pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-23 13:31:14 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix OAuth/Magic Link MFA enforcement

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-31 15:54:15 +00:00
parent 6ff832b3de
commit 151d847cd5
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/pages/AuthCallback.tsx
View File

@@ -114,14 +114,19 @@ export default function AuthCallback() {
const result = await handlePostAuthFlow(session, authMethod); const result = await handlePostAuthFlow(session, authMethod);
if (result.success && result.data?.shouldRedirect) { if (result.success && result.data?.shouldRedirect) {
// Get factor ID and show modal instead of redirecting // CRITICAL SECURITY FIX: Get factor BEFORE destroying session
const { data: factors } = await supabase.auth.mfa.listFactors(); const { data: factors } = await supabase.auth.mfa.listFactors();
const totpFactor = factors?.totp?.find(f => f.status === 'verified'); const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) { if (totpFactor) {
// IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow)
console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge');
await supabase.auth.signOut();
// At this point, user has NO authenticated session
setMfaFactorId(totpFactor.id); setMfaFactorId(totpFactor.id);
setStatus('mfa_required'); setStatus('mfa_required');
return; return; // User has NO session - MFA modal will show
} }
} }