Commit 482313e
authored
docs(auth): document Built-in IdP MFA (TOTP) feature (#148)
* docs(auth): document Built-in IdP MFA (TOTP) feature
The Built-in IdP now supports TOTP-based multi-factor authentication
(tailor-platform/sdk#1541, #1561, #1562; platform-core-services MFA work
through #12233 / #12257). The user-facing guides under `docs/guides/`
did not reflect the new surface, so app developers had no way to learn
how to enable, enforce, or self-service MFA without reading the SDK
reference page.
This documents the consumer-facing behavior in the two guides that are
docs-repo-native:
- `docs/guides/auth/integration/built-in-idp.md` — add a Multi-Factor
Authentication (TOTP) section under userAuthPolicy, splitting the two
flows that are easy to conflate: (a) inline enrollment that the IdP
/signin page handles itself when `requireMfa: true`, and (b)
self-service factor management via `_requestMfaSettingsUrl`, which
issues a per-user MFA settings page URL. Documents `enableMfa`,
`requireMfa`, `allowedReturnOrigins`, `mfaIssuer`, the cross-field
constraints, the `permission.unenrollMfa` requirement, and the two
new GraphQL operations plus the `mfaEnrolled` / `mfaFactorIds` fields
on the User type. Also extends the User Management op list.
- `docs/guides/function/managing-idp-users.md` — extend the runtime
`tailor.idp.Client` interface block with `User.mfaEnrolled`,
`User.mfaFactorIds`, `UnenrollMfaInput`, and `client.unenrollMfa()`,
plus an Unenroll MFA Factor section showing the typical admin
recovery flow.
`docs/sdk/services/idp.md` is intentionally not edited here — it is
auto-synced from the SDK repo by the `sdk-docs-sync` workflow, and the
SDK-side page already covers the SDK-shaped surface (gqlOperations
MFA fields, schema constraints, runtime API).
* docs(auth): clarify requireMfa enrollment + unenrollMfa read requirement
Fix two issues raised in Copilot review on #148:
- built-in-idp.md: the `requireMfa` option description said unenrolled
users must complete enrollment "via the MFA settings page", which
contradicts the inline /signin enrollment flow described two
paragraphs above. Rewrite to point at the inline flow and note that
the application does not need to call _requestMfaSettingsUrl to
bootstrap enrollment.
- managing-idp-users.md: note that `unenrollMfa` additionally requires
read access to the target user (enforced at the dataplane RPC,
mirroring the built-in-idp guide), so a namespace that denies `read`
cannot use `unenrollMfa` either.
* docs(auth): align unenrollMfa example with prose, trim MFA snippet imports
Address Copilot review on c288b80:
- managing-idp-users.md: prose said `unenrollMfa` removes a single
factor while the only example unenrolled every factor via
`Promise.all`, which a copy/paste would reproduce by mistake. Lead
with the single-factor case (the API's actual unit) and present the
full-reset loop as an explicit second example for the lost-device
recovery flow. Pluralize the "no enrolled MFA factors" reason
string while there.
- built-in-idp.md: drop unused imports (`defineConfig`, `defineAuth`,
`user`) from the MFA configuration snippet so the imports actually
match what the snippet declares.
* docs(function): propagate unenrollMfa boolean in example snippets
Address Copilot review on 979a5b0: `Client.unenrollMfa()` returns
`Promise<boolean>`, but both new examples discarded the result and
returned `{ success: true }` unconditionally. That breaks the
convention established by `deleteUser` / `sendPasswordResetEmail`
elsewhere in this guide and would mask a false return from the API.
- Single-factor example now captures and returns the boolean
(`const success = await idpClient.unenrollMfa(...); return { success }`).
- Reset-all example collects the per-factor booleans via
`Promise.all` and aggregates with `results.every(Boolean)`.1 parent 96719c8 commit 482313e
2 files changed
Lines changed: 200 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
505 | 505 | | |
506 | 506 | | |
507 | 507 | | |
| 508 | + | |
| 509 | + | |
| 510 | + | |
| 511 | + | |
| 512 | + | |
| 513 | + | |
| 514 | + | |
| 515 | + | |
| 516 | + | |
| 517 | + | |
| 518 | + | |
| 519 | + | |
| 520 | + | |
| 521 | + | |
| 522 | + | |
| 523 | + | |
| 524 | + | |
| 525 | + | |
| 526 | + | |
| 527 | + | |
| 528 | + | |
| 529 | + | |
| 530 | + | |
| 531 | + | |
| 532 | + | |
| 533 | + | |
| 534 | + | |
| 535 | + | |
| 536 | + | |
| 537 | + | |
| 538 | + | |
| 539 | + | |
| 540 | + | |
| 541 | + | |
| 542 | + | |
| 543 | + | |
| 544 | + | |
| 545 | + | |
| 546 | + | |
| 547 | + | |
| 548 | + | |
| 549 | + | |
| 550 | + | |
| 551 | + | |
| 552 | + | |
| 553 | + | |
| 554 | + | |
| 555 | + | |
| 556 | + | |
| 557 | + | |
| 558 | + | |
| 559 | + | |
| 560 | + | |
| 561 | + | |
| 562 | + | |
| 563 | + | |
| 564 | + | |
| 565 | + | |
| 566 | + | |
| 567 | + | |
| 568 | + | |
| 569 | + | |
| 570 | + | |
| 571 | + | |
| 572 | + | |
| 573 | + | |
| 574 | + | |
| 575 | + | |
| 576 | + | |
| 577 | + | |
| 578 | + | |
| 579 | + | |
| 580 | + | |
| 581 | + | |
| 582 | + | |
| 583 | + | |
| 584 | + | |
| 585 | + | |
| 586 | + | |
| 587 | + | |
| 588 | + | |
| 589 | + | |
| 590 | + | |
| 591 | + | |
| 592 | + | |
| 593 | + | |
| 594 | + | |
| 595 | + | |
| 596 | + | |
| 597 | + | |
| 598 | + | |
| 599 | + | |
| 600 | + | |
| 601 | + | |
| 602 | + | |
| 603 | + | |
| 604 | + | |
| 605 | + | |
| 606 | + | |
| 607 | + | |
| 608 | + | |
| 609 | + | |
| 610 | + | |
| 611 | + | |
| 612 | + | |
| 613 | + | |
| 614 | + | |
| 615 | + | |
| 616 | + | |
| 617 | + | |
| 618 | + | |
| 619 | + | |
| 620 | + | |
| 621 | + | |
| 622 | + | |
| 623 | + | |
| 624 | + | |
| 625 | + | |
| 626 | + | |
| 627 | + | |
| 628 | + | |
| 629 | + | |
| 630 | + | |
| 631 | + | |
| 632 | + | |
| 633 | + | |
| 634 | + | |
| 635 | + | |
| 636 | + | |
| 637 | + | |
| 638 | + | |
| 639 | + | |
| 640 | + | |
| 641 | + | |
| 642 | + | |
| 643 | + | |
| 644 | + | |
| 645 | + | |
| 646 | + | |
| 647 | + | |
| 648 | + | |
| 649 | + | |
| 650 | + | |
| 651 | + | |
| 652 | + | |
508 | 653 | | |
509 | 654 | | |
510 | 655 | | |
| |||
583 | 728 | | |
584 | 729 | | |
585 | 730 | | |
| 731 | + | |
586 | 732 | | |
587 | 733 | | |
588 | 734 | | |
589 | 735 | | |
590 | 736 | | |
591 | 737 | | |
592 | 738 | | |
| 739 | + | |
593 | 740 | | |
594 | 741 | | |
595 | 742 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
28 | 28 | | |
29 | 29 | | |
30 | 30 | | |
| 31 | + | |
| 32 | + | |
31 | 33 | | |
32 | 34 | | |
33 | 35 | | |
| |||
68 | 70 | | |
69 | 71 | | |
70 | 72 | | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
71 | 78 | | |
72 | 79 | | |
73 | 80 | | |
| |||
77 | 84 | | |
78 | 85 | | |
79 | 86 | | |
| 87 | + | |
80 | 88 | | |
81 | 89 | | |
82 | 90 | | |
| |||
329 | 337 | | |
330 | 338 | | |
331 | 339 | | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
| 345 | + | |
| 346 | + | |
| 347 | + | |
| 348 | + | |
| 349 | + | |
| 350 | + | |
| 351 | + | |
| 352 | + | |
| 353 | + | |
| 354 | + | |
| 355 | + | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
| 380 | + | |
| 381 | + | |
| 382 | + | |
| 383 | + | |
| 384 | + | |
332 | 385 | | |
333 | 386 | | |
334 | 387 | | |
| |||
0 commit comments