fix(mfa): match getAuthenticators by Authenticator.type field#998
fix(mfa): match getAuthenticators by Authenticator.type field#998utkrishtsahu wants to merge 1 commit into
Conversation
📝 WalkthroughWalkthroughAuthenticator filtering in MfaApiClient was changed from alias/effective-type matching (e.g., sms/phone, otp/totp) to exact case-sensitive equality against the authenticator's type field. Documentation and examples were updated accordingly, and a test mock was updated to include the type field. ChangesAuthenticator Filtering Update
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant Caller
participant MfaApiClient
participant FilteringAdapter
Caller->>MfaApiClient: getAuthenticators(factorsAllowed)
MfaApiClient->>FilteringAdapter: createFilteringAuthenticatorsAdapter(factorsAllowed)
FilteringAdapter->>FilteringAdapter: filter authenticator where factorsAllowed.contains(type)
FilteringAdapter-->>MfaApiClient: filtered authenticators
MfaApiClient-->>Caller: return result
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt (1)
305-319: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winSame
"phone"vs"oob"concern applies to this doc block.This restates the exact-match filtering contract using
factorsAllowed = ["phone", "email", "otp"]as an example. Same concern as the public KDoc above — please confirm this matches the realAuthenticator.typevalues returned byGET /mfa/authenticators.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt` around lines 305 - 319, The KDoc for the JSON adapter in MfaApiClient still uses examples that may not match the real Authenticator.type values returned by GET /mfa/authenticators. Update the doc block to use only documented/verified factor-type examples and make the exact-match filtering contract consistent with the actual API response values; locate the affected text in the adapter documentation near the filtering description.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt`:
- Around line 127-140: The KDoc example in MfaApiClient.getAuthenticators uses
outdated factor values that won’t match SMS/email authenticators. Update the
sample callback and the `@param` factorsAllowed examples to use "oob" instead of
"phone" and "email", keeping the exact-match filtering note aligned with
Authenticator.type.
---
Duplicate comments:
In `@auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt`:
- Around line 305-319: The KDoc for the JSON adapter in MfaApiClient still uses
examples that may not match the real Authenticator.type values returned by GET
/mfa/authenticators. Update the doc block to use only documented/verified
factor-type examples and make the exact-match filtering contract consistent with
the actual API response values; locate the affected text in the adapter
documentation near the filtering description.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 653affda-cf64-4839-b7ef-2ed4fdc1f553
📒 Files selected for processing (3)
EXAMPLES.mdauth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.ktauth0/src/test/java/com/auth0/android/authentication/MfaApiClientTest.kt
| * mfaClient.getAuthenticators(listOf("otp", "phone")) | ||
| * .start(object : Callback<List<Authenticator>, MfaListAuthenticatorsException> { | ||
| * override fun onSuccess(result: List<Authenticator>) { | ||
| * // Only OTP and OOB authenticators returned | ||
| * // Only authenticators whose `type` is "otp" or "phone" are returned | ||
| * } | ||
| * override fun onFailure(error: MfaListAuthenticatorsException) { } | ||
| * }) | ||
| * ``` | ||
| * | ||
| * @param factorsAllowed Array of factor types to filter the authenticators (e.g., `["otp", "oob", "recovery-code"]`). | ||
| * Filtering matches each authenticator's [Authenticator.type] field against the | ||
| * provided values using exact (case-sensitive) equality. | ||
| * | ||
| * @param factorsAllowed Array of factor types to filter the authenticators (e.g., `["otp", "phone", "email", "recovery-code"]`). | ||
| * Must contain at least one factor type. |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
What is the actual type field value returned by Auth0's GET /mfa/authenticators endpoint for a phone/SMS-based authenticator — "phone" or "oob"?
💡 Result:
For phone or SMS-based authenticators in Auth0, the actual field returned by the GET /mfa/authenticators endpoint is authenticator_type, and its value is "oob" [1][2]. While you may encounter the term "phone" in other parts of the Auth0 ecosystem—such as in configuration parameters, Management API requests, or MFA challenge requirement lists [3][4][5][2]—the specific authenticator_type field used to identify SMS or Voice factors within the list of enrolled authenticators is "oob" [1][2]. The specific transport method (e.g., SMS or Voice) is then provided in a separate field called oob_channel [1][2].
Citations:
- 1: https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api
- 2: https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators
- 3: https://auth0.com/docs/api/management/v2/users/post-authentication-methods
- 4: https://auth0.mintlify.app/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators
- 5: https://auth0.com/docs/secure/multi-factor-authentication/customize-mfa/customize-mfa-selection-universal-login
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate the relevant client and test references.
git ls-files 'auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt' \
'auth0/src/test/**/MfaApiClientTest.kt' \
'auth0/src/**/MfaApiClientTest.kt' \
'auth0/src/**/mfa/**' | sed 's#^`#-` #'
printf '\n== MfaApiClient.kt excerpt ==\n'
sed -n '110,155p' auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt
printf '\n== Search for factor/type values in tests ==\n'
rg -n '"type"\s*:\s*"(oob|otp|phone|email|recovery-code)"|factorsAllowed|Authenticator.type|oob_channel|authenticator_type' auth0/src/test auth0/src/main -g '*MfaApiClientTest.kt' -g '*.kt'Repository: auth0/Auth0.Android
Length of output: 8536
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the specific test regions mentioned by the review comment.
test_file=$(git ls-files 'auth0/src/test/**/MfaApiClientTest.kt' 'auth0/src/**/MfaApiClientTest.kt' | head -n 1)
if [ -z "$test_file" ]; then
echo "MfaApiClientTest.kt not found"
exit 0
fi
printf 'Using test file: %s\n' "$test_file"
for range in '240,270' '296,330' '340,390' '830,860'; do
printf '\n== %s lines %s ==\n' "$test_file" "$range"
sed -n "${range}p" "$test_file"
doneRepository: auth0/Auth0.Android
Length of output: 6455
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read the surrounding code and nearby tests that define the expected factor values.
printf '\n== MfaApiClient.kt around the documented example ==\n'
sed -n '120,145p' auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt
printf '\n== Search for API/model docs and test fixtures mentioning MFA authenticator types ==\n'
rg -n 'oob|otp|phone|email|recovery-code|authenticator_type|Authenticator.type|getAuthenticators' auth0/src/main/java auth0/src/test -g '*.kt'Repository: auth0/Auth0.Android
Length of output: 50377
Use oob here instead of phone/email
GET /mfa/authenticators returns Authenticator.type == "oob" for SMS/email authenticators, so the example currently suggests filter values that won’t match those items. Update the KDoc sample and factorsAllowed examples to use oob.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt`
around lines 127 - 140, The KDoc example in MfaApiClient.getAuthenticators uses
outdated factor values that won’t match SMS/email authenticators. Update the
sample callback and the `@param` factorsAllowed examples to use "oob" instead of
"phone" and "email", keeping the exact-match filtering note aligned with
Authenticator.type.
Changes
This change updates how
MfaApiClient.getAuthenticators(factorsAllowed)filters the authenticators returned by theGET /mfa/authenticatorsendpoint.What changed
Authenticator.typevalue directly against thefactorsAllowedlist using exact (case-sensitive) equality. Previously the SDK derived an "effective type" by inspectingoob_channelandauthenticator_type(with aliasing, e.g.sms/phone,otp/totp, and treatingoobas a wildcard). That derivation and its helpers have been removed.matchesFactorType(...)andgetEffectiveType(...)inMfaApiClient.getAuthenticators(factorsAllowed: List<String>)keeps the same signature; only its internal filtering behavior changed.MfaApiClientKDoc andEXAMPLES.mdupdated so thefactorsAllowedexamples use the same factor values as thetypefield (e.g.phone,email,otp,recovery-code) instead of channel-level values likesms/oob.Why it matters
The
factorsAllowedvalues now map one-to-one to theAuthenticator.typefield, so filtering is predictable and matches the values a caller gets fromMfaRequirements(MfaFactor.type). This is a behavioral change: callers passing channel-level or wildcard values such assmsoroobwill no longer match — they should pass the resolvedtypevalue (e.g.phone).Usage
References
Testing
The getAuthenticators unit tests in MfaApiClientTest were updated/verified to exercise the exact-type matching: fixtures include a top-level type field and assert that only authenticators whose type is in factorsAllowed are returned. One fixture (shouldGetAuthenticatorsWithCallback) was updated to include the type field so it reflects a realistic response.
This change adds unit test coverage
This change adds integration test coverage
This change has been tested on the latest version of the platform/language or why not
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors
Summary by CodeRabbit
Documentation
Bug Fixes