From 66477ff57507c4e25852d193a88b3049b611d0a6 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sun, 26 Apr 2026 13:46:10 +0200
Subject: [PATCH] feat: configure MFA factors + mfa_enrolled JWT claim in Logto bootstrap

Co-Authored-By: Claude Sonnet 4.6
---
 docker/logto-bootstrap.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 6e3dfe3..76f5d9d 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -552,7 +552,12 @@ CUSTOM_JWT_SCRIPT='const getCustomJwtClaims = async ({ token, context, environme
 if (role.name === "saas-vendor") roles.add("server:admin");
 }
 }
- return roles.size > 0 ? { roles: [...roles] } : {};
+ const mfaFactors = context?.user?.mfaVerificationFactors || [];
+ const mfaEnrolled = mfaFactors.some(f => f.type === "Totp");
+ const claims = {};
+ if (roles.size > 0) claims.roles = [...roles];
+ claims.mfa_enrolled = mfaEnrolled;
+ return claims;
 };'
 
 CUSTOM_JWT_PAYLOAD=$(jq -n --arg script "$CUSTOM_JWT_SCRIPT" '{ script: $script }')
@@ -606,6 +611,10 @@ api_patch "/api/sign-in-exp" '{
 "isPasswordPrimary": true
 }
 ]
+ },
+ "mfa": {
+ "factors": ["Totp", "BackupCode"],
+ "policy": "UserControlled"
 }
 }' >/dev/null 2>&1
 log "Sign-in experience configured: SignIn only (registration disabled until email is configured)."
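Review bot: `mfa_enrolled` is computed from `context.user.mfaVerificationFactors`, which going by its name lists the factors enrolled on the account, not whether this particular sign-in actually passed an MFA challenge, so a relying party that gates privileged actions on the claim as if it were proof of step-up authentication would be misled. The claim name is honest about that, but the script should say so where the claim is minted, e.g. `// enrolled, not verified: says nothing about whether this session completed MFA` directly above `claims.mfa_enrolled = mfaEnrolled;`. The check is also pinned to `"Totp"`, so any other primary factor enabled later would leave the claim permanently false; `const mfaEnrolled = mfaFactors.some(f => f.type !== "BackupCode");` would count any primary factor while still ignoring backup codes, which the second hunk enables alongside TOTP. The `getCustomJwtClaims` function starts before this hunk.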
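Review bot: `"policy": "UserControlled"` leaves MFA opt-in for every account, including the `saas-vendor` users the first hunk maps to `server:admin`, so nothing in this bootstrap guarantees an admin session ever sees an MFA prompt. If enforcement is intended, Logto's `"Mandatory"` policy (as I recall the enum) is the setting to use; if enforcement is deliberately deferred to relying parties via the `mfa_enrolled` claim, a comment above the `"mfa"` block should say so, since a reader of this file will otherwise assume MFA is required. Note also that the whole `api_patch` call is `>/dev/null 2>&1` and the success message on the next line is logged unconditionally, so a Logto version that rejects the new `mfa` block fails silently; if `api_patch` propagates the request's exit status, `api_patch "/api/sign-in-exp" '...' >/dev/null 2>&1 || { log "sign-in-exp update failed"; exit 1; }` would surface it. The `api_patch` call starts before this hunk.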