Context

PR #60 works around a framework bug — SpringUserFramework#313 — where a second-factor login replaces the session authentication instead of merging factor authorities, so the MFA flow could never complete. The demo compensates with MfaSecurityConfig, which applies @EnableMultiFactorAuthentication(authorities = {}) to enable Spring Security 7's filter-level factor merging.

Once the framework ships the fix, this workaround becomes redundant boilerplate. Since this is a reference app, leaving it in would teach consumers they need wiring they no longer need.

Blocked on: devondragon/SpringUserFramework#313

Tasks (after upgrading to the framework release containing the fix)

- Upgrade ds-spring-user-framework in build.gradle (currently 4.3.1) to the release containing the #313 fix
- Remove src/main/java/com/digitalsanctuary/spring/demo/config/MfaSecurityConfig.java
- Run ./gradlew test (includes MfaChallengeFlowIntegrationTest)
- Run APP_PROFILES=local,playwright-test,mfa npx playwright test --project=chromium-mfa — this E2E exercises the exact factor-merging behavior (enroll passkey → password login → challenge page → verify → both factors satisfied), so green means the framework fix fully covers it

Conditional (only if the "related observation" in #313 is also fixed)

If the framework starts auto-adding the configured MFA entry-point URIs (passwordEntryPointUri / webauthnEntryPointUri) to the unprotected URIs list:

- Remove the /user/mfa/webauthn-challenge.html entries from user.security.unprotectedURIs in application.yml, application-mfa.yml, and application-test.properties
- Remove MfaConfigConsistencyTest, which currently enforces that manual sync (it would otherwise fail the build when the entries are removed)

If only the factor merging is fixed upstream, leave the unprotectedURIs entries and the consistency test as they are — the redirect-loop guard is still needed.