MFA Failing with Action but not Rule

Hello,

I want to add MFA to my application via Actions. Here is my existing code:

exports.onExecutePostLogin = async (event, api) => {

  /* add code to check user_metadata for mfa_enabled. if not there, then 
  look at organizations. when that happens, update user_metadata at the end
  */

  // initialize ManagementClient to access Auth0 Management API
  const { DOMAIN, CLIENT_ID, CLIENT_SECRET } = event.secrets;
  const ManagementClient = require('auth0').ManagementClient;
  const management = new ManagementClient({
      domain: DOMAIN,
      clientId: CLIENT_ID,
      clientSecret: CLIENT_SECRET,
  });

  const orgs = await management.users.getUserOrganizations({ id: event.user.user_id }).catch((err) => {
    console.log(err);
  })
  

  for (const org of orgs) {
    if (org.metadata && org.metadata.mfa_enabled === 'true') {
      api.multifactor.enable("any");
      break;
    }
  }
 
};

The MFA prompt is triggered, but the user is not logged in when being redirected back to the application page.
A log event of type “Failed Silent Auth” with description “Multifactor authentication required” always appears.

Update:

Interestingly, we are able to get MFA working with Rules with the following code:

function requireMfaEnrollment(user, context, callback) {
  
  
  // in case of samlp , auth0 is  just a service provider (not identity). So skip
  if(context.protocol === 'samlp') {
     console.log('SKIP MFA');
      context.multifactor = {
        provider: 'none'
      }; 
    callback(null, user, context);
    return ;
  }
			
  console.log(user);
  
  if(user.user_metadata && user.user_metadata.mfa_enabled &&  user.user_metadata.mfa_enabled === 'true' || (context.organization && context.organization.metadata.mfa_enabled && context.organization.metadata.mfa_enabled === 'true')) {
      console.log("mfa enabled for user");
      const completedMfa = !!context.authentication.methods.find(
      (method) => method.name === 'mfa'
    );
   
    if (completedMfa) {
      console.log("user completed mfa");
      return callback(null, user, context);
    }
   
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
    callback(null, user, context);

  }

  callback(null, user, context);
}

However, we would still like to implement with Actions instead of Rules.

Even a simple action that triggers MFA and does nothing else (as shown below) fails:

exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable("any");
  return;
}

I would appreciate help with this. Thank you in advance!

The key difference lies in the line above. In the Action, we were not checking this value, while in the Rule, we were.