make CountActiveMultiFactorCredentials retro-compatible with v0 code …

…credentials

selfservice/strategy/code/strategy.go

@@ -149,8 +149,17 @@ func (s *Strategy) CountActiveMultiFactorCredentials(ctx context.Context, cc map
 		return 0, nil
 	}
 
-	// If config is empty, return 0
-	if len(creds.Config) == 0 {
+	// Check if the credentials config is valid JSON
+	if !gjson.Valid(string(creds.Config)) {
+		return 0, nil
+	}
+
+	// Check for v0 format with address_type field
+	if gjson.GetBytes(creds.Config, "address_type").Exists() {
+		addressType := gjson.GetBytes(creds.Config, "address_type").String()
+		if addressType != "" {
+			return 1, nil
+		}
 		return 0, nil
 	}
 

selfservice/strategy/code/strategy_test.go

@@ -183,6 +183,15 @@ func TestCountActiveCredentials(t *testing.T) {
 				enabled:    true,
 				expected:   0,
 			},
+			{
+				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
+					Type:   strategy.ID(),
+					Config: []byte(`{"address_type":"email","used_at":{"Time":"0001-01-01T00:00:00Z","Valid":false}}`),
+				}},
+				mfaEnabled: true,
+				enabled:    true,
+				expected:   1,
+			},
 			{
 				in: map[identity.CredentialsType]identity.Credentials{strategy.ID(): {
 					Type:   strategy.ID(),

session/manager_http_test.go

@@ -690,7 +690,7 @@ func TestDoesSessionSatisfy(t *testing.T) {
 		{
 			desc:    "with highest_available a recovery link user requires aal2 if they have 2fa code configured",
 			matcher: config.HighestAvailableAAL,
-			creds:   []identity.Credentials{},
+			creds:   []identity.Credentials{code},
 			withAMR: session.AuthenticationMethods{amrs[identity.CredentialsTypeRecoveryLink]},
 			withContext: func(t *testing.T, ctx context.Context) context.Context {
 				return confighelpers.WithConfigValues(ctx, map[string]any{