fix: address PR review findings for MFA challenge UI

devondragon · devondragon · commit fce7a8a2e2f9 · 2026-03-02T11:43:25.000-07:00
- Check for 404 specifically in updateMfaStatusUI() instead of hiding
  on any non-OK response; log a warning for other error statuses
- Update JSDoc to document both 404 and non-OK handling behaviors
- Make MFA status test assertion deterministic (expect 404 when MFA
  is disabled in playwright-test profile, not [200, 404])
diff --git a/playwright/tests/mfa/mfa-challenge.spec.ts b/playwright/tests/mfa/mfa-challenge.spec.ts
@@ -57,15 +57,9 @@ test.describe('MFA', () => {
       // Call the MFA status endpoint
       const response = await page.request.get('/user/mfa/status');
 
-      // With MFA disabled in playwright-test profile, expect 404
-      // With MFA enabled, expect 200 with proper response shape
-      expect([200, 404]).toContain(response.status());
-
-      if (response.status() === 200) {
-        const body = await response.json();
-        expect(typeof body.mfaEnabled).toBe('boolean');
-        expect(typeof body.fullyAuthenticated).toBe('boolean');
-      }
+      // MFA is disabled in playwright-test profile, so endpoint returns 404.
+      // A separate MFA-enabled test profile would be needed to test the 200 case.
+      expect(response.status()).toBe(404);
     });
 
     test('should require authentication for MFA status endpoint', async ({ page }) => {
diff --git a/src/main/resources/static/js/user/webauthn-manage.js b/src/main/resources/static/js/user/webauthn-manage.js
@@ -262,7 +262,8 @@ async function handleRegisterPasskey() {
 
 /**
  * Update the MFA Status section in the auth-methods card.
- * Silently hides the container if the MFA status endpoint returns 404 (MFA disabled).
+ * Hides the container if the MFA status endpoint returns 404 (MFA disabled).
+ * Logs a warning for other non-OK responses.
  */
 async function updateMfaStatusUI() {
     const container = document.getElementById('mfaStatusContainer');
@@ -274,7 +275,13 @@ async function updateMfaStatusUI() {
             headers: { [csrfHeader]: csrfToken }
         });
 
+        if (response.status === 404) {
+            // MFA feature disabled — silently hide
+            container.classList.add('d-none');
+            return;
+        }
         if (!response.ok) {
+            console.warn('MFA status endpoint returned', response.status);
             container.classList.add('d-none');
             return;
         }
