Fix MFA bypass vulnerability

src/pages/Auth.tsx

@@ -149,17 +149,31 @@ export default function Auth() {
       const postAuthResult = await handlePostAuthFlow(data.session, 'password');
 
       if (postAuthResult.success && postAuthResult.data.shouldRedirect) {
-        // Get the TOTP factor ID
+        // MFA IS REQUIRED - we must show the challenge or sign out
         const { data: factors } = await supabase.auth.mfa.listFactors();
         const totpFactor = factors?.totp?.find(f => f.status === 'verified');
         
         if (totpFactor) {
+          // Show MFA challenge
           setMfaFactorId(totpFactor.id);
           setLoading(false);
           return; // Stay on page, show MFA modal
+        } else {
+          // MFA is required but no factor found - FORCE SIGN OUT for security
+          console.error('[Auth] SECURITY: MFA required but no verified factor found');
+          await supabase.auth.signOut();
+          toast({
+            variant: "destructive",
+            title: "Authentication Error",
+            description: "Multi-factor authentication is required but not properly configured. Please contact support."
+          });
+          setLoading(false);
+          return;
         }
       }
       
+      // ONLY show success toast if MFA was NOT required
+      if (postAuthResult.success && !postAuthResult.data.shouldRedirect) {
         // Verify session was stored
         setTimeout(async () => {
           const { data: { session } } = await supabase.auth.getSession();
@@ -176,6 +190,7 @@ export default function Auth() {
             });
           }
         }, 500);
+      }
       
     } catch (error) {
       // Reset CAPTCHA widget to force fresh token generation