feat: support MFA via SMS

cmd/clidoc/main.go

@@ -169,6 +169,8 @@
 		"NewInfoSelfServiceRegistrationRegisterCode":              text.NewInfoSelfServiceRegistrationRegisterCode(),
 		"NewErrorValidationLoginLinkedCredentialsDoNotMatch":      text.NewErrorValidationLoginLinkedCredentialsDoNotMatch(),
 		"NewErrorValidationAddressUnknown":                        text.NewErrorValidationAddressUnknown(),
+		"NewInfoSelfServiceLoginCodeMFA":                          text.NewInfoSelfServiceLoginCodeMFA(),
+		"NewInfoSelfServiceLoginCodeMFAHint":                      text.NewInfoSelfServiceLoginCodeMFAHint("{maskedIdentifier}"),
 	}
 }
 
@@ -248,7 +250,7 @@
 	r := regexp.MustCompile(`(?s)<!-- START MESSAGE TABLE -->(.*?)<!-- END MESSAGE TABLE -->`)
 	result := r.ReplaceAllString(string(content), "<!-- START MESSAGE TABLE -->\n"+w.String()+"\n<!-- END MESSAGE TABLE -->")
 
 	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o755)
 	if err != nil {
 		return err
 	}
@@ -267,7 +269,7 @@
 func writeMessagesJson(path string, sortedMessages []*text.Message) error {
 	result := codeEncode(sortedMessages)
 
 	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o755)
 	if err != nil {
 		return err
 	}

contrib/quickstart/kratos/phone-password/identity.schema.json

@@ -1,5 +1,5 @@
 {
-  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/phone-password/identity.schema.json",
   "$schema": "http://json-schema.org/draft-07/schema#",
   "title": "Person",
   "type": "object",
@@ -36,9 +36,6 @@
             "credentials": {
               "password": {
                 "identifier": true
-              },
-              "code": {
-                "identifier": true
               }
             },
             "verification": {

embedx/config.schema.json

@@ -1410,6 +1410,26 @@
             "code": {
               "type": "object",
               "additionalProperties": false,
+              "oneOf": [
+                {
+                  "properties": {
+                    "passwordless_enabled": { "const": true },
+                    "mfa_enabled": { "const": false }
+                  }
+                },
+                {
+                  "properties": {
+                    "mfa_enabled": { "const": true },
+                    "passwordless_enabled": { "const": false }
+                  }
+                },
+                {
+                  "properties": {
+                    "mfa_enabled": { "const": false },
+                    "passwordless_enabled": { "const": false }
+                  }
+                }
+              ],
               "properties": {
                 "passwordless_enabled": {
                   "type": "boolean",

internal/testhelpers/selfservice_login.go

@@ -58,6 +58,7 @@ type initFlowOptions struct {
 	returnTo             string
 	refresh              bool
 	oauth2LoginChallenge string
+	via                  string
 }
 
 func (o *initFlowOptions) apply(opts []InitFlowWithOption) *initFlowOptions {
@@ -86,6 +87,9 @@ func getURLFromInitOptions(ts *httptest.Server, path string, forced bool, opts .
 	if o.oauth2LoginChallenge != "" {
 		q.Set("login_challenge", o.oauth2LoginChallenge)
 	}
+	if o.via != "" {
+		q.Set("via", o.via)
+	}
 
 	u := urlx.ParseOrPanic(ts.URL + path)
 	u.RawQuery = q.Encode()
@@ -118,6 +122,12 @@ func InitFlowWithOAuth2LoginChallenge(hlc string) InitFlowWithOption {
 	}
 }
 
+func InitFlowWithVia(via string) InitFlowWithOption {
+	return func(o *initFlowOptions) {
+		o.via = via
+	}
+}
+
 func InitializeLoginFlowViaBrowser(t *testing.T, client *http.Client, ts *httptest.Server, forced bool, isSPA bool, expectInitError bool, expectGetError bool, opts ...InitFlowWithOption) *kratos.LoginFlow {
 	publicClient := NewSDKCustomClient(ts, client)
 
@@ -164,9 +174,12 @@ func InitializeLoginFlowViaAPI(t *testing.T, client *http.Client, ts *httptest.S
 	if o.aal != "" {
 		req = req.Aal(string(o.aal))
 	}
+	if o.via != "" {
+		req = req.Via(o.via)
+	}
 
-	rs, _, err := req.Execute()
-	require.NoError(t, err)
+	rs, res, err := req.Execute()
+	require.NoError(t, err, "%s", ioutilx.MustReadAll(res.Body))
 	assert.Empty(t, rs.Active)
 
 	return rs

internal/testhelpers/server.go

@@ -33,7 +33,10 @@ func NewKratosServerWithCSRFAndRouters(t *testing.T, reg driver.Registry) (publi
 	ran := negroni.New()
 	ran.UseFunc(x.RedirectAdminMiddleware)
 	ran.UseHandler(ra)
-	public = httptest.NewServer(x.NewTestCSRFHandler(rp, reg))
+	rpn := negroni.New()
+	rpn.UseFunc(x.HTTPLoaderContextMiddleware(reg))
+	rpn.UseHandler(rp)
+	public = httptest.NewServer(x.NewTestCSRFHandler(rpn, reg))
 	admin = httptest.NewServer(ran)
 	ctx := context.Background()
 

selfservice/flow/login/extension_identifier_label.go

@@ -6,32 +6,57 @@ package login
 import (
 	"context"
 
+	"github.com/pkg/errors"
+	"github.com/samber/lo"
+
+	"github.com/ory/herodot"
 	"github.com/ory/kratos/text"
 
 	"github.com/ory/jsonschema/v3"
 	"github.com/ory/kratos/schema"
 )
 
 type identifierLabelExtension struct {
+	field                     string
 	identifierLabelCandidates []string
 }
 
-var _ schema.CompileExtension = new(identifierLabelExtension)
+var (
+	_               schema.CompileExtension = new(identifierLabelExtension)
+	ErrUnknownTrait                         = herodot.ErrBadRequest.WithReasonf("Trait does not exist in identity schema")
+)
 
 func GetIdentifierLabelFromSchema(ctx context.Context, schemaURL string) (*text.Message, error) {
-	ext := &identifierLabelExtension{}
+	return GetIdentifierLabelFromSchemaWithField(ctx, schemaURL, "")
+}
+
+func GetIdentifierLabelFromSchemaWithField(ctx context.Context, schemaURL string, trait string) (*text.Message, error) {
+	ext := &identifierLabelExtension{
+		field: trait,
+	}
 
 	runner, err := schema.NewExtensionRunner(ctx, schema.WithCompileRunners(ext))
 	if err != nil {
 		return nil, err
 	}
 	c := jsonschema.NewCompiler()
+	c.ExtractAnnotations = true
 	runner.Register(c)
 
-	_, err = c.Compile(ctx, schemaURL)
+	s, err := c.Compile(ctx, schemaURL)
 	if err != nil {
 		return nil, err
 	}
+
+	if trait != "" {
+		f, ok := s.Properties["traits"].Properties[trait]
+		if !ok {
+			knownTraits := lo.Keys(s.Properties["traits"].Properties)
+			return nil, errors.WithStack(ErrUnknownTrait.WithDetail("trait", trait).WithDetail("known_traits", knownTraits))
+		}
+		return text.NewInfoNodeLabelGenerated(f.Title), nil
+	}
+
 	metaLabel := text.NewInfoNodeLabelID()
 	if label := ext.getLabel(); label != "" {
 		metaLabel = text.NewInfoNodeLabelGenerated(label)

selfservice/flow/login/handler.go

@@ -293,6 +293,11 @@ type createNativeLoginFlow struct {
 	//
 	// in: query
 	ReturnTo string `json:"return_to"`
+
+	// Via should contain the identity's credential the code should be sent to. Only relevant in aal2 flows.
+	//
+	// in: query
+	Via string `json:"via"`
 }
 
 // swagger:route GET /self-service/login/api frontend createNativeLoginFlow

selfservice/strategy/code/.snapshots/TestLoginCodeStrategy-test=Browser_client-suite=mfa-case=verify_initial_payload.json

@@ -0,0 +1,84 @@
+{
+  "organization_id": null,
+  "refresh": false,
+  "requested_aal": "aal2",
+  "state": "choose_method",
+  "type": "browser",
+  "ui": {
+    "messages": [
+      {
+        "id": 1010004,
+        "text": "Please complete the second authentication challenge.",
+        "type": "info"
+      }
+    ],
+    "method": "POST",
+    "nodes": [
+      {
+        "attributes": {
+          "disabled": false,
+          "name": "csrf_token",
+          "node_type": "input",
+          "required": true,
+          "type": "hidden"
+        },
+        "group": "default",
+        "messages": [],
+        "meta": {},
+        "type": "input"
+      },
+      {
+        "attributes": {
+          "disabled": false,
+          "name": "identifier",
+          "node_type": "input",
+          "required": true,
+          "type": "text",
+          "value": ""
+        },
+        "group": "default",
+        "messages": [
+          {
+            "context": {
+              "maskedTo": "fi****@ory.sh"
+            },
+            "id": 1010020,
+            "text": "We will send a code to fi****@ory.sh. To verify that this is your address please enter it here.",
+            "type": "info"
+          }
+        ],
+        "meta": {
+          "label": {
+            "context": {
+              "title": "Email"
+            },
+            "id": 1070002,
+            "text": "Email",
+            "type": "info"
+          }
+        },
+        "type": "input"
+      },
+      {
+        "attributes": {
+          "disabled": false,
+          "name": "method",
+          "node_type": "input",
+          "type": "submit",
+          "value": "code"
+        },
+        "group": "code",
+        "messages": [],
+        "meta": {
+          "label": {
+            "id": 1010019,
+            "text": "Continue with code",
+            "type": "info"
+          }
+        },
+        "type": "input"
+      }
+    ]
+  }
+}
+