Implement MFA Enforcement

gpt-engineer-app[bot]
2025-10-14 13:45:59 +00:00
parent 121f7c533a
commit 7aa219efe5
10 changed files with 216 additions and 12 deletions


@@ -8,6 +8,7 @@ import { authLog, authWarn, authError } from '@/lib/authLogger';
interface AuthContextType {
user: User | null;
session: Session | null;
aal: 'aal1' | 'aal2' | null;
loading: boolean;
pendingEmail: string | null;
sessionError: string | null;
@@ -21,6 +22,7 @@ const AuthContext = createContext<AuthContextType | undefined>(undefined);
function AuthProviderComponent({ children }: { children: React.ReactNode }) {
const [user, setUser] = useState<User | null>(null);
const [session, setSession] = useState<Session | null>(null);
const [aal, setAal] = useState<'aal1' | 'aal2' | null>(null);
const [loading, setLoading] = useState(true);
const [pendingEmail, setPendingEmail] = useState<string | null>(null);
const [sessionError, setSessionError] = useState<string | null>(null);
@@ -84,17 +86,22 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
authLog('[Auth] SIGNED_IN - user authenticated');
setSession(session);
setUser(session.user);
const userAal = (session.user as any).aal as 'aal1' | 'aal2' | undefined;
setAal(userAal || 'aal1');
setLoading(false);
} else if (event === 'INITIAL_SESSION') {
if (session?.user) {
authLog('[Auth] INITIAL_SESSION - user exists');
setSession(session);
setUser(session.user);
const userAal = (session.user as any).aal as 'aal1' | 'aal2' | undefined;
setAal(userAal || 'aal1');
setLoading(false);
} else {
authLog('[Auth] INITIAL_SESSION - no user');
setSession(null);
setUser(null);
setAal(null);
setLoading(false);
return;
}
@@ -102,11 +109,14 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
authLog('[Auth] SIGNED_OUT - clearing state');
setSession(null);
setUser(null);
setAal(null);
setLoading(false);
return;
} else {
setSession(session);
setUser(session?.user ?? null);
const userAal = session?.user ? ((session.user as any).aal as 'aal1' | 'aal2' | undefined) : null;
setAal(userAal || null);
}
// Detect confirmed email change: email changed AND no longer pending
@@ -214,6 +224,7 @@ function AuthProviderComponent({ children }: { children: React.ReactNode }) {
const value = {
user,
session,
aal,
loading,
pendingEmail,
sessionError,
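Review bot: The AAL read in the SIGNED_IN, INITIAL_SESSION and fallback branches, `(session.user as any).aal`, goes through an `any` cast, so nothing checks that the user object has an `aal` field. If this is the Supabase client, as the event names suggest, the assurance level is carried in the access-token claims rather than on `User`, so `userAal` would be undefined and the state would stay at `'aal1'` even after a second factor is verified. Reading it from the client's MFA API removes the cast, e.g. `const { data } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel(); setAal(data?.currentLevel ?? null);` (client name assumed; best scheduled outside the auth callback). The fallback branch also defaults to `null` where the other two default to `'aal1'`, so a signed-in user whose event lands there (token refresh, MFA verification) would be reported with no level; a shared helper would keep the three paths consistent. Because this value is client state it should drive UI only, with the aal2 requirement enforced server-side; the function body begins and ends outside these hunks.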