fix: count MFA addresses in CountActiveMultiFactorCredentials for code method

selfservice/strategy/code/strategy.go

@@ -5,6 +5,7 @@ package code
 
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 	"sort"
 	"strings"
@@ -138,11 +139,49 @@ func (s *Strategy) CountActiveFirstFactorCredentials(ctx context.Context, cc map
 
 func (s *Strategy) CountActiveMultiFactorCredentials(ctx context.Context, cc map[identity.CredentialsType]identity.Credentials) (int, error) {
 	codeConfig := s.deps.Config().SelfServiceCodeStrategy(ctx)
-	if codeConfig.MFAEnabled {
-		return 1, nil
+	if !codeConfig.MFAEnabled {
+		return 0, nil
 	}
 
-	return 0, nil
+	// Get code credentials if they exist
+	creds, ok := cc[identity.CredentialsTypeCodeAuth]
+	if !ok {
+		return 0, nil
+	}
+
+	// Check if the credentials config is valid JSON
+	if !gjson.Valid(string(creds.Config)) {
+		return 0, nil
+	}
+
+	// Check for v0 format with address_type field
+	if gjson.GetBytes(creds.Config, "address_type").Exists() {
+		addressType := gjson.GetBytes(creds.Config, "address_type").String()
+		if addressType != "" {
+			return 1, nil
+		}
+		return 0, nil
+	}
+
+	var conf identity.CredentialsCode
+	if err := json.Unmarshal(creds.Config, &conf); err != nil {
+		return 0, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to unmarshal credentials config: %s", err))
+	}
+
+	// If no addresses configured, return 0
+	if len(conf.Addresses) == 0 {
+		return 0, nil
+	}
+
+	// Count valid addresses configured for MFA
+	validAddresses := 0
+	for _, addr := range conf.Addresses {
+		if addr.Address != "" {
+			validAddresses++
+		}
+	}
+
+	return validAddresses, nil
 }
 
 func NewStrategy(deps any) *Strategy {

selfservice/strategy/code/strategy_test.go

@@ -166,13 +166,13 @@ func TestCountActiveCredentials(t *testing.T) {
 				}},
 				mfaEnabled: true,
 				enabled:    false,
-				expected:   1,
+				expected:   0,
 			},
 			{
 				in:         map[identity.CredentialsType]identity.Credentials{},
 				mfaEnabled: true,
 				enabled:    true,
-				expected:   1,
+				expected:   0,
 			},
 			{
 				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
@@ -181,8 +181,53 @@ func TestCountActiveCredentials(t *testing.T) {
 				}},
 				mfaEnabled: true,
 				enabled:    true,
+				expected:   0,
+			},
+			{
+				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
+					Type:   strategy.ID(),
+					Config: []byte(`{"address_type":"email","used_at":{"Time":"0001-01-01T00:00:00Z","Valid":false}}`),
+				}},
+				mfaEnabled: true,
+				enabled:    true,
 				expected:   1,
 			},
+			{
+				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
+					Type:   strategy.ID(),
+					Config: []byte(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
+				}},
+				mfaEnabled: true,
+				enabled:    true,
+				expected:   1,
+			},
+			{
+				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
+					Type:   strategy.ID(),
+					Config: []byte(`{"addresses":[]}`),
+				}},
+				mfaEnabled: true,
+				enabled:    true,
+				expected:   0,
+			},
+			{
+				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
+					Type:   strategy.ID(),
+					Config: []byte(`{"addresses":[{"channel":"sms","address":"+1234567890"}]}`),
+				}},
+				mfaEnabled: true,
+				enabled:    true,
+				expected:   1,
+			},
+			{
+				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
+					Type:   strategy.ID(),
+					Config: []byte(`{"addresses":[{"channel":"sms","address":"+1234567890"},{"channel":"email","address":"[email protected]"}]}`),
+				}},
+				mfaEnabled: true,
+				enabled:    true,
+				expected:   2,
+			},
 		} {
 			t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
 				ctx := confighelpers.WithConfigValue(ctx, "selfservice.methods.code.mfa_enabled", tc.mfaEnabled)

session/manager_http_test.go

@@ -515,11 +515,18 @@ func TestDoesSessionSatisfy(t *testing.T) {
 		Identifiers: []string{testhelpers.RandomEmail()},
 		Config:      []byte(`{"address_type":"email","used_at":{"Time":"0001-01-01T00:00:00Z","Valid":false}}`),
 	}
-	//codeEmpty := identity.Credentials{
-	//	Type:        identity.CredentialsTypeCodeAuth,
-	//	Identifiers: []string{testhelpers.RandomEmail()},
-	//	Config:      []byte(`{}`),
-	//}
+
+	codeV2 := identity.Credentials{
+		Type:        identity.CredentialsTypeCodeAuth,
+		Identifiers: []string{testhelpers.RandomEmail()},
+		Config:      []byte(`{"addresses":[{"channel":"email","address":"[email protected]"}]}`),
+	}
+
+	codeEmpty := identity.Credentials{
+		Type:        identity.CredentialsTypeCodeAuth,
+		Identifiers: []string{},
+		Config:      []byte(`{}`),
+	}
 
 	oidc := identity.Credentials{
 		Type:        identity.CredentialsTypeOIDC,
@@ -630,6 +637,38 @@ func TestDoesSessionSatisfy(t *testing.T) {
 			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypeCodeAuth]},
 			// No error
 		},
+		{
+			desc:    "with highest_available a otp codeV2 user is aal1",
+			matcher: config.HighestAvailableAAL,
+			creds:   []identity.Credentials{codeV2},
+			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypeCodeAuth]},
+			// No error
+		},
+		{
+			desc:    "with highest_available a empty mfa code user is aal1",
+			matcher: config.HighestAvailableAAL,
+			creds:   []identity.Credentials{codeEmpty},
+			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypeCodeAuth]},
+			withContext: func(t *testing.T, ctx context.Context) context.Context {
+				return confighelpers.WithConfigValues(ctx, map[string]any{
+					"selfservice.methods.code.mfa_enabled": true,
+				})
+			},
+			// No error
+		},
+		{
+			desc:    "with highest_available a password user with empty mfa code is aal1",
+			matcher: config.HighestAvailableAAL,
+			creds:   []identity.Credentials{password, codeEmpty},
+			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypePassword]},
+			withContext: func(t *testing.T, ctx context.Context) context.Context {
+				return confighelpers.WithConfigValues(ctx, map[string]any{
+					"selfservice.methods.code.passwordless_enabled": false,
+					"selfservice.methods.code.mfa_enabled":          true,
+				})
+			},
+			// No error
+		},
 		{
 			desc:    "with highest_available a oidc user is aal1",
 			matcher: config.HighestAvailableAAL,
@@ -690,7 +729,20 @@ func TestDoesSessionSatisfy(t *testing.T) {
 		{
 			desc:    "with highest_available a recovery link user requires aal2 if they have 2fa code configured",
 			matcher: config.HighestAvailableAAL,
-			creds:   []identity.Credentials{},
+			creds:   []identity.Credentials{code},
+			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypeRecoveryLink]},
+			withContext: func(t *testing.T, ctx context.Context) context.Context {
+				return confighelpers.WithConfigValues(ctx, map[string]any{
+					"selfservice.methods.code.passwordless_enabled": false,
+					"selfservice.methods.code.mfa_enabled":          true,
+				})
+			},
+			errIs: new(session.ErrAALNotSatisfied),
+		},
+		{
+			desc:    "with highest_available a recovery link user requires aal2 if they have 2fa code v2 configured",
+			matcher: config.HighestAvailableAAL,
+			creds:   []identity.Credentials{codeV2},
 			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypeRecoveryLink]},
 			withContext: func(t *testing.T, ctx context.Context) context.Context {
 				return confighelpers.WithConfigValues(ctx, map[string]any{
@@ -773,6 +825,19 @@ func TestDoesSessionSatisfy(t *testing.T) {
 				})
 			},
 		},
+		{
+			desc:    "has=aal1, requested=highest, available=aal2, credential=password+codeV2-mfa",
+			matcher: config.HighestAvailableAAL,
+			creds:   []identity.Credentials{password, codeV2},
+			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypePassword]},
+			errAs:   new(session.ErrAALNotSatisfied),
+			withContext: func(t *testing.T, ctx context.Context) context.Context {
+				return confighelpers.WithConfigValues(ctx, map[string]any{
+					"selfservice.methods.code.passwordless_enabled": false,
+					"selfservice.methods.code.mfa_enabled":          true,
+				})
+			},
+		},
 		{
 			desc:    "has=aal1, requested=highest, available=aal2, credential=password+lookup_secrets",
 			matcher: config.HighestAvailableAAL,