feat: Improve MFA check reliability

2025-12-22 00:11:13 -05:00 · 2025-10-17 19:06:35 +00:00
parent 47c1a39442
commit 152a90ae9d
3 changed files with 51 additions and 2 deletions
--- a/src/hooks/moderation/useModerationQueueManager.ts
+++ b/src/hooks/moderation/useModerationQueueManager.ts
@@ -93,6 +93,17 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
  const queryClient = useQueryClient();
  const { aal } = useAuth();

+  // Debug AAL status
+  useEffect(() => {
+    logger.log('🔐 [QUEUE MANAGER] AAL Status:', { 
+      aal, 
+      isNull: aal === null,
+      isAal1: aal === 'aal1',
+      isAal2: aal === 'aal2',
+      timestamp: new Date().toISOString()
+    });
+  }, [aal]);
+
  // Initialize sub-hooks
  const filters = useModerationFilters({
    initialEntityFilter: "all",
@@ -273,7 +284,30 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
      setActionLoading(item.id);

      // Check MFA (AAL2) requirement before moderation action
+      if (aal === null) {
+        logger.log('⏳ [QUEUE MANAGER] AAL is null, waiting for authentication status...');
+        toast({
+          title: "Loading Authentication Status",
+          description: "Please wait while we verify your authentication level...",
+        });
+        setActionLoading(null);
+        
+        // Retry after 1 second
+        setTimeout(() => {
+          logger.log('🔄 [QUEUE MANAGER] Retrying action after AAL load');
+          performAction(item, action, moderatorNotes);
+        }, 1000);
+        
+        return;
+      }
+
      if (aal !== 'aal2') {
+        logger.warn('🚫 [QUEUE MANAGER] MFA check failed', { 
+          aal, 
+          expected: 'aal2',
+          userId: user?.id 
+        });
+        
        toast({
          title: "MFA Verification Required",
          description: "You must complete multi-factor authentication to perform moderation actions.",
@@ -283,6 +317,8 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
        return;
      }

+      logger.log('✅ [QUEUE MANAGER] MFA check passed', { aal });
+
      // Calculate stat delta for optimistic update
      const statDelta: Partial<ModerationStats> = {};
      
--- a/src/hooks/useAuth.tsx
+++ b/src/hooks/useAuth.tsx
@@ -110,6 +110,7 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
          const currentAal = await getSessionAal(session);
          setAal(currentAal);
          authLog('[Auth] Current AAL:', currentAal);
+          console.log('🔐 [Auth] AAL SET:', currentAal); // Explicit console log for debugging
        } else {
          setAal(null);
        }
--- a/src/lib/authService.ts
+++ b/src/lib/authService.ts
@@ -19,17 +19,29 @@ import { setStepUpRequired, setAuthMethod, clearAllAuthFlags } from './sessionFl
 * Always returns ground truth from server, not cached session data
 */
 export async function getSessionAal(session: Session | null): Promise<AALLevel> {
-  if (!session) return 'aal1';
+  if (!session) {
+    console.log('🔍 [AuthService] No session, returning aal1');
+    return 'aal1';
+  }
  
  try {
    const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
    
+    console.log('🔍 [AuthService] getSessionAal result:', { 
+      hasData: !!data, 
+      currentLevel: data?.currentLevel,
+      nextLevel: data?.nextLevel,
+      error: error?.message 
+    });
+    
    if (error) {
      console.error('[AuthService] Error getting AAL:', error);
      return 'aal1';
    }
    
-    return (data.currentLevel as AALLevel) || 'aal1';
+    const level = (data.currentLevel as AALLevel) || 'aal1';
+    console.log('🔐 [AuthService] Returning AAL:', level);
+    return level;
  } catch (error) {
    console.error('[AuthService] Exception getting AAL:', error);
    return 'aal1';