpandey13 commented Jan 7, 2026
edited
Loading

This PR adds support for handling mfa_required error natively and getting access to mfa_token and mfa_requirements when MFA step-up authentication is required.
These parameters can be used to call MFA API methods for challenge and verify operations, which will be added in a later PR.

Changes

  • Added MfaRequiredError and other MFA related errors.
  • Documentation and tests

Usage

When accessing a protected resource, catch the MfaRequiredError. It automatically packages the encrypted mfa_token you need.

/* app/api/example/route.ts */
import { MfaRequiredError } from '@auth0/nextjs-auth0/server';

try {
  // Request token for sensitive audience or scope
  await auth0.getAccessToken({ audience: 'https://api/sensitive' });
} catch (error) {
  if (error instanceof MfaRequiredError) {
    // 403 Forbidden: Bubble the token to client
    return NextResponse.json(error.toJSON(), { status: 403 });
  }
}

Testing

Flow tests:

  • MFA Error bubbling blow
  • Configuration and validation

Unit tests for util methods.

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner January 7, 2026 19:05
@tusharpandey13 tusharpandey13 changed the title feat: mfa error bubbling support feat: MFA error support Jan 7, 2026
@codecov-commenter
Copy link

codecov-commenter commented Jan 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 85.98131% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.97%. Comparing base (c01f8a9) to head (299ad79).

Files with missing lines Patch % Lines
src/server/auth-client.ts 74.60% 16 Missing ⚠️
src/server/client.ts 62.16% 14 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2480      +/-   ##
==========================================
- Coverage   91.20%   90.97%   -0.24%     
==========================================
  Files          39       40       +1     
  Lines        4698     4909     +211     
  Branches      981     1018      +37     
==========================================
+ Hits         4285     4466     +181     
- Misses        407      437      +30     
  Partials        6        6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 7, 2026
View reviewed changes
@tusharpandey13 tusharpandey13 marked this pull request as draft January 7, 2026 19:11
@tusharpandey13 tusharpandey13 marked this pull request as ready for review January 9, 2026 14:36
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 12, 2026
View reviewed changes
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 12, 2026
View reviewed changes
src/server/auth-client.ts
// Handle MFA required error - return 403 with MFA context
// Note: session.mfa was already mutated by getTokenSet() before the error was thrown.
// JavaScript is single-threaded, so no race condition exists.
if (e instanceof MfaRequiredError) {
Copy link
Contributor

@gyaneshgouraw-okta gyaneshgouraw-okta Jan 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently in which all different flows/scenarios are we throwing MfaRequiredError, we should also update the PR description with this information ?

Copy link
Contributor Author

@tusharpandey13 tusharpandey13 Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scenarios:

  • Token refresh with MFA token (normal flow)
  • Token refresh without MFA token (edge case). If this happens, it will be handled and MfaRequiredError will be thrown with empty mfa token

gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 12, 2026
View reviewed changes
@tusharpandey13 tusharpandey13 mentioned this pull request Jan 26, 2026
Draft
@tusharpandey13 tusharpandey13 changed the title feat: MFA error support feat: MFA base support Jan 27, 2026
@tusharpandey13 tusharpandey13 changed the title feat: MFA base support feat: Base MFA support (mfa_required error) Jan 27, 2026
@tusharpandey13 tusharpandey13 changed the title feat: Base MFA support (mfa_required error) feat: Base MFA support Jan 27, 2026
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 28, 2026
View reviewed changes
gyaneshgouraw-okta
gyaneshgouraw-okta reviewed Jan 28, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gyaneshgouraw-okta gyaneshgouraw-okta gyaneshgouraw-okta approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tusharpandey13 @codecov-commenter @gyaneshgouraw-okta