From 151d847cd57c6e35b7e1ed6d494fa18898ccad8c Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Fri, 31 Oct 2025 15:54:15 +0000
Subject: [PATCH] Fix OAuth/Magic Link MFA enforcement
---
 src/pages/AuthCallback.tsx | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/pages/AuthCallback.tsx b/src/pages/AuthCallback.tsx
index 9e82d090..ec8b3dce 100644
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -114,14 +114,19 @@ export default function AuthCallback() {
 const result = await handlePostAuthFlow(session, authMethod);
 if (result.success && result.data?.shouldRedirect) {
- // Get factor ID and show modal instead of redirecting
+ // CRITICAL SECURITY FIX: Get factor BEFORE destroying session
 const { data: factors } = await supabase.auth.mfa.listFactors();
 const totpFactor = factors?.totp?.find(f => f.status === 'verified');
 if (totpFactor) {
+ // IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow)
+ console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge');
+ await supabase.auth.signOut();
+
+ // At this point, user has NO authenticated session
 setMfaFactorId(totpFactor.id);
 setStatus('mfa_required');
- return;
+ return; // User has NO session - MFA modal will show
 }
 }
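Review bot: The `await supabase.auth.signOut();` added inside `if (totpFactor)` removes the session that the TOTP step-up appears to need — in Supabase, `supabase.auth.mfa.challenge()` / `mfa.verify()` run against the existing AAL1 session to raise it to AAL2, so the modal opened by `setStatus('mfa_required')` seems to have nothing left to elevate unless it restarts the OAuth/magic-link flow, and if that is the design it should be stated in the comment, because "same as password flow" does not carry over to flows with no credential to re-enter. A client-side sign-out is also not enforcement by itself: a client that skips this call keeps a usable AAL1 session, so the backend (RLS policies or API checks on the token's `aal` claim) must require `aal2` for whatever this is meant to protect; I would replace the "CRITICAL SECURITY FIX" comment with `// Drop the AAL1 session before the TOTP challenge; server-side policies must still require aal2`. The added `console.log` should go through the app's logger or be removed before shipping. The enclosing `AuthCallback` function starts and ends outside the hunk.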