fix: validate MFA claim before allowing TOTP device removal

CHANGELOG.md

@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.29.1] - 2025-04-11
+- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.
+
 ## [0.29.0] - 2025-03-03
 ### Breaking changes
 - Makes URL path normalization case sensitive

setup.py

@@ -82,7 +82,7 @@
 
 setup(
     name="supertokens_python",
-    version="0.29.0",
+    version="0.29.1",
     author="SuperTokens",
     license="Apache 2.0",
     author_email="[email protected]",

supertokens_python/constants.py

@@ -15,7 +15,7 @@
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = ["5.2"]
-VERSION = "0.29.0"
+VERSION = "0.29.1"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
 USER_DELETE = "/user/remove"

supertokens_python/recipe/totp/api/remove_device.py

@@ -35,7 +35,9 @@ async def handle_remove_device_api(
 
     session = await get_session(
         api_options.request,
-        override_global_claim_validators=lambda _, __, ___: [],
+        override_global_claim_validators=lambda global_claim_validators, __, ___: [
+            gcv for gcv in global_claim_validators if gcv.id == "st-mfa"
+        ],
         session_required=True,
         user_context=user_context,
     )

tests/test-server/test_functions_mapper.py

@@ -142,6 +142,10 @@ async def get_mfa_requirements_for_auth(
                 required_secondary_factors_for_tenant: Any,
                 user_context: Dict[str, Any],
             ) -> MFARequirementList:
+                # Test specifies an override, return the required data
+                if 'getMFARequirementsForAuth:async()=>["totp"]' in eval_str:
+                    return ["totp"]
+
                 return ["otp-phone"] if user_context.get("requireFactor") else []
 
             original_implementation.get_mfa_requirements_for_auth = (