feat: add claim to JWT to indicate if there are verified MFA factors for user

[tomekit]

Hi Supabase team,

This is to satisfy setup in which supabase/auth genereated JWT can be passed to external API which validates JWT validity on its own. With this change the external API can determine whether to enforce aal2 level or not, based on has_factor boolean which determines if user has at least one verified factor.

Commit description:

Add field which can be used to determine if 2FA is enabled.
That way the JWT consumer (e.g. if JWT is passed to some other API which verifies its authenticity) can only enforce 2FA AAL levels once 2FA is enabled. This allows to enforce 2FA only when at least one factor is used making 2FA roll-out optional.

Please let me know if you would be happy to merge that into your codebase.

[coveralls]

Pull Request Test Coverage Report for Build 11589790641

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 5 of 9 (55.56%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.02%) to 57.178%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/api/token.go	5	9	55.56%

Totals
Change from base Build 11555996021:	0.02%
Covered Lines:	9571
Relevant Lines:	16739

---

💛 - Coveralls

[J0]

Thanks for the contribution! There's a user.HasMFAEnabled() function I believe. Can consider using that . Otherwise no objections to this change - I think there might be some internal configuration we use to track claim additions, we will need to update that before merging this.

[hf]

@tomekit For now I think it's best not to extend the default JWT. We've been talking internally about a different direction for this but have not fully decided yet.

Basically have a next_aal claim that would say aal2 if the user can go through MFA.

In the mean time, it might be more useful to add this as an example in the Custom Access Token docs.

[hf]

Actually if you'd like to update your PR to include next_aal (only include it if there is a next AAL level) I think that'd work best for us.