Refactor: Implement full authentication overhaul

2025-12-24 23:51:13 -05:00 · 2025-10-14 14:01:17 +00:00
parent ccfa83faee
commit 23f7cbb9de
8 changed files with 525 additions and 122 deletions
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -4,6 +4,8 @@ import { supabase } from '@/integrations/supabase/client';
 import { useToast } from '@/hooks/use-toast';
 import { Loader2 } from 'lucide-react';
 import { Header } from '@/components/layout/Header';
+import { handlePostAuthFlow } from '@/lib/authService';
+import type { AuthMethod } from '@/types/auth';

 export default function AuthCallback() {
  const navigate = useNavigate();
@@ -71,31 +73,22 @@ export default function AuthCallback() {
          }
        }

-        // Check if MFA step-up is required for OAuth users
+        // Determine authentication method
+        let authMethod: AuthMethod = 'magiclink';
        if (isOAuthUser) {
-          console.log('[AuthCallback] Checking MFA requirements for OAuth user...');
-          
-          try {
-            const { data: factors } = await supabase.auth.mfa.listFactors();
-            const hasMfaEnrolled = factors?.totp?.some(f => f.status === 'verified');
-            
-            const { data: { currentLevel } } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
-            
-            console.log('[AuthCallback] MFA status:', {
-              hasMfaEnrolled,
-              currentLevel,
-            });
+          authMethod = 'oauth';
+        }
+        
+        console.log('[AuthCallback] Auth method:', authMethod);

-            if (hasMfaEnrolled && currentLevel === 'aal1') {
-              console.log('[AuthCallback] MFA step-up required, redirecting...');
-              sessionStorage.setItem('mfa_step_up_required', 'true');
-              navigate('/auth/mfa-step-up');
-              return;
-            }
-          } catch (error) {
-            console.error('[AuthCallback] Failed to check MFA status:', error);
-            // Continue anyway - don't block sign-in
-          }
+        // Unified post-authentication flow for ALL methods (OAuth, magic link, etc.)
+        console.log('[AuthCallback] Running post-auth flow...');
+        const result = await handlePostAuthFlow(session, authMethod);
+        
+        if (result.success && result.data?.shouldRedirect) {
+          console.log('[AuthCallback] Redirecting to:', result.data.redirectTo);
+          navigate(result.data.redirectTo);
+          return;
        }

        setStatus('success');
--- a/src/pages/MFAStepUp.tsx
+++ b/src/pages/MFAStepUp.tsx
@@ -5,6 +5,8 @@ import { useToast } from '@/hooks/use-toast';
 import { Header } from '@/components/layout/Header';
 import { MFAChallenge } from '@/components/auth/MFAChallenge';
 import { Shield } from 'lucide-react';
+import { getStepUpRequired, getIntendedPath, clearStepUpFlags } from '@/lib/sessionFlags';
+import { getEnrolledFactors } from '@/lib/authService';

 export default function MFAStepUp() {
  const navigate = useNavigate();
@@ -14,30 +16,28 @@ export default function MFAStepUp() {
  useEffect(() => {
    const checkStepUpRequired = async () => {
      // Check if this page was accessed via proper flow
-      const needsStepUp = sessionStorage.getItem('mfa_step_up_required');
-      if (!needsStepUp) {
+      if (!getStepUpRequired()) {
        console.log('[MFAStepUp] No step-up flag found, redirecting to auth');
        navigate('/auth');
        return;
      }

-      // Get the verified TOTP factor
-      const { data: factors } = await supabase.auth.mfa.listFactors();
-      const totpFactor = factors?.totp?.find(f => f.status === 'verified');
+      // Get enrolled MFA factors
+      const factors = await getEnrolledFactors();
      
-      if (!totpFactor) {
+      if (factors.length === 0) {
        console.log('[MFAStepUp] No verified TOTP factor found');
        toast({
          variant: 'destructive',
          title: 'MFA not enrolled',
          description: 'Please enroll in two-factor authentication first.',
        });
-        sessionStorage.removeItem('mfa_step_up_required');
+        clearStepUpFlags();
        navigate('/settings?tab=security');
        return;
      }

-      setFactorId(totpFactor.id);
+      setFactorId(factors[0].id);
    };

    checkStepUpRequired();
@@ -46,33 +46,26 @@ export default function MFAStepUp() {
  const handleSuccess = async () => {
    console.log('[MFAStepUp] MFA verification successful');
    
-    // Clear the step-up flag
-    sessionStorage.removeItem('mfa_step_up_required');
-    
    toast({
      title: 'Verification successful',
      description: 'You now have full access to all features.',
    });

    // Redirect to home or intended destination
-    const intendedPath = sessionStorage.getItem('mfa_intended_path') || '/';
-    sessionStorage.removeItem('mfa_intended_path');
+    const intendedPath = getIntendedPath();
+    clearStepUpFlags();
    navigate(intendedPath);
  };

  const handleCancel = async () => {
    console.log('[MFAStepUp] MFA verification cancelled');
    
-    // Clear flags
-    sessionStorage.removeItem('mfa_step_up_required');
-    sessionStorage.removeItem('mfa_intended_path');
-    
-    // Sign out for security
-    await supabase.auth.signOut();
+    // Clear flags and redirect to sign-in (less harsh than forcing sign-out)
+    clearStepUpFlags();
    
    toast({
      title: 'Verification cancelled',
-      description: 'You have been signed out.',
+      description: 'Please sign in again to continue.',
    });
    
    navigate('/auth');