fix(core): check user mfa when binding backup code (#4790)

packages/core/src/routes/interaction/mfa.test.ts

@@ -149,6 +149,21 @@ describe('interaction routes (MFA verification)', () => {
       expect(response.status).toEqual(400);
     });
 
+    it('should pass when backup code is the only item in bindMfa, but is not in user mfaVerifications', async () => {
+      getInteractionStorage.mockReturnValueOnce({
+        event: InteractionEvent.SignIn,
+        bindMfas: [],
+        accountId: 'accountId',
+      });
+
+      const body = {
+        type: MfaFactor.BackupCode,
+      };
+
+      const response = await sessionRequest.post(path).send(body);
+      expect(response.status).toEqual(204);
+    });
+
     it('should return 204 for totp and backup code combination', async () => {
       getInteractionStorage.mockReturnValueOnce({
         event: InteractionEvent.SignIn,

packages/core/src/routes/interaction/mfa.ts

@@ -58,11 +58,15 @@ export default function mfaRoutes<T extends IRouterParamContext>(
         verifyMfaSettings(bindMfaPayload.type, signInExperience);
       }
 
-      const { bindMfas = [] } = interactionStorage;
+      const { bindMfas = [], accountId } = interactionStorage;
 
       if (bindMfaPayload.type === MfaFactor.BackupCode) {
+        const { mfaVerifications } = accountId
+          ? await queries.users.findUserById(accountId)
+          : { mfaVerifications: [] };
         assertThat(
-          bindMfas.some(({ type }) => type !== MfaFactor.BackupCode),
+          bindMfas.some(({ type }) => type !== MfaFactor.BackupCode) ||
+            mfaVerifications.some(({ type }) => type !== MfaFactor.BackupCode),
           'session.mfa.backup_code_can_not_be_alone'
         );
       } else {