fix: update MFA step-up max age configuration

tacxou · tacxou · commit 2dd005f6f0a3 · 2026-05-07T11:24:33.000+02:00
- Increased the default maximum age for MFA step-up from 5 minutes to 15 minutes for improved user experience.
- Adjusted the MfaGuard to retrieve the updated configuration value, ensuring consistent enforcement of the new max age setting.
diff --git a/apps/api/src/_common/guards/mfa.guard.ts b/apps/api/src/_common/guards/mfa.guard.ts
@@ -20,7 +20,7 @@ export class MfaGuard implements CanActivate {
     const request = context.switchToHttp().getRequest<{ user?: { mfaVerified?: boolean; mfaVerifiedAt?: number | null } }>();
     if (!request?.user?.mfaVerified) throw new ForbiddenException('MFA required');
 
-    const maxAgeSeconds = this.config.get<number>('application.mfaStepUpMaxAgeSeconds', 5 * 60);
+    const maxAgeSeconds = this.config.get<number>('application.mfaStepUpMaxAgeSeconds');
     const maxAgeMs = Math.max(0, maxAgeSeconds) * 1000;
     if (maxAgeMs <= 0) return true;
 
diff --git a/apps/api/src/config.ts b/apps/api/src/config.ts
@@ -320,7 +320,7 @@ export default (): ConfigInstance => ({
       key: process.env['SESAME_HTTPS_PATH_KEY'] || '',
       cert: process.env['SESAME_HTTPS_PATH_CERT'] || '',
     },
-    mfaStepUpMaxAgeSeconds: parseInt(process.env['SESAME_MFA_STEPUP_MAX_AGE_SECONDS'] || `${5 * 60}`, 10),
+    mfaStepUpMaxAgeSeconds: parseInt(process.env['SESAME_MFA_STEPUP_MAX_AGE_SECONDS'] || `${15 * 60}`, 10),
   },
   helmet: {
     contentSecurityPolicy: {
