feat(schemas): add organizationRequiredMfa policy settings (#7104)

add organizationRequiredMfa policy settings to SIE
2025-03-10 22:22:45 -05:00 · 2025-03-07 13:41:18 +08:00 · 2025-03-07 13:41:18 +08:00 · e0301e0791
commit e0301e0791
parent ee06c2e015
2 changed files with 35 additions and 4 deletions
--- a/packages/integration-tests/src/tests/api/sign-in-experience.test.ts
+++ b/packages/integration-tests/src/tests/api/sign-in-experience.test.ts
@ -1,4 +1,4 @@
-import { MfaPolicy, SignInIdentifier } from '@logto/schemas';
+import { MfaPolicy, OrganizationRequiredMfaPolicy, SignInIdentifier } from '@logto/schemas';
 import { HTTPError, type ResponsePromise } from 'ky';

 import {
@ -34,6 +34,7 @@ describe('admin console sign-in experience', () => {
      mfa: {
        policy: MfaPolicy.PromptAtSignInAndSignUp,
        factors: [],
+        organizationRequiredMfaPolicy: OrganizationRequiredMfaPolicy.Mandatory,
      },
      singleSignOnEnabled: true,
      supportEmail: 'contact@logto.io',
--- a/packages/schemas/src/foundations/jsonb-types/sign-in-experience.ts
+++ b/packages/schemas/src/foundations/jsonb-types/sign-in-experience.ts
@ -117,12 +117,42 @@ export enum MfaPolicy {
  NoPrompt = 'NoPrompt',
 }

+export enum OrganizationRequiredMfaPolicy {
+  /** Do not ask users to set up MFA */
+  NoPrompt = 'NoPrompt',
+  /** MFA is required for all users */
+  Mandatory = 'Mandatory',
+}
+
+export type Mfa = {
+  /** Enabled MFA factors */
+  factors: MfaFactor[];
+  /** Global MFA prompt policy */
+  policy: MfaPolicy;
+  /**
+   * The MFA policy for organization level MFA settings.
+   *
+   * @remarks
+   * This policy is used to determine the MFA prompt behavior
+   * when the user is associated with one or more organizations that
+   * require MFA.
+   *
+   * @remarks
+   * For backward compatibility, if this policy is not set,
+   * the default behavior is {@link OrganizationRequiredMfaPolicy.NoPrompt}.
+   *
+   * @remarks
+   * Regardless of this policy setting, the user will always be rejected
+   * when request for an organization access_token if the user has not set up MFA.
+   */
+  organizationRequiredMfaPolicy?: OrganizationRequiredMfaPolicy;
+};
+
 export const mfaGuard = z.object({
  factors: mfaFactorsGuard,
  policy: z.nativeEnum(MfaPolicy),
-});
-
-export type Mfa = z.infer<typeof mfaGuard>;
+  organizationRequiredMfaPolicy: z.nativeEnum(OrganizationRequiredMfaPolicy).optional(),
+}) satisfies ToZodObject<Mfa>;

 export const customUiAssetsGuard = z.object({
  id: z.string(),