Skip to content

Enable MFA for local users toggle#615

Open
jnfrati wants to merge 2 commits intomainfrom
feat/local-user-totp
Open

Enable MFA for local users toggle#615
jnfrati wants to merge 2 commits intomainfrom
feat/local-user-totp

Conversation

@jnfrati
Copy link
Copy Markdown

@jnfrati jnfrati commented Apr 16, 2026
edited by coderabbitai Bot
Loading

Matching PR for feature netbirdio/netbird#5804

Allows admins to enable/disable MFA for local users

image

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

netbirdio/docs#704

Summary by CodeRabbit

  • New Features
    • Added a Local Multi-Factor Authentication (MFA) toggle in Authentication settings to enable/disable MFA for an account.
    • Toggle is shown only when local auth is allowed and embedded identity provider is enabled, and it respects user update permissions.
    • Changes to the toggle are detected by the Save workflow and persisted with account settings.

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Apr 16, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 16, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0b00328f-a7c2-4556-8d50-f8ef257ef252

📥 Commits

Reviewing files that changed from the base of the PR and between 72c0d8f and 39bba92.

📒 Files selected for processing (1)
  • src/modules/settings/AuthenticationTab.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/modules/settings/AuthenticationTab.tsx
📝 Walkthrough

Walkthrough

Added an optional settings.local_mfa_enabled field to the Account interface and implemented a conditional local-MFA toggle in the Authentication settings tab with state management and persistence.

Changes

Cohort / File(s) Summary
Account Interface
src/interfaces/Account.ts		 Added optional local_mfa_enabled?: boolean to Account.settings.
Authentication Settings UI
src/modules/settings/AuthenticationTab.tsx		 Added isLocalMFAEnabled React state initialized from account.settings.local_mfa_enabled, included it in change detection, rendered a conditional “Enable Local MFA” FancyToggleSwitch when !account.settings.local_auth_disabled && account.settings.embedded_idp_enabled, and persisted local_mfa_enabled in the save payload.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • heisbrot
  • pascal-fischer

Poem

🐰 I toggled a switch, a tiny bright light,
I hopped through settings and turned on the night.
Local MFA hums, a secure little song,
Save and it lingers, safe all day long. 🥕🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Enable MFA for local users toggle' accurately and concisely describes the main change—adding a dashboard toggle for MFA control for local users.
Description check ✅ Passed The PR description follows the template with issue reference, documentation checkbox selected, and docs PR link provided.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/local-user-totp

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/modules/settings/AuthenticationTab.tsx (1)

148-157: ⚠️ Potential issue | 🟡 Minor

Include Local MFA state in post-save updateRef baseline.

isLocalMFAEnabled is tracked in hasChanges (Line 118) but not reset in updateRef after save, so the form can stay dirty after a successful save.

💡 Suggested fix 
           updateRef([
             peerApproval,
             userApprovalRequired,
             loginExpiration,
             expiresIn,
             expireInterval,
             peerInactivityExpirationEnabled,
             peerInactivityExpiresIn,
             peerInactivityExpireInterval,
+            isLocalMFAEnabled,
           ]);
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/modules/settings/AuthenticationTab.tsx` around lines 148 - 157, The
post-save baseline update (the call to updateRef in AuthenticationTab) omits the
isLocalMFAEnabled flag, so hasChanges remains true after saving; update the
array passed to updateRef (the one containing peerApproval,
userApprovalRequired, loginExpiration, expiresIn, expireInterval,
peerInactivityExpirationEnabled, peerInactivityExpiresIn,
peerInactivityExpireInterval) to also include isLocalMFAEnabled so that the
local MFA state is reset and the form is no longer dirty after a successful
save.
🧹 Nitpick comments (1)
src/modules/settings/AuthenticationTab.tsx (1)

70-70: Update stale implementation comment.

Line 70 says this is "UI only, not wired to the backend yet", but Line 143 already persists local_mfa_enabled in the save payload.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@src/modules/settings/AuthenticationTab.tsx` at line 70, The comment "// Local
MFA (UI only, not wired to the backend yet)" in AuthenticationTab is
stale—update it to reflect that local MFA is persisted (local_mfa_enabled is
included in the save payload). Find the AuthenticationTab component and replace
or reword that comment to indicate the local MFA setting is persisted to the
backend (referencing local_mfa_enabled and the save/update logic that sends the
payload), or remove the misleading comment entirely so it no longer claims the
feature is UI-only.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/modules/settings/AuthenticationTab.tsx`:
- Around line 228-252: The visibility condition is inverted: change the ternary
so the Local MFA FancyToggleSwitch is shown only when local auth is enabled and
embedded IDP is enabled; replace the current condition
(account.settings.local_auth_disabled || !account.settings.embedded_idp_enabled)
with (!account.settings.local_auth_disabled &&
account.settings.embedded_idp_enabled) so the FancyToggleSwitch
(isLocalMFAEnabled, setIsLocalMFAEnabled, permission.settings.update) matches
the gating pattern used in UsersTable.tsx.

---

Outside diff comments:
In `@src/modules/settings/AuthenticationTab.tsx`:
- Around line 148-157: The post-save baseline update (the call to updateRef in
AuthenticationTab) omits the isLocalMFAEnabled flag, so hasChanges remains true
after saving; update the array passed to updateRef (the one containing
peerApproval, userApprovalRequired, loginExpiration, expiresIn, expireInterval,
peerInactivityExpirationEnabled, peerInactivityExpiresIn,
peerInactivityExpireInterval) to also include isLocalMFAEnabled so that the
local MFA state is reset and the form is no longer dirty after a successful
save.

---

Nitpick comments:
In `@src/modules/settings/AuthenticationTab.tsx`:
- Line 70: The comment "// Local MFA (UI only, not wired to the backend yet)" in
AuthenticationTab is stale—update it to reflect that local MFA is persisted
(local_mfa_enabled is included in the save payload). Find the AuthenticationTab
component and replace or reword that comment to indicate the local MFA setting
is persisted to the backend (referencing local_mfa_enabled and the save/update
logic that sends the payload), or remove the misleading comment entirely so it
no longer claims the feature is UI-only.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 786492e7-d865-4283-8542-f62e3c72f085

📥 Commits

Reviewing files that changed from the base of the PR and between b53802a and 72c0d8f.

📒 Files selected for processing (2)
  • src/interfaces/Account.ts
  • src/modules/settings/AuthenticationTab.tsx

Comment thread src/modules/settings/AuthenticationTab.tsx Outdated
@jnfrati jnfrati mentioned this pull request Apr 16, 2026
Open
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jnfrati @CLAassistant