Skip to content

Commit d557df5

Browse files
fix(mfa): Make MfaRequiredError extend AccessTokenError and privatize encrypt_mfa_token
MfaRequiredError now extends AccessTokenError so existing except AccessTokenError handlers in get_access_token() callers continue to work. Callers needing MFA-specific handling can catch MfaRequiredError before AccessTokenError. Renamed encrypt_mfa_token to _encrypt_mfa_token since it is only called internally by ServerClient.get_access_token().
1 parent 67694bc commit d557df5

4 files changed

Lines changed: 8 additions & 10 deletions

File tree

src/auth0_server_python/auth_server/mfa_client.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -105,7 +105,7 @@ async def _resolve_base_url(
105105
# MFA TOKEN ENCRYPTION / DECRYPTION
106106
# ============================================================================
107107

108-
def encrypt_mfa_token(
108+
def _encrypt_mfa_token(
109109
self,
110110
raw_mfa_token: str,
111111
audience: str,

src/auth0_server_python/auth_server/server_client.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1020,7 +1020,7 @@ async def get_access_token(
10201020
mfa_requirements = getattr(e, "mfa_requirements", None)
10211021

10221022
if raw_mfa_token:
1023-
encrypted_token = self._mfa_client.encrypt_mfa_token(
1023+
encrypted_token = self._mfa_client._encrypt_mfa_token(
10241024
raw_mfa_token=raw_mfa_token,
10251025
audience=audience or self.DEFAULT_AUDIENCE_STATE_KEY,
10261026
scope=merged_scope or "",

src/auth0_server_python/error/__init__.py

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -275,7 +275,7 @@ def __init__(self, message: str, cause: Optional[dict] = None):
275275
super().__init__("mfa_verify_error", message, cause)
276276

277277

278-
class MfaRequiredError(Auth0Error):
278+
class MfaRequiredError(AccessTokenError):
279279
"""
280280
Error thrown when MFA step-up is required during token refresh.
281281
@@ -291,11 +291,9 @@ def __init__(
291291
mfa_requirements=None,
292292
cause: Optional[Exception] = None
293293
):
294-
super().__init__(message)
295-
self.code = "mfa_required"
294+
super().__init__("mfa_required", message, cause)
296295
self.mfa_token = mfa_token
297296
self.mfa_requirements = mfa_requirements
298-
self.cause = cause
299297

300298

301299
class MfaTokenExpiredError(Auth0Error):

src/auth0_server_python/tests/test_mfa_client.py

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -156,7 +156,7 @@ def test_encrypt_decrypt_roundtrip(self):
156156
enroll=[{"type": "otp"}],
157157
challenge=[{"type": "oob"}]
158158
)
159-
encrypted = client.encrypt_mfa_token(
159+
encrypted = client._encrypt_mfa_token(
160160
raw_mfa_token="raw_token_123",
161161
audience="https://api.example.com",
162162
scope="openid profile",
@@ -175,7 +175,7 @@ def test_decrypt_expired_token_raises(self, mocker):
175175
client = _make_client()
176176
mocker.patch("auth0_server_python.auth_server.mfa_client.time.time",
177177
return_value=1000)
178-
encrypted = client.encrypt_mfa_token(
178+
encrypted = client._encrypt_mfa_token(
179179
raw_mfa_token="raw",
180180
audience="aud",
181181
scope="scope"
@@ -194,7 +194,7 @@ def test_decrypt_invalid_token_raises(self):
194194

195195
def test_decrypt_tampered_token_raises(self):
196196
client = _make_client()
197-
encrypted = client.encrypt_mfa_token(
197+
encrypted = client._encrypt_mfa_token(
198198
raw_mfa_token="raw", audience="aud", scope="scope"
199199
)
200200
tampered = encrypted[:-5] + "XXXXX"
@@ -203,7 +203,7 @@ def test_decrypt_tampered_token_raises(self):
203203

204204
def test_encrypt_without_mfa_requirements(self):
205205
client = _make_client()
206-
encrypted = client.encrypt_mfa_token(
206+
encrypted = client._encrypt_mfa_token(
207207
raw_mfa_token="raw", audience="aud", scope="scope"
208208
)
209209
context = client.decrypt_mfa_token(encrypted)

0 commit comments

Comments
 (0)