fix: unwrap JSONResponse envelope in MFA status UI

devondragon · devondragon · commit 48652c4f808a · 2026-06-11T20:50:13.000-06:00
/user/mfa/status returns {success, messages, data: {mfaEnabled, ...}} but the
badge renderer read the fields from the top level. Every field came back
undefined, so a fully-authenticated user was always shown the 'Additional
Factor Required' badge and never the MFA Active / Fully Authenticated ones.
diff --git a/src/main/resources/static/js/user/webauthn-manage.js b/src/main/resources/static/js/user/webauthn-manage.js
@@ -284,7 +284,15 @@ async function updateMfaStatusUI() {
             return;
         }
 
-        const status = await response.json();
+        // The endpoint wraps the status in the framework's JSONResponse envelope:
+        // { success, messages, data: { mfaEnabled, fullyAuthenticated, ... } }
+        const body = await response.json();
+        const status = body.data;
+        if (!status) {
+            console.warn('MFA status response missing data payload');
+            container.classList.add('d-none');
+            return;
+        }
         container.classList.remove('d-none');
 
         // Build MFA badges using safe DOM methods
