Enforce MFA before finalizing OIDC and SAML sessions

Added MFA enforcement logic to OIDC and SAML session finalization, ensuring MFA is checked even for valid sessions. Also added debug logging for login settings and MFA factor checks, and updated .gitignore to exclude .cursor files.

Author: yahyafakhroji

.gitignore

@@ -16,4 +16,6 @@ public/dist
 /blob-report/
 /out
 /docker
-/machinekey
+/machinekey
+
+.cursor

apps/login/src/lib/oidc.ts

@@ -102,6 +102,38 @@ export async function loginWithOIDCAndSession({
       }
     }
 
+    // Enforce MFA even when the session is valid (or regardless of validity) before finalizing
+    if (selectedSession.factors?.user) {
+      try {
+        const [methods, loginSettings] = await Promise.all([
+          listAuthenticationMethodTypes({
+            serviceUrl,
+            userId: selectedSession.factors.user.id,
+          }),
+          getLoginSettings({
+            serviceUrl,
+            organization: selectedSession.factors?.user?.organizationId,
+          }),
+        ]);
+
+        const mfaFactorCheck = await checkMFAFactors(
+          serviceUrl,
+          selectedSession,
+          loginSettings,
+          methods.authMethodTypes,
+          selectedSession.factors?.user?.organizationId,
+          `oidc_${authRequest}`,
+        );
+
+        if (mfaFactorCheck?.redirect) {
+          const absoluteUrl = constructUrl(request, mfaFactorCheck.redirect);
+          return NextResponse.redirect(absoluteUrl.toString());
+        }
+      } catch (error) {
+        console.warn("Failed to enforce MFA before finalize (OIDC)", error);
+      }
+    }
+
     const cookie = sessionCookies.find(
       (cookie) => cookie.id === selectedSession?.id,
     );

apps/login/src/lib/saml.ts

@@ -174,6 +174,38 @@ export async function loginWithSAMLAndSession({
       }
     }
 
+    // Enforce MFA even when the session is valid (or regardless of validity) before finalizing
+    if (selectedSession.factors?.user) {
+      try {
+        const [methods, loginSettings] = await Promise.all([
+          listAuthenticationMethodTypes({
+            serviceUrl,
+            userId: selectedSession.factors.user.id,
+          }),
+          getLoginSettings({
+            serviceUrl,
+            organization: selectedSession.factors?.user?.organizationId,
+          }),
+        ]);
+
+        const mfaFactorCheck = await checkMFAFactors(
+          serviceUrl,
+          selectedSession,
+          loginSettings,
+          methods.authMethodTypes,
+          selectedSession.factors?.user?.organizationId,
+          `saml_${samlRequest}`,
+        );
+
+        if (mfaFactorCheck?.redirect) {
+          const absoluteUrl = constructUrl(request, mfaFactorCheck.redirect);
+          return NextResponse.redirect(absoluteUrl.toString());
+        }
+      } catch (error) {
+        console.warn("Failed to enforce MFA before finalize (SAML)", error);
+      }
+    }
+
     const cookie = sessionCookies.find(
       (cookie) => cookie.id === selectedSession?.id,
     );

apps/login/src/lib/server/idp.ts

@@ -180,9 +180,13 @@ export async function createNewSessionFromIdpIntent(
     session,
     loginSettings,
     authMethods ?? [],
-    command.organization,
+    session.factors.user.organizationId,
     command.requestId,
   );
+
+  console.log("mfaFactorCheck", mfaFactorCheck);
+
+  return 'test';
   if (mfaFactorCheck?.redirect) {
     return mfaFactorCheck;
   }