Multi-Factor Authentication and RBAC Dashboard Improvements

Highlights

Multi-Factor Authentication

Medusa now supports multi-factor authentication (MFA). The admin dashboard includes a complete MFA UI that allows users to set up and manage their authentication methods. MFA lifecycle events are now emitted for tracking authentication flows.

After updating, make sure to set the AUTH_MFA_ENCRYPTION_KEY environment variable to a random 64-character string:

AUTH_MFA_ENCRYPTION_KEY=your_random_64_character_string

Also, if you've added the Auth Module to your medusa-config.ts file to set any of its options, make sure to set the mfa.encryption_key option to the same environment variable:

import { Modules, ContainerRegistrationKeys } from "@medusajs/framework/utils"

// ...

module.exports = defineConfig({
  // ...
  modules: [
    {
      resolve: "@medusajs/medusa/auth",
      dependencies: [Modules.CACHE, ContainerRegistrationKeys.LOGGER],
      options: {
        mfa: {
          encryption_key: process.env.AUTH_MFA_ENCRYPTION_KEY,
        },
        // other options...
      },
    },
  ],
})

If you don't set the mfa.encryption_key option, you'll get a "MFA encryption key is required to use MFA methods" error whenever trying to enroll or verify an MFA factor.

#15496
#15493
#15495

Features

• feat: add admin MFA UI by @christiananese in #15493
• Emit MFA lifecycle events by @christiananese in #15495
• Emailpass email verification primitives by @christiananese in #15496
• feat(dashboard,framework,rbac,js-sdk,types,utils,medusa): rbac admin dashboard utils by @fPolic in #14593

Bugs

• fix(core-flows): avoid refunding captures made in separate completeCartWorkflow executions by @NicolasGorga in #15527
• fix(utils): add mfa to inline snapshot test assertion by @NicolasGorga in #15518
• fix(core-flows): respect allow_backorder when calculating pickup inventory availability by @marlinjai in #15440
• Allow cancelling pending MFA setup by @christiananese in #15475
• fix(dashboard): order list status badges show correct colors when view_configurations is enabled by @shiminshen in #15430
• fix(core-flows): use hasPermission util to perform checks in validateUserRolePermissionsStep by @NicolasGorga in #15470
• fix(core-flows,medusa): align validate user permissions check with hasPermission util by @NicolasGorga in #15465

Documentation

• docs: update cloudflare config by @shahednasser in #15499
• docs: migrate main docs to cloudflare by @shahednasser in #15498
• docs: add TSDocs for "rbac admin dashboard utils (#14593)" by @shahednasser in #15476
• doc: migrate to cloudflare + medusa cloud by @shahednasser in #15446
• docs: fix with ai in cloud by @shahednasser in #15474

Chores

• chore: add tests for stock location metadata in response by @jasonmerx in #15448
• chore: fix indexing job for algolia by @shahednasser in #15504
• chore: fix release pipeline by @shahednasser in #15500
• chore: fix sync action checkout step by @shahednasser in #15481
• chore: add commit hash option to sync actions by @shahednasser in #15480
• chore: fix sync actions by @shahednasser in #15479
• chore(docs): automated cloud documentation update by @shahednasser in #15473
• chore(docs): fix common issues in the docs-generator by @shahednasser in #15464
• chore(docs): Updated API Reference (automated) by @github-actions in #15461
• chore(docs): Generated References (automated) by @github-actions in #15462
• chore(docs): Generated DML JSON files (automated) by @github-actions in #15458
• chore(docs): Updated UI Reference (automated) by @github-actions in #15460
• chore(docs): Update version in documentation (automated) by @github-actions in #15459
• chore(docs): doc changes for next release (automated) by @shahednasser in #15380
• chore: fix trigger release job conflict by @shahednasser in #15457
• Chore: Release by @github-actions in #15477
• Chore: Release by @github-actions in #15467

Full Changelog: v2.15.3...v2.15.5