cameleer/cameleer-saas
2
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: configure MFA factors + mfa_enrolled JWT claim in Logto bootstrap

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-26 13:46:10 +02:00
parent 6c70efcb54
commit 66477ff575
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docker/logto-bootstrap.sh
View File

@@ -552,7 +552,12 @@ CUSTOM_JWT_SCRIPT='const getCustomJwtClaims = async ({ token, context, environme
if (role.name === "saas-vendor") roles.add("server:admin"); if (role.name === "saas-vendor") roles.add("server:admin");
} }
} }
return roles.size > 0 ? { roles: [...roles] } : {}; const mfaFactors = context?.user?.mfaVerificationFactors || [];
const mfaEnrolled = mfaFactors.some(f => f.type === "Totp");
const claims = {};
if (roles.size > 0) claims.roles = [...roles];
claims.mfa_enrolled = mfaEnrolled;
return claims;
};' };'
CUSTOM_JWT_PAYLOAD=$(jq -n --arg script "$CUSTOM_JWT_SCRIPT" '{ script: $script }') CUSTOM_JWT_PAYLOAD=$(jq -n --arg script "$CUSTOM_JWT_SCRIPT" '{ script: $script }')
@@ -606,6 +611,10 @@ api_patch "/api/sign-in-exp" '{
"isPasswordPrimary": true "isPasswordPrimary": true
} }
] ]
},
"mfa": {
"factors": ["Totp", "BackupCode"],
"policy": "UserControlled"
} }
}' >/dev/null 2>&1 }' >/dev/null 2>&1
log "Sign-in experience configured: SignIn only (registration disabled until email is configured)." log "Sign-in experience configured: SignIn only (registration disabled until email is configured)."