I'm evaluating FusionAuth and we need to use an MFA method that is currently not implemented. From your documentation, I know I could use the MFA step up API to implement any custom MFA method, and I like how flexible this would be, but I'm not sure how our application is supposed to check if a user went through a successful step up.
After a user login I call /api/two-factor/start with a code I generated and then after validating my custom MFA method, I send twoFactorId in a call to /api/two-factor/login. Both calls return 200 with data about the user and tokens. But I don't see any field in the user or claim in the JWT indicating this user went through a successful step up.
Am I misunderstanding how this should work? What should my application do to only authorize "stepped up" users to use an endpoint?
I'm using Community Edition v 1.30.2.