logto-io
diff --git a/‎.gitignore
Lines changed: 3 additions & 0 deletions b/‎.gitignore
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/core/src/__mocks__/user.ts
Lines changed: 7 additions & 0 deletions b/‎packages/core/src/__mocks__/user.ts
Lines changed: 7 additions & 0 deletions
diff --git a/‎packages/core/src/routes/account/index.openapi.json
Lines changed: 33 additions & 0 deletions b/‎packages/core/src/routes/account/index.openapi.json
Lines changed: 33 additions & 0 deletions
diff --git a/‎packages/core/src/routes/account/index.ts
Lines changed: 72 additions & 0 deletions b/‎packages/core/src/routes/account/index.ts
Lines changed: 72 additions & 0 deletions
diff --git a/‎packages/integration-tests/src/api/my-account.ts
Lines changed: 13 additions & 0 deletions b/‎packages/integration-tests/src/api/my-account.ts
Lines changed: 13 additions & 0 deletions
@@ -33,6 +33,9 @@ cache
 fly.toml
 dump.rdb
 
+# Claude local files
+.claude/
+
 # connectors
 /packages/core/connectors
 
 
@@ -19,6 +19,7 @@ export const mockUser: User = {
   },
   logtoConfig: {},
   mfaVerifications: [],
+  requireMfaOnSignIn: true,
   customData: {},
   profile: {},
   applicationId: 'bar',
@@ -76,6 +77,7 @@ export const mockUserWithPassword: User = {
   customData: {},
   logtoConfig: {},
   mfaVerifications: [],
+  requireMfaOnSignIn: true,
   profile: {},
   applicationId: 'bar',
   lastSignInAt: 1_650_969_465_789,
@@ -99,6 +101,7 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    requireMfaOnSignIn: true,
     profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
@@ -120,6 +123,7 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    requireMfaOnSignIn: true,
     profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
@@ -141,6 +145,7 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    requireMfaOnSignIn: true,
     profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
@@ -162,6 +167,7 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    requireMfaOnSignIn: true,
     profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
@@ -183,6 +189,7 @@ export const mockUserList: User[] = [
     customData: {},
     logtoConfig: {},
     mfaVerifications: [],
+    requireMfaOnSignIn: true,
     profile: {},
     applicationId: 'bar',
     lastSignInAt: 1_650_969_465_000,
 
@@ -139,6 +139,39 @@
         }
       }
     },
+    "/api/my-account/mfa-settings": {
+      "get": {
+        "operationId": "GetMfaSettings",
+        "summary": "Get MFA settings",
+        "tags": ["Dev feature"],
+        "description": "Get MFA settings for the user. This endpoint requires the Identities scope. Returns current MFA configuration preferences.",
+        "responses": {
+          "200": {
+            "description": "The MFA settings were retrieved successfully."
+          },
+          "401": {
+            "description": "Permission denied, insufficient scope or MFA field not enabled."
+          }
+        }
+      },
+      "patch": {
+        "operationId": "UpdateMfaSettings",
+        "summary": "Update MFA settings",
+        "tags": ["Dev feature"],
+        "description": "Update MFA settings for the user. This endpoint requires identity verification and the Identities scope. Controls whether MFA verification is required during sign-in when the user has MFA configured.",
+        "responses": {
+          "204": {
+            "description": "The MFA settings were updated successfully."
+          },
+          "400": {
+            "description": "The request body is invalid."
+          },
+          "401": {
+            "description": "Permission denied, identity verification is required or insufficient scope."
+          }
+        }
+      }
+    },
     "/api/my-account/primary-email": {
       "post": {
         "operationId": "UpdatePrimaryEmail",
 
@@ -9,6 +9,7 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
+import { EnvSet } from '../../env-set/index.js';
 import RequestError from '../../errors/RequestError/index.js';
 import { encryptUserPassword } from '../../libraries/user.utils.js';
 import assertThat from '../../utils/assert-that.js';
@@ -180,6 +181,77 @@ export default function accountRoutes<T extends UserRouter>(...args: RouterInitA
     }
   );
 
+  if (EnvSet.values.isDevFeaturesEnabled) {
+    router.get(
+      `${accountApiPrefix}/mfa-settings`,
+      koaGuard({
+        response: z.object({
+          requireMfaOnSignIn: z.boolean(),
+        }),
+        status: [200, 400, 401],
+      }),
+      async (ctx, next) => {
+        const { id: userId, scopes } = ctx.auth;
+
+        assertThat(
+          scopes.has(UserScope.Identities),
+          new RequestError({ code: 'auth.unauthorized', status: 401 })
+        );
+        const { fields } = ctx.accountCenter;
+        assertThat(
+          fields.mfa === AccountCenterControlValue.Edit ||
+            fields.mfa === AccountCenterControlValue.ReadOnly,
+          new RequestError({ code: 'account_center.field_not_enabled', status: 400 })
+        );
+
+        const user = await findUserById(userId);
+        ctx.body = {
+          requireMfaOnSignIn: user.requireMfaOnSignIn,
+        };
+
+        return next();
+      }
+    );
+
+    router.patch(
+      `${accountApiPrefix}/mfa-settings`,
+      koaGuard({
+        body: z.object({
+          requireMfaOnSignIn: z.boolean(),
+        }),
+        status: [204, 400, 401],
+      }),
+      async (ctx, next) => {
+        const { id: userId, identityVerified, scopes } = ctx.auth;
+
+        assertThat(
+          identityVerified,
+          new RequestError({ code: 'verification_record.permission_denied', status: 401 })
+        );
+        assertThat(
+          scopes.has(UserScope.Identities),
+          new RequestError({ code: 'auth.unauthorized', status: 401 })
+        );
+        const { requireMfaOnSignIn } = ctx.guard.body;
+        const { fields } = ctx.accountCenter;
+        assertThat(
+          fields.mfa === AccountCenterControlValue.Edit,
+          new RequestError({ code: 'account_center.field_not_editable', status: 400 })
+        );
+
+        const updatedUser = await updateUserById(userId, {
+          requireMfaOnSignIn,
+        });
+
+        ctx.appendDataHookContext('User.Data.Updated', { user: updatedUser });
+
+        ctx.status = 204;
+
+        return next();
+      }
+    );
+  }
+
   emailAndPhoneRoutes(...args);
   identitiesRoutes(...args);
   mfaVerificationsRoutes(...args);
 
@@ -109,3 +109,16 @@ export const deleteMfaVerification = async (
   api.delete(`api/my-account/mfa-verifications/${verificationId}`, {
     headers: { [verificationRecordIdHeader]: verificationRecordId },
   });
+
+export const getMfaSettings = async (api: KyInstance) =>
+  api.get('api/my-account/mfa-settings').json<{ requireMfaOnSignIn: boolean }>();
+
+export const updateMfaSettings = async (
+  api: KyInstance,
+  verificationRecordId: string,
+  requireMfaOnSignIn: boolean
+) =>
+  api.patch('api/my-account/mfa-settings', {
+    json: { requireMfaOnSignIn },
+    headers: { [verificationRecordIdHeader]: verificationRecordId },
+  });