in src/server/routes/register.ts [494:534]
registrationPlatform: await getRegistrationPlatform(appClientId),
},
req.ip,
);
// Work out which authenticator-enrollment state Okta returned, so the caller
// knows whether the "email" authenticator still has to be selected manually.
//
// Case 1: the `enroll-authenticator` remediation is present AND the current
// authenticator is "email". This happens when, in the Okta settings, the
// "password" authenticator is "optional" and the "email" authenticator is
// "required". Because "email" is then the only "required" authenticator, Okta
// selects it automatically and sends the user a passcode, so the
// `select-authenticator-enroll` remediation does not have to be used to
// select "email" manually.
// NOTE(review): the third argument `false` presumably makes this a
// non-throwing presence check whose result is used as a boolean below;
// confirm against validateEnrollNewRemediation.
const hasEnrollAuthenticator = validateEnrollNewRemediation(
enrollNewWithEmailResponse,
'enroll-authenticator',
false,
);
// Optional chaining only covers a missing `currentAuthenticator`; `value` is
// read unguarded. TODO confirm the response type guarantees `value` whenever
// `currentAuthenticator` is set.
const currentAuthenticatorIsEmail =
enrollNewWithEmailResponse.currentAuthenticator?.value.type === 'email';
// Case 2: the `select-authenticator-enroll` remediation is present and case 1
// does not hold. This means that both the "password" and the "email"
// authenticators are set to "required" in the Okta settings, and the "email"
// authenticator has to be selected manually so the user verifies their account
// before they set a password.
const hasSelectAuthenticator = validateEnrollNewRemediation(
enrollNewWithEmailResponse,
'select-authenticator-enroll',
false,
);
// If we have the `select-authenticator-enroll` remediation, and Okta has not
// already auto-selected "email" (i.e. we do not have the `enroll-authenticator`
// remediation together with "email" as the current authenticator), we need to
// handle this by selecting the email authenticator ourselves
// to send the passcode to the user.
if (
hasSelectAuthenticator &&
!(hasEnrollAuthenticator && currentAuthenticatorIsEmail)
) {