diff --git a/packages/core/auth-js/src/GoTrueClient.ts b/packages/core/auth-js/src/GoTrueClient.ts
index 10c738438..e0721385d 100644
--- a/packages/core/auth-js/src/GoTrueClient.ts
+++ b/packages/core/auth-js/src/GoTrueClient.ts
@@ -3394,7 +3394,40 @@ export default class GoTrueClient {
 /**
 * {@see GoTrueMFAApi#getAuthenticatorAssuranceLevel}
 */
- private async _getAuthenticatorAssuranceLevel(): Promise {
+ private async _getAuthenticatorAssuranceLevel(
+ jwt?: string
+ ): Promise {
+ if (jwt) {
+ const { payload } = decodeJWT(jwt)
+
+ let currentLevel: AuthenticatorAssuranceLevels | null = null
+ if (payload.aal) {
+ currentLevel = payload.aal
+ }
+
+ let nextLevel: AuthenticatorAssuranceLevels | null = currentLevel
+
+ const {
+ data: { user },
+ error: userError,
+ } = await this.getUser(jwt)
+
+ if (userError) {
+ return this._returnResult({ data: null, error: userError })
+ }
+
+ const verifiedFactors =
+ user?.factors?.filter((factor: Factor) => factor.status === 'verified') ?? []
+
+ if (verifiedFactors.length > 0) {
+ nextLevel = 'aal2'
+ }
+
+ const currentAuthenticationMethods = payload.amr || []
+
+ return { data: { currentLevel, nextLevel, currentAuthenticationMethods }, error: null }
+ }
+
 const {
 data: { session },
 error: sessionError,
diff --git a/packages/core/auth-js/src/lib/types.ts b/packages/core/auth-js/src/lib/types.ts
index 2840d9e7f..045ecb1b3 100644
--- a/packages/core/auth-js/src/lib/types.ts
+++ b/packages/core/auth-js/src/lib/types.ts
@@ -1234,8 +1234,11 @@ export interface GoTrueMFAApi {
 * and rarely uses the network. You can use this to check whether the current
 * user needs to be shown a screen to verify their MFA factors.
 *
+ * @param jwt Takes in an optional access token JWT. If no JWT is provided, the JWT from the current session is used.
 */
- getAuthenticatorAssuranceLevel(): Promise
+ getAuthenticatorAssuranceLevel(
+ jwt?: string
+ ): Promise
 // namespace for the webauthn methods
 webauthn: WebAuthnApi
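Review bot: In the GoTrueClient.ts hunk, `if (jwt) {` treats an empty string the same as an omitted argument, so a caller that passes a blank token (for example one read from an absent header) silently gets the assurance level of the client's stored session instead of an error. Testing for presence instead, `if (jwt !== undefined) {`, would hand the blank token to `decodeJWT`, which presumably rejects it, so the call fails closed. The trust dependency also deserves a comment above the decode, e.g. `// aal/amr come from a decode-only read of the token; they are returned only after getUser(jwt) has accepted it`, assuming `decodeJWT` does not verify the signature itself (its definition is not in this diff). The body of `_getAuthenticatorAssuranceLevel` continues past the end of the hunk.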
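Review bot: In the types.ts hunk, the retained description above the new `@param` line still says the method "rarely uses the network", but the `jwt` branch added in GoTrueClient.ts awaits `this.getUser(jwt)` on every call. The `@param` text should say so, e.g. `If provided, the token is checked with a getUser() request on each call and the level is read from that token's claims rather than from the stored session.` Callers that invoke this per request on a server need that to reason about latency and about which token the returned level describes.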