Fix MFA bypass vulnerability

src/hooks/useRequireMFA.ts

@@ -43,6 +43,7 @@ export function useRequireMFA() {
     isEnrolled,
     needsEnrollment: requiresMFA && !isEnrolled,
     needsVerification,
+    isBlocked: requiresMFA && (!isEnrolled || (isEnrolled && aal === 'aal1')), // Convenience flag
     aal,
     loading: loading || roleLoading,
   };

src/pages/AdminDashboard.tsx

@@ -24,7 +24,7 @@ export default function AdminDashboard() {
   useDocumentTitle('Dashboard - Admin');
   const { user, loading: authLoading } = useAuth();
   const { isModerator, loading: roleLoading } = useUserRole();
-  const { needsEnrollment, loading: mfaLoading } = useRequireMFA();
+  const { needsEnrollment, needsVerification, loading: mfaLoading } = useRequireMFA();
   const navigate = useNavigate();
   const [isRefreshing, setIsRefreshing] = useState(false);
   const [activeTab, setActiveTab] = useState('moderation');
@@ -138,8 +138,8 @@ export default function AdminDashboard() {
     return null;
   }
   
-  // MFA enforcement
+  // MFA enforcement - CRITICAL: Block if EITHER not enrolled OR needs verification
-  if (needsEnrollment) {
+  if (needsEnrollment || needsVerification) {
     return (
       <AdminLayout>
         <MFARequiredAlert />