feat(clerk-js,ui): Introduce setup MFA session task (#7626)

Author: octoper

.changeset/great-bats-attack.md

@@ -0,0 +1,12 @@
+---
+'@clerk/tanstack-react-start': minor
+'@clerk/localizations': minor
+'@clerk/react-router': minor
+'@clerk/clerk-js': minor
+'@clerk/nextjs': minor
+'@clerk/shared': minor
+'@clerk/react': minor
+'@clerk/ui': minor
+---
+
+Introducing `setup_mfa` session task

integration/presets/envs.ts

@@ -158,6 +158,13 @@ const withSessionTasksResetPassword = base
   .setEnvVariable('private', 'CLERK_SECRET_KEY', instanceKeys.get('with-session-tasks-reset-password').sk)
   .setEnvVariable('public', 'CLERK_PUBLISHABLE_KEY', instanceKeys.get('with-session-tasks-reset-password').pk);
 
+const withSessionTasksSetupMfa = base
+  .clone()
+  .setId('withSessionTasksSetupMfa')
+  .setEnvVariable('private', 'CLERK_SECRET_KEY', instanceKeys.get('with-session-tasks-setup-mfa').sk)
+  .setEnvVariable('public', 'CLERK_PUBLISHABLE_KEY', instanceKeys.get('with-session-tasks-setup-mfa').pk)
+  .setEnvVariable('private', 'CLERK_ENCRYPTION_KEY', constants.E2E_CLERK_ENCRYPTION_KEY || 'a-key');
+
 const withBillingJwtV2 = base
   .clone()
   .setId('withBillingJwtV2')
@@ -216,6 +223,7 @@ export const envs = {
   withSessionTasks,
   withSessionTasksResetPassword,
   withSharedUIVariant,
+  withSessionTasksSetupMfa,
   withSignInOrUpEmailLinksFlow,
   withSignInOrUpFlow,
   withSignInOrUpwithRestrictedModeFlow,

integration/presets/longRunningApps.ts

@@ -31,6 +31,7 @@ export const createLongRunningApps = () => {
     { id: 'next.appRouter.withSignInOrUpEmailLinksFlow', config: next.appRouter, env: envs.withSignInOrUpEmailLinksFlow },
     { id: 'next.appRouter.withSessionTasks', config: next.appRouter, env: envs.withSessionTasks },
     { id: 'next.appRouter.withSessionTasksResetPassword', config: next.appRouter, env: envs.withSessionTasksResetPassword },
+    { id: 'next.appRouter.withSessionTasksSetupMfa', config: next.appRouter, env: envs.withSessionTasksSetupMfa },
     { id: 'next.appRouter.withLegalConsent', config: next.appRouter, env: envs.withLegalConsent },
     { id: 'next.appRouter.withNeedsClientTrust', config: next.appRouter, env: envs.withNeedsClientTrust },
     { id: 'next.appRouter.withSharedUIVariant', config: next.appRouter, env: envs.withSharedUIVariant },

integration/tests/session-tasks-setup-mfa.test.ts

@@ -0,0 +1,206 @@
+import { expect, test } from '@playwright/test';
+
+import { appConfigs } from '../presets';
+import { createTestUtils, testAgainstRunningApps } from '../testUtils';
+import { stringPhoneNumber } from '../testUtils/phoneUtils';
+import { fakerPhoneNumber } from '../testUtils/usersService';
+
+testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasksSetupMfa] })(
+  'session tasks setup-mfa flow @nextjs',
+  ({ app }) => {
+    test.describe.configure({ mode: 'serial' });
+
+    test.afterAll(async () => {
+      await app.teardown();
+    });
+
+    test.afterEach(async ({ page, context }) => {
+      const u = createTestUtils({ app, page, context });
+      await u.page.signOut();
+      await u.page.context().clearCookies();
+    });
+
+    test('setup MFA with new phone number - happy path', async ({ page, context }) => {
+      const u = createTestUtils({ app, page, context });
+      const user = u.services.users.createFakeUser({
+        fictionalEmail: true,
+        withPassword: true,
+      });
+      await u.services.users.createBapiUser(user);
+
+      await u.po.signIn.goTo();
+      await u.po.signIn.waitForMounted();
+      await u.po.signIn.signInWithEmailAndInstantPassword({ email: user.email, password: user.password });
+      await u.po.expect.toBeSignedIn();
+
+      await u.page.goToRelative('/page-protected');
+
+      await u.page.getByText(/set up two-step verification/i).waitFor({ state: 'visible' });
+
+      await u.page.getByRole('button', { name: /sms code/i }).click();
+
+      const testPhoneNumber = fakerPhoneNumber();
+      await u.po.signIn.getPhoneNumberInput().fill(testPhoneNumber);
+      await u.page.getByRole('button', { name: /continue/i }).click();
+
+      await u.po.signIn.enterTestOtpCode();
+
+      await u.page.getByText(/save these backup codes/i).waitFor({ state: 'visible', timeout: 10000 });
+
+      await u.po.signIn.continue();
+
+      await u.page.waitForAppUrl('/page-protected');
+      await u.po.expect.toBeSignedIn();
+
+      await user.deleteIfExists();
+    });
+
+    test('setup MFA with existing phone number - happy path', async ({ page, context }) => {
+      const u = createTestUtils({ app, page, context });
+      const user = u.services.users.createFakeUser({
+        fictionalEmail: true,
+        withPhoneNumber: true,
+        withPassword: true,
+      });
+      await u.services.users.createBapiUser(user);
+
+      await u.po.signIn.goTo();
+      await u.po.signIn.waitForMounted();
+      await u.po.signIn.signInWithEmailAndInstantPassword({ email: user.email, password: user.password });
+      await u.po.expect.toBeSignedIn();
+
+      await u.page.goToRelative('/page-protected');
+
+      await u.page.getByText(/set up two-step verification/i).waitFor({ state: 'visible' });
+
+      await u.page.getByRole('button', { name: /sms code/i }).click();
+
+      const formattedPhoneNumber = stringPhoneNumber(user.phoneNumber);
+      await u.page
+        .getByRole('button', {
+          name: formattedPhoneNumber,
+        })
+        .click();
+
+      await u.page.getByText(/save these backup codes/i).waitFor({ state: 'visible', timeout: 10000 });
+
+      await u.po.signIn.continue();
+
+      await u.page.waitForAppUrl('/page-protected');
+      await u.po.expect.toBeSignedIn();
+
+      await user.deleteIfExists();
+    });
+
+    test('setup MFA with invalid phone number - error handling', async ({ page, context }) => {
+      const u = createTestUtils({ app, page, context });
+      const user = u.services.users.createFakeUser({
+        fictionalEmail: true,
+        withPassword: true,
+      });
+      await u.services.users.createBapiUser(user);
+
+      await u.po.signIn.goTo();
+      await u.po.signIn.waitForMounted();
+      await u.po.signIn.signInWithEmailAndInstantPassword({ email: user.email, password: user.password });
+      await u.po.expect.toBeSignedIn();
+
+      await u.page.goToRelative('/page-protected');
+
+      await u.page.getByText(/set up two-step verification/i).waitFor({ state: 'visible' });
+
+      await u.page.getByRole('button', { name: /sms code/i }).click();
+
+      const invalidPhoneNumber = '123091293193091311';
+      await u.po.signIn.getPhoneNumberInput().fill(invalidPhoneNumber);
+      await u.po.signIn.continue();
+      // we need to improve this error message
+      await expect(u.page.getByTestId('form-feedback-error')).toBeVisible();
+
+      const validPhoneNumber = fakerPhoneNumber();
+      await u.po.signIn.getPhoneNumberInput().fill(validPhoneNumber);
+      await u.po.signIn.continue();
+
+      await u.po.signIn.enterTestOtpCode();
+
+      await u.page.getByText(/save these backup codes/i).waitFor({ state: 'visible', timeout: 10000 });
+
+      await u.po.signIn.continue();
+
+      await u.page.waitForAppUrl('/page-protected');
+      await u.po.expect.toBeSignedIn();
+
+      await user.deleteIfExists();
+    });
+
+    test('setup MFA with invalid verification code - error handling', async ({ page, context }) => {
+      const u = createTestUtils({ app, page, context });
+      const user = u.services.users.createFakeUser({
+        fictionalEmail: true,
+        withPassword: true,
+      });
+      await u.services.users.createBapiUser(user);
+
+      await u.po.signIn.goTo();
+      await u.po.signIn.waitForMounted();
+      await u.po.signIn.signInWithEmailAndInstantPassword({ email: user.email, password: user.password });
+      await u.po.expect.toBeSignedIn();
+
+      await u.page.goToRelative('/page-protected');
+
+      await u.page.getByText(/set up two-step verification/i).waitFor({ state: 'visible' });
+
+      await u.page.getByRole('button', { name: /sms code/i }).click();
+
+      const testPhoneNumber = fakerPhoneNumber();
+      await u.po.signIn.getPhoneNumberInput().fill(testPhoneNumber);
+      await u.po.signIn.continue();
+
+      await u.po.signIn.enterOtpCode('111111', {
+        awaitRequests: false,
+      });
+
+      await expect(u.page.getByTestId('form-feedback-error')).toBeVisible();
+
+      await user.deleteIfExists();
+    });
+
+    test('can navigate back during MFA setup', async ({ page, context }) => {
+      const u = createTestUtils({ app, page, context });
+      const user = u.services.users.createFakeUser({
+        fictionalEmail: true,
+        withPhoneNumber: true,
+        withPassword: true,
+      });
+      await u.services.users.createBapiUser(user);
+
+      await u.po.signIn.goTo();
+      await u.po.signIn.waitForMounted();
+      await u.po.signIn.signInWithEmailAndInstantPassword({ email: user.email, password: user.password });
+      await u.po.expect.toBeSignedIn();
+
+      await u.page.goToRelative('/page-protected');
+
+      await u.page.getByText(/set up two-step verification/i).waitFor({ state: 'visible' });
+
+      await u.page.getByRole('button', { name: /sms code/i }).click();
+
+      const formattedPhoneNumber = stringPhoneNumber(user.phoneNumber);
+      await u.page
+        .getByRole('button', {
+          name: formattedPhoneNumber,
+        })
+        .waitFor({ state: 'visible' });
+
+      await u.page
+        .getByRole('button', { name: /cancel/i })
+        .first()
+        .click();
+
+      await u.page.getByText(/set up two-step verification/i).waitFor({ state: 'visible' });
+      await u.page.getByRole('button', { name: /sms code/i }).waitFor({ state: 'visible' });
+
+      await user.deleteIfExists();
+    });
+  },
+);

packages/clerk-js/sandbox/app.ts

@@ -34,6 +34,7 @@ const AVAILABLE_COMPONENTS = [
   'oauthConsent',
   'taskChooseOrganization',
   'taskResetPassword',
+  'taskSetupMFA',
 ] as const;
 type AvailableComponent = (typeof AVAILABLE_COMPONENTS)[number];
 
@@ -137,6 +138,7 @@ const componentControls: Record<AvailableComponent, ComponentPropsControl> = {
   oauthConsent: buildComponentControls('oauthConsent'),
   taskChooseOrganization: buildComponentControls('taskChooseOrganization'),
   taskResetPassword: buildComponentControls('taskResetPassword'),
+  taskSetupMFA: buildComponentControls('taskSetupMFA'),
 };
 
 declare global {
@@ -419,6 +421,14 @@ void (async () => {
         },
       );
     },
+    '/task-setup-mfa': () => {
+      Clerk.mountTaskSetupMfa(
+        app,
+        componentControls.taskSetupMFA.getProps() ?? {
+          redirectUrlComplete: '/user-profile',
+        },
+      );
+    },
     '/open-sign-in': () => {
       mountOpenSignInButton(app, componentControls.signIn.getProps() ?? {});
     },

packages/clerk-js/sandbox/template.html

@@ -169,6 +169,14 @@
               TaskChooseOrganization
             </a>
           </li>
+          <li class="relative">
+            <a
+              class="relative isolate flex w-full rounded-md border border-white px-2 py-[0.4375rem] text-sm hover:bg-gray-50 aria-[current]:bg-gray-50"
+              href="/task-setup-mfa"
+            >
+              TaskSetupMFA
+            </a>
+          </li>
           <li class="relative">
             <a
               class="relative isolate flex w-full rounded-md border border-white px-2 py-[0.4375rem] text-sm hover:bg-gray-50 aria-[current]:bg-gray-50"

packages/clerk-js/src/core/clerk.ts

@@ -113,6 +113,7 @@ import type {
   SignUpResource,
   TaskChooseOrganizationProps,
   TaskResetPasswordProps,
+  TaskSetupMFAProps,
   TasksRedirectOptions,
   UnsubscribeCallback,
   UserAvatarProps,
@@ -1439,6 +1440,28 @@ export class Clerk implements ClerkInterface {
     void this.#clerkUi?.then(ui => ui.ensureMounted()).then(controls => controls.unmountComponent({ node }));
   };
 
+  public mountTaskSetupMfa = (node: HTMLDivElement, props?: TaskSetupMFAProps) => {
+    this.assertComponentsReady(this.#clerkUi);
+
+    const component = 'TaskSetupMFA';
+    void this.#clerkUi
+      .then(ui => ui.ensureMounted())
+      .then(controls =>
+        controls.mountComponent({
+          name: component,
+          appearanceKey: 'taskSetupMfa',
+          node,
+          props,
+        }),
+      );
+
+    this.telemetry?.record(eventPrebuiltComponentMounted('TaskSetupMfa', props));
+  };
+
+  public unmountTaskSetupMfa = (node: HTMLDivElement) => {
+    void this.#clerkUi?.then(ui => ui.ensureMounted()).then(controls => controls.unmountComponent({ node }));
+  };
+
   /**
    * `setActive` can be used to set the active session and/or organization.
    */

packages/localizations/package.json

@@ -59,7 +59,7 @@
     "dev": "tsup --watch",
     "format": "node ../../scripts/format-package.mjs",
     "format:check": "node ../../scripts/format-package.mjs --check",
-    "generate": "tsc src/utils/generate.ts && node src/utils/generate.js && prettier --write src/*.ts",
+    "generate": "tsc -p tsconfig.generate.json && node --experimental-vm-modules src/utils/generate.js && rimraf tmp && prettier --write src/*.ts",
     "lint": "eslint src",
     "lint:attw": "attw --pack . --profile node16"
   },