Skip to content

feat(auth): web multi-step bridge — resume MFA after usernameless approve/QR (#2,#6) [WIP]#204

Closed
ahmetabdullahgultekin wants to merge 2 commits into
mainfrom
feat/approve-qr-mfa-bridge-web-2026-06-03
Closed

feat(auth): web multi-step bridge — resume MFA after usernameless approve/QR (#2,#6) [WIP]#204
ahmetabdullahgultekin wants to merge 2 commits into
mainfrom
feat/approve-qr-mfa-bridge-web-2026-06-03

Conversation

@ahmetabdullahgultekin

Copy link
Copy Markdown
Contributor

ApproveLoginPanel onMfaPending + LoginMfaFlow resumeSession inject the approved mfaSessionToken+availableMethods into the step-up flow instead of dead-ending. Additive/reversible; typechecks. DRAFT — verify with backend bridge + 2 devices before merge.

🤖 Generated with Claude Code

ahmetabdullahgultekin and others added 2 commits June 2, 2026 18:56
…n hosted page

The hosted login page (verify.fivucsas.com) resolved its initial login-config
by OAuth clientId, which maps to the client's bound tenant — the dashboard/mobile
client lives on the `system` sentinel tenant, so a fivucsas user saw the SYSTEM
flow shape (and 'system' branding) until they submitted. LoginMfaFlow already
called /auth/login/preflight at the identifier step but discarded the resolved
LoginConfig; now it hands it up via onPreflightResolved and HostedLoginApp swaps
the displayed config to the user's ACTUAL tenant flow (step list / methods /
branding). Display-only: the backend already enforces the user's flow at
/auth/login. Enumeration-safe (unknown email -> platform-default config) and
fallback-preserving (null/older API leaves the config untouched).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rove/QR (#2,#6) [WIP — integrate onto fix/predemo-web-2026-06-03 + verify before deploy]

ApproveLoginPanel onMfaPending + LoginMfaFlow resumeSession inject the approved mfaSessionToken+availableMethods into the step-up flow instead of dead-ending at 'continue here'. Additive/reversible.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ahmetabdullahgultekin

Copy link
Copy Markdown
Contributor Author

Superseded by #220 (fix/login-flow-triage-2026-06-12), which implements the full usernameless Layer-1 → MFA continuation bridge (shared Layer1Continuation + onMfaRequired threading mfaSessionToken+availableMethods across LoginPage/HostedLoginApp/LoginMfaFlow) plus F4 regroup, F7 picker gating, F6, F10 — CI-green and tested (1211 vitest). This 2026-06-03 WIP is fully covered there. Branch retained (not deleted) in case any unique approach needs salvage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant