fix(api): preserve OTP enforcement during force_otp migration by markwylde · Pull Request #120 · puzed/darkauth

markwylde · 2026-03-10T18:27:51Z

The migration 0015_org_force_otp.sql added organizations.force_otp defaulting to false and removed the legacy otp_required role without migrating existing enforcement, which would silently disable OTP for orgs after upgrade.
This change restores the original MFA enforcement semantics so organizations that previously required OTP continue to do so after the migration.

Updated packages/api/drizzle/0015_org_force_otp.sql to backfill organizations.force_otp = true for any organization that had a member assigned the legacy otp_required role.
Left the existing cleanup steps that delete organization_member_roles, role_permissions, and the roles entry for otp_required unchanged.
The change is a minimal migration-only fix intended to preserve behavior without altering runtime OTP logic.

Ran npm run tidy which completed successfully (repo-wide Biome warnings/info remain but no errors).
Ran npm run build which completed successfully for the workspaces though the brochureware prebuild logged a missing system library for Puppeteer PDF generation but did not fail the overall build.
Attempted npm --workspace @DarkAuth/api test -- src/controllers/user/opaqueLoginFinish.test.ts, but tests could not be executed in this environment because Node v20 cannot run .ts test files directly and reported ERR_UNKNOWN_FILE_EXTENSION.

fix(api): preserve otp enforcement during force_otp migration

5805ba0

markwylde added codex aardvark labels Mar 10, 2026 — with ChatGPT Codex Connector

markwylde merged commit ec07423 into main Mar 10, 2026
17 checks passed

markwylde deleted the codex/fix-otp-enforcement-migration-issue branch March 10, 2026 18:35

Provide feedback