Refactor: Implement AAL2 enforcement fix

src/hooks/useAdminGuard.ts

@@ -44,7 +44,7 @@ export interface AdminGuardState {
 export function useAdminGuard(requireMFA: boolean = true): AdminGuardState {
   const { user, loading: authLoading } = useAuth();
   const { isModerator, loading: roleLoading } = useUserRole();
-  const { needsEnrollment, loading: mfaLoading } = useRequireMFA();
+  const { needsEnrollment, needsVerification, loading: mfaLoading } = useRequireMFA();
   const navigate = useNavigate();
 
   // Auto-redirect based on auth state
@@ -60,7 +60,8 @@ export function useAdminGuard(requireMFA: boolean = true): AdminGuardState {
 
   const isLoading = authLoading || roleLoading || mfaLoading;
   const isAuthorized = !!user && isModerator();
-  const needsMFA = requireMFA && needsEnrollment;
+  // Block access if EITHER not enrolled OR session is at AAL1 (needs verification)
+  const needsMFA = requireMFA && (needsEnrollment || needsVerification);
 
   return {
     isLoading,

src/hooks/useRequireMFA.ts

@@ -34,11 +34,15 @@ export function useRequireMFA() {
   // User has MFA if they have AAL2 AND have enrolled factors
   const hasMFA = aal === 'aal2' && isEnrolled;
   
+  // User needs to verify MFA if they're enrolled but session is still at AAL1
+  const needsVerification = requiresMFA && isEnrolled && aal === 'aal1';
+  
   return {
     requiresMFA,
     hasMFA,
     isEnrolled,
     needsEnrollment: requiresMFA && !isEnrolled,
+    needsVerification,
     aal,
     loading: loading || roleLoading,
   };