Add requires_totp_mfa to JWT

N2D4 · N2D4 · commit c8b516833e0b · 2026-03-02T10:09:47.000-08:00
diff --git a/apps/backend/src/lib/tokens.tsx b/apps/backend/src/lib/tokens.tsx
@@ -312,6 +312,7 @@ export async function generateAccessTokenFromRefreshTokenIfValid(options: Refres
     is_anonymous: user.is_anonymous,
     is_restricted: user.is_restricted,
     restricted_reason: user.restricted_reason,
+    requires_totp_mfa: user.requires_totp_mfa,
   };
 
   // Validate the payload matches the accessTokenSchema before signing, to catch inconsistencies early
diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
@@ -282,6 +282,7 @@ export namespace Auth {
         "iss": expectedIssuer,
         "branch_id": "main",
         "refresh_token_id": expect.any(String),
+        "requires_totp_mfa": expect.any(Boolean),
         "aud": backendContext.value.projectKeys === "no-project" ? expect.any(String) : backendContext.value.projectKeys.projectId,
         "sub": expect.any(String),
         "role": "authenticated",
diff --git a/apps/e2e/tests/js/access-token-refresh.test.ts b/apps/e2e/tests/js/access-token-refresh.test.ts
@@ -252,6 +252,120 @@ describe("access token refresh on user property changes", () => {
     });
   });
 
+  describe("requires_totp_mfa changes", () => {
+    it("should have requires_totp_mfa=false for a new user without MFA", async ({ expect }) => {
+      const { clientApp } = await createApp({
+        config: {
+          credentialEnabled: true,
+        },
+      });
+
+      await clientApp.signUpWithCredential({
+        email: "test@example.com",
+        password: "password123",
+        verificationCallbackUrl: "http://localhost:3000",
+      });
+
+      const user = await clientApp.getUser({ or: "throw" });
+      const token = await user.getAccessToken();
+      expect(token).toBeDefined();
+
+      const payload = decodeAccessToken(token!);
+      expect(payload.requires_totp_mfa).toBe(false);
+    });
+
+    it("should return a new access token with requires_totp_mfa=true after enabling TOTP MFA", async ({ expect }) => {
+      const { clientApp } = await createApp({
+        config: {
+          credentialEnabled: true,
+        },
+      });
+
+      await clientApp.signUpWithCredential({
+        email: "test@example.com",
+        password: "password123",
+        verificationCallbackUrl: "http://localhost:3000",
+      });
+
+      const user = await clientApp.getUser({ or: "throw" });
+      const initialToken = await user.getAccessToken();
+      expect(decodeAccessToken(initialToken!).requires_totp_mfa).toBe(false);
+
+      const totpSecret = crypto.getRandomValues(new Uint8Array(20));
+      await user.update({ totpMultiFactorSecret: totpSecret });
+
+      const updatedToken = await user.getAccessToken();
+      expect(updatedToken).toBeDefined();
+
+      const updatedPayload = decodeAccessToken(updatedToken!);
+      expect(updatedPayload.requires_totp_mfa).toBe(true);
+
+      expect(updatedToken).not.toBe(initialToken);
+    });
+
+    it("should return a new access token with requires_totp_mfa=false after disabling TOTP MFA", async ({ expect }) => {
+      const { clientApp } = await createApp({
+        config: {
+          credentialEnabled: true,
+        },
+      });
+
+      await clientApp.signUpWithCredential({
+        email: "test@example.com",
+        password: "password123",
+        verificationCallbackUrl: "http://localhost:3000",
+      });
+
+      const user = await clientApp.getUser({ or: "throw" });
+
+      const totpSecret = crypto.getRandomValues(new Uint8Array(20));
+      await user.update({ totpMultiFactorSecret: totpSecret });
+
+      const mfaEnabledToken = await user.getAccessToken();
+      expect(decodeAccessToken(mfaEnabledToken!).requires_totp_mfa).toBe(true);
+
+      await user.update({ totpMultiFactorSecret: null });
+
+      const mfaDisabledToken = await user.getAccessToken();
+      expect(mfaDisabledToken).toBeDefined();
+
+      const disabledPayload = decodeAccessToken(mfaDisabledToken!);
+      expect(disabledPayload.requires_totp_mfa).toBe(false);
+
+      expect(mfaDisabledToken).not.toBe(mfaEnabledToken);
+    });
+
+    it("should update requires_totp_mfa in access token when admin enables MFA for a user", async ({ expect }) => {
+      const { clientApp, adminApp } = await createApp({
+        config: {
+          credentialEnabled: true,
+        },
+      });
+
+      await clientApp.signUpWithCredential({
+        email: "test@example.com",
+        password: "password123",
+        verificationCallbackUrl: "http://localhost:3000",
+      });
+
+      const user = await clientApp.getUser({ or: "throw" });
+      const initialToken = await user.getAccessToken();
+      expect(decodeAccessToken(initialToken!).requires_totp_mfa).toBe(false);
+
+      const adminUsers = await adminApp.listUsers({ query: "test@example.com" });
+      const totpSecret = crypto.getRandomValues(new Uint8Array(20));
+      await adminUsers[0].update({ totpMultiFactorSecret: totpSecret });
+
+      await user.update({});
+
+      const updatedToken = await user.getAccessToken();
+      expect(updatedToken).toBeDefined();
+
+      const updatedPayload = decodeAccessToken(updatedToken!);
+      expect(updatedPayload.requires_totp_mfa).toBe(true);
+    });
+  });
+
   describe("getAccessToken reflects current state", () => {
     it("should always return a token reflecting the current user state", async ({ expect }) => {
       const { clientApp, serverApp } = await createApp({
diff --git a/docs/content/docs/(guides)/concepts/jwt.mdx b/docs/content/docs/(guides)/concepts/jwt.mdx
@@ -65,6 +65,7 @@ Here's what a typical Stack Auth JWT payload looks like:
   "project_id": "project_abcdef",
   "branch_id": "main",
   "refresh_token_id": "refresh_xyz789",
+  "requires_totp_mfa": false,
   "role": "authenticated",
   "name": "John Doe",
   "email": "john@example.com",
diff --git a/packages/stack-shared/src/schema-fields.ts b/packages/stack-shared/src/schema-fields.ts
@@ -755,6 +755,7 @@ export const accessTokenPayloadSchema = yupObject({
   is_anonymous: yupBoolean().defined(),
   is_restricted: yupBoolean().defined(),
   restricted_reason: restrictedReasonSchema.defined().nullable(),
+  requires_totp_mfa: yupBoolean().defined(),
 });
 export const signInEmailSchema = strictEmailSchema(undefined).meta({ openapiField: { description: 'The email to sign in with.', exampleValue: 'johndoe@example.com' } });
 export const emailOtpSignInCallbackUrlSchema = urlSchema.meta({ openapiField: { description: 'The base callback URL to construct the magic link from. A query parameter `code` with the verification code will be appended to it. The page should then make a request to the `/auth/otp/sign-in` endpoint.', exampleValue: 'https://example.com/handler/magic-link-callback' } });
diff --git a/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
@@ -2418,6 +2418,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
       displayName: accessToken.payload.name,
       primaryEmailVerified: accessToken.payload.email_verified,
       isAnonymous,
+      isMultiFactorRequired: accessToken.payload.requires_totp_mfa,
       isRestricted: accessToken.payload.is_restricted,
       restrictedReason: accessToken.payload.restricted_reason,
     } satisfies TokenPartialUser;
@@ -2434,6 +2435,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
       primaryEmail: auth.email ?? null,
       primaryEmailVerified: auth.email_verified as boolean,
       isAnonymous: auth.is_anonymous as boolean,
+      isMultiFactorRequired: auth.requires_totp_mfa as boolean,
       isRestricted: auth.is_restricted as boolean,
       restrictedReason: (auth.restricted_reason as RestrictedReason | null) ?? null,
     };
diff --git a/packages/template/src/lib/stack-app/users/index.ts b/packages/template/src/lib/stack-app/users/index.ts
@@ -289,6 +289,7 @@ export type TokenPartialUser = Pick<
   | "primaryEmail"
   | "primaryEmailVerified"
   | "isAnonymous"
+  | "isMultiFactorRequired"
   | "isRestricted"
   | "restrictedReason"
 >
diff --git a/sdks/implementations/swift/Sources/StackAuth/Models/User.swift b/sdks/implementations/swift/Sources/StackAuth/Models/User.swift
@@ -76,6 +76,7 @@ public struct TokenPartialUser: Sendable {
     public let primaryEmail: String?
     public let primaryEmailVerified: Bool
     public let isAnonymous: Bool
+    public let isMultiFactorRequired: Bool
     public let isRestricted: Bool
     public let restrictedReason: User.RestrictedReason?
 }
diff --git a/sdks/implementations/swift/Sources/StackAuth/StackClientApp.swift b/sdks/implementations/swift/Sources/StackAuth/StackClientApp.swift
@@ -713,6 +713,7 @@ public actor StackClientApp {
             primaryEmail: json["email"] as? String,
             primaryEmailVerified: json["email_verified"] as? Bool ?? false,
             isAnonymous: json["is_anonymous"] as? Bool ?? false,
+            isMultiFactorRequired: json["requires_totp_mfa"] as? Bool ?? false,
             isRestricted: json["is_restricted"] as? Bool ?? false,
             restrictedReason: restrictedReason
         )
diff --git a/sdks/spec/src/apps/client-app.spec.md b/sdks/spec/src/apps/client-app.spec.md
@@ -378,6 +378,7 @@ TokenPartialUser:
   primaryEmail: string | null
   primaryEmailVerified: bool
   isAnonymous: bool
+  isMultiFactorRequired: bool
   isRestricted: bool
   restrictedReason: { type: "anonymous" | "email_not_verified" | "restricted_by_administrator" } | null
 

Original file line number	Diff line number	Diff line change
`@@ -289,6 +289,7 @@ export type TokenPartialUser = Pick<`
`289`	`289`	`\| "primaryEmail"`
`290`	`290`	`\| "primaryEmailVerified"`
`291`	`291`	`\| "isAnonymous"`
	`292`	`+ \| "isMultiFactorRequired"`
`292`	`293`	`\| "isRestricted"`
`293`	`294`	`\| "restrictedReason"`
`294`	`295`	`>`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ public struct TokenPartialUser: Sendable {`
`76`	`76`	`public let primaryEmail: String?`
`77`	`77`	`public let primaryEmailVerified: Bool`
`78`	`78`	`public let isAnonymous: Bool`
	`79`	`+ public let isMultiFactorRequired: Bool`
`79`	`80`	`public let isRestricted: Bool`
`80`	`81`	`public let restrictedReason: User.RestrictedReason?`
`81`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -713,6 +713,7 @@ public actor StackClientApp {`
`713`	`713`	`primaryEmail: json["email"] as? String,`
`714`	`714`	`primaryEmailVerified: json["email_verified"] as? Bool ?? false,`
`715`	`715`	`isAnonymous: json["is_anonymous"] as? Bool ?? false,`
	`716`	`+ isMultiFactorRequired: json["requires_totp_mfa"] as? Bool ?? false,`
`716`	`717`	`isRestricted: json["is_restricted"] as? Bool ?? false,`
`717`	`718`	`restrictedReason: restrictedReason`
`718`	`719`	`)`