Fix: Implement MFA enforcement and critical bug fix

src/components/settings/PasswordUpdateDialog.tsx

@@ -101,6 +101,30 @@ export function PasswordUpdateDialog({ open, onOpenChange, onSuccess }: Password
       return;
     }
 
+    // Phase 4: AAL2 check for security-critical operations
+    if (hasMFA) {
+      const { data: { session } } = await supabase.auth.getSession();
+      if (session) {
+        const jwt = session.access_token;
+        const payload = JSON.parse(atob(jwt.split('.')[1]));
+        const currentAal = payload.aal || 'aal1';
+        
+        if (currentAal !== 'aal2') {
+          handleError(
+            new AppError(
+              'Please verify your identity with MFA first',
+              'AAL2_REQUIRED'
+            ),
+            { action: 'Change password', userId, metadata: { step: 'aal2_check' } }
+          );
+          sessionStorage.setItem('mfa_step_up_required', 'true');
+          sessionStorage.setItem('mfa_intended_path', '/settings?tab=security');
+          window.location.href = '/auth';
+          return;
+        }
+      }
+    }
+
     setLoading(true);
     try {
       // Step 1: Reauthenticate with current password to get a nonce