Fix MFA bypass vulnerability

gpt-engineer-app[bot]
2025-10-31 14:52:15 +00:00
parent dade374c2a
commit 4bbb2de0b5


@@ -149,33 +149,48 @@ export default function Auth() {
const postAuthResult = await handlePostAuthFlow(data.session, 'password'); const postAuthResult = await handlePostAuthFlow(data.session, 'password');
if (postAuthResult.success && postAuthResult.data.shouldRedirect) { if (postAuthResult.success && postAuthResult.data.shouldRedirect) {
// Get the TOTP factor ID // MFA IS REQUIRED - we must show the challenge or sign out
const { data: factors } = await supabase.auth.mfa.listFactors(); const { data: factors } = await supabase.auth.mfa.listFactors();
const totpFactor = factors?.totp?.find(f => f.status === 'verified'); const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) { if (totpFactor) {
// Show MFA challenge
setMfaFactorId(totpFactor.id); setMfaFactorId(totpFactor.id);
setLoading(false); setLoading(false);
return; // Stay on page, show MFA modal return; // Stay on page, show MFA modal
} else {
// MFA is required but no factor found - FORCE SIGN OUT for security
console.error('[Auth] SECURITY: MFA required but no verified factor found');
await supabase.auth.signOut();
toast({
variant: "destructive",
title: "Authentication Error",
description: "Multi-factor authentication is required but not properly configured. Please contact support."
});
setLoading(false);
return;
} }
} }
// Verify session was stored // ONLY show success toast if MFA was NOT required
setTimeout(async () => { if (postAuthResult.success && !postAuthResult.data.shouldRedirect) {
const { data: { session } } = await supabase.auth.getSession(); // Verify session was stored
if (!session) { setTimeout(async () => {
toast({ const { data: { session } } = await supabase.auth.getSession();
variant: "destructive", if (!session) {
title: "Session Error", toast({
description: "Login succeeded but session was not stored. Please check your browser settings and enable cookies/storage." variant: "destructive",
}); title: "Session Error",
} else { description: "Login succeeded but session was not stored. Please check your browser settings and enable cookies/storage."
toast({ });
title: "Welcome back!", } else {
description: "You've been signed in successfully." toast({
}); title: "Welcome back!",
} description: "You've been signed in successfully."
}, 500); });
}
}, 500);
}
} catch (error) { } catch (error) {
// Reset CAPTCHA widget to force fresh token generation // Reset CAPTCHA widget to force fresh token generation