fix: check for MFA claim in removeDevice (supertokens#581)

namsnath · web-flow · commit 08a3d29a8f4d · 2025-04-16T14:19:58.000+05:30
- Ensures that verified TOTP devices can only be removed after MFA requirements are completed
- Removes override for global claim validators
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
 
 ## [0.29.1] - 2025-04-11
-- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.
+- Fixes an issue where `removeDevice` API allowed removing verified TOTP devices without the user completing MFA.
 - Fixes issue with ThirdParty provider info on dashboard
 
 ## [0.29.0] - 2025-03-03
diff --git a/supertokens_python/recipe/totp/api/implementation.py b/supertokens_python/recipe/totp/api/implementation.py
@@ -17,9 +17,12 @@
 from supertokens_python.recipe.multifactorauth.asyncio import (
     assert_allowed_to_setup_factor_else_throw_invalid_claim_error,
 )
+from supertokens_python.recipe.multifactorauth.multi_factor_auth_claim import (
+    MultiFactorAuthClaim,
+)
 from supertokens_python.recipe.multifactorauth.recipe import MultiFactorAuthRecipe
 from supertokens_python.recipe.session import SessionContainer
-from supertokens_python.recipe.session.exceptions import UnauthorisedError
+from supertokens_python.recipe.session.exceptions import UnauthorisedError  # noqa: E402
 from supertokens_python.types import GeneralErrorResponse
 
 from ..interfaces import APIInterface, APIOptions
@@ -90,6 +93,23 @@ async def remove_device_post(
     ) -> Union[RemoveDeviceOkResult, GeneralErrorResponse]:
         user_id = session.get_user_id()
 
+        device_list = await options.recipe_implementation.list_devices(
+            user_id=user_id, user_context=user_context
+        )
+
+        # MFA should be completed when trying to remove a verified TOTP device
+        if any(
+            [
+                device.name == device_name and device.verified
+                for device in device_list.devices
+            ]
+        ):
+            await session.assert_claims(
+                [
+                    MultiFactorAuthClaim.validators.has_completed_mfa_requirements_for_auth()
+                ]
+            )
+
         return await options.recipe_implementation.remove_device(
             user_id=user_id,
             device_name=device_name,
diff --git a/supertokens_python/recipe/totp/api/remove_device.py b/supertokens_python/recipe/totp/api/remove_device.py
@@ -35,9 +35,7 @@ async def handle_remove_device_api(
 
     session = await get_session(
         api_options.request,
-        override_global_claim_validators=lambda global_claim_validators, __, ___: [
-            gcv for gcv in global_claim_validators if gcv.id == "st-mfa"
-        ],
+        override_global_claim_validators=lambda _, __, ___: [],
         session_required=True,
         user_context=user_context,
     )
