Add information to JWT about enabled MFA's, allowing to enforce aal2 only if 2FA is enabled on user's account

internal/api/token.go

@@ -309,6 +309,15 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 	issuedAt := time.Now().UTC()
 	expiresAt := issuedAt.Add(time.Second * time.Duration(config.JWT.Exp)).Unix()
 
+	atLeastOneVerifiedFactor := false
+	for i := 0; i < len(user.Factors); i++ {
+		factor := user.Factors[i]
+		if factor.IsVerified() {
+			atLeastOneVerifiedFactor = true
+			break
+		}
+	}
+
 	claims := &hooks.AccessTokenClaims{
 		StandardClaims: jwt.StandardClaims{
 			Subject:   user.ID.String(),
@@ -324,6 +333,7 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 		Role:                          user.Role,
 		SessionId:                     sid,
 		AuthenticatorAssuranceLevel:   aal.String(),
+		AtLeastOneVerifiedFactor:      atLeastOneVerifiedFactor,
 		AuthenticationMethodReference: amr,
 		IsAnonymous:                   user.IsAnonymous,
 	}

internal/hooks/auth_hooks.go

@@ -104,6 +104,7 @@ type AccessTokenClaims struct {
 	AppMetaData                   map[string]interface{} `json:"app_metadata"`
 	UserMetaData                  map[string]interface{} `json:"user_metadata"`
 	Role                          string                 `json:"role"`
+	AtLeastOneVerifiedFactor      bool                   `json:"has_factor,omitempty"`
 	AuthenticatorAssuranceLevel   string                 `json:"aal,omitempty"`
 	AuthenticationMethodReference []models.AMREntry      `json:"amr,omitempty"`
 	SessionId                     string                 `json:"session_id,omitempty"`