fix: validate MFA claim before allowing TOTP device removal

namsnath · namsnath · commit 070974e2aac4 · 2025-04-11T12:44:16.000+05:30
- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.
diff --git a/supertokens_python/recipe/totp/api/remove_device.py b/supertokens_python/recipe/totp/api/remove_device.py
@@ -35,7 +35,9 @@ async def handle_remove_device_api(
 
     session = await get_session(
         api_options.request,
-        override_global_claim_validators=lambda _, __, ___: [],
+        override_global_claim_validators=lambda global_claim_validators, __, ___: [
+            gcv for gcv in global_claim_validators if gcv.id == "st-mfa"
+        ],
         session_required=True,
         user_context=user_context,
     )
diff --git a/tests/test-server/test_functions_mapper.py b/tests/test-server/test_functions_mapper.py
@@ -142,6 +142,10 @@ async def get_mfa_requirements_for_auth(
                 required_secondary_factors_for_tenant: Any,
                 user_context: Dict[str, Any],
             ) -> MFARequirementList:
+                # Test specifies an override, return the required data
+                if 'getMFARequirementsForAuth:async()=>["totp"]' in eval_str:
+                    return ["totp"]
+
                 return ["otp-phone"] if user_context.get("requireFactor") else []
 
             original_implementation.get_mfa_requirements_for_auth = (
