From 5292045e7aef18025106723b2ad2185ad07bac5b Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Fri, 17 Oct 2025 19:25:51 +0000
Subject: [PATCH] Refactor: Implement AAL2 enforcement fix

---
 src/hooks/useAdminGuard.ts | 5 +++--
 src/hooks/useRequireMFA.ts | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/hooks/useAdminGuard.ts b/src/hooks/useAdminGuard.ts
index eed95641..ed304dc0 100644
--- a/src/hooks/useAdminGuard.ts
+++ b/src/hooks/useAdminGuard.ts
@@ -44,7 +44,7 @@ export interface AdminGuardState {
 export function useAdminGuard(requireMFA: boolean = true): AdminGuardState {
   const { user, loading: authLoading } = useAuth();
   const { isModerator, loading: roleLoading } = useUserRole();
-  const { needsEnrollment, loading: mfaLoading } = useRequireMFA();
+  const { needsEnrollment, needsVerification, loading: mfaLoading } = useRequireMFA();
   const navigate = useNavigate();
 
   // Auto-redirect based on auth state
@@ -60,7 +60,8 @@ export function useAdminGuard(requireMFA: boolean = true): AdminGuardState {
   const isLoading = authLoading || roleLoading || mfaLoading;
   const isAuthorized = !!user && isModerator();
 
-  const needsMFA = requireMFA && needsEnrollment;
+  // Block access if EITHER not enrolled OR session is at AAL1 (needs verification)
+  const needsMFA = requireMFA && (needsEnrollment || needsVerification);
 
   return {
     isLoading,
diff --git a/src/hooks/useRequireMFA.ts b/src/hooks/useRequireMFA.ts
index 07886d75..7ae841a2 100644
--- a/src/hooks/useRequireMFA.ts
+++ b/src/hooks/useRequireMFA.ts
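Review bot: The second hunk widens `needsMFA` to cover the enrolled-but-AAL1 case, but the auto-redirect effect that follows the first hunk's last context line (outside this diff) is not touched by the commit; if it still keys on `needsEnrollment` alone, an enrolled user at AAL1 will get `needsMFA === true` with no redirect to a verification step, which is worth confirming. The meaning of the returned flag has changed, so the `needsMFA` member of `AdminGuardState` (declared above the first hunk) should say so, e.g. `/** True when MFA enrollment or a step-up to AAL2 is still required before admin access */`. Because this hook only gates rendering, it is presumably paired with a server-side AAL2 check on the admin data paths — that check, not this flag, is what actually enforces AAL2, and nothing in this diff shows it. The body of useAdminGuard starts and ends outside the two hunks.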
@@ -34,11 +34,15 @@ export function useRequireMFA() {
   // User has MFA if they have AAL2 AND have enrolled factors
   const hasMFA = aal === 'aal2' && isEnrolled;
 
+  // User needs to verify MFA if they're enrolled but session is still at AAL1
+  const needsVerification = requiresMFA && isEnrolled && aal === 'aal1';
+
   return {
     requiresMFA,
     hasMFA,
     isEnrolled,
     needsEnrollment: requiresMFA && !isEnrolled,
+    needsVerification,
     aal,
     loading: loading || roleLoading,
   };
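Review bot: `needsVerification` is only true when `aal === 'aal1'`, so an enrolled user whose `aal` is any other non-'aal2' value (for example null or undefined if the assurance-level lookup failed or has not resolved, assuming the type allows that — not visible here) yields `needsEnrollment === false` and `needsVerification === false`, and the guard built on these in useAdminGuard fails open. Deriving it from the existing `hasMFA` makes the hook fail closed and keeps the two flags consistent: `const needsVerification = requiresMFA && isEnrolled && !hasMFA;`. The comment on the new line would then read `// Enrolled but the session has not reached AAL2 yet — a step-up verification is required`. The computation of `aal`, `isEnrolled` and `requiresMFA` sits above the hunk, so whether `loading` already covers the unresolved case cannot be confirmed from this diff.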