pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-25 09:51:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

Implement MFA Enforcement

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-14 13:45:59 +00:00
parent 121f7c533a
commit 7aa219efe5
10 changed files with 216 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/hooks/useAuth.tsx
View File

@@ -8,6 +8,7 @@ import { authLog, authWarn, authError } from '@/lib/authLogger';
interface AuthContextType {
user: User | null;
session: Session | null;
aal: 'aal1' | 'aal2' | null;
loading: boolean;
pendingEmail: string | null;
sessionError: string | null;
@@ -21,6 +22,7 @@ const AuthContext = createContext<AuthContextType | undefined>(undefined);
function AuthProviderComponent({ children }: { children: React.ReactNode }) {
const [user, setUser] = useState<User | null>(null);
const [session, setSession] = useState<Session | null>(null);
const [aal, setAal] = useState<'aal1' | 'aal2' | null>(null);
const [loading, setLoading] = useState(true);
const [pendingEmail, setPendingEmail] = useState<string | null>(null);
const [sessionError, setSessionError] = useState<string | null>(null);
@@ -84,17 +86,22 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
authLog('[Auth] SIGNED_IN - user authenticated');
setSession(session);
setUser(session.user);
const userAal = (session.user as any).aal as 'aal1' | 'aal2' | undefined;
setAal(userAal || 'aal1');
setLoading(false);
} else if (event === 'INITIAL_SESSION') {
if (session?.user) {
authLog('[Auth] INITIAL_SESSION - user exists');
setSession(session);
setUser(session.user);
const userAal = (session.user as any).aal as 'aal1' | 'aal2' | undefined;
setAal(userAal || 'aal1');
setLoading(false);
} else {
authLog('[Auth] INITIAL_SESSION - no user');
setSession(null);
setUser(null);
setAal(null);
setLoading(false);
return;
}
@@ -102,11 +109,14 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
authLog('[Auth] SIGNED_OUT - clearing state');
setSession(null);
setUser(null);
setAal(null);
setLoading(false);
return;
} else {
setSession(session);
setUser(session?.user ?? null);
const userAal = session?.user ? ((session.user as any).aal as 'aal1' | 'aal2' | undefined) : null;
setAal(userAal || null);
}
// Detect confirmed email change: email changed AND no longer pending
@@ -214,6 +224,7 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
const value = {
user,
session,
aal,
loading,
pendingEmail,
sessionError,

21
src/hooks/useRequireMFA.ts Normal file
View File

@@ -0,0 +1,21 @@
import { useAuth } from './useAuth';
import { useUserRole } from './useUserRole';
export function useRequireMFA() {
const { aal } = useAuth();
const { isModerator, isAdmin, loading } = useUserRole();
// MFA is required for moderators and admins
const requiresMFA = isModerator() || isAdmin();
// User has MFA if they have AAL2
const hasMFA = aal === 'aal2';
return {
requiresMFA,
hasMFA,
needsEnrollment: requiresMFA && !hasMFA,
aal,
loading,
};
}