Fix: Implement MFA enforcement and critical bug fix

2025-12-20 12:31:26 -05:00 · 2025-10-17 19:43:43 +00:00
parent ba11773eb6
commit 8a36c71edb
7 changed files with 547 additions and 0 deletions
--- a/supabase/functions/process-selective-approval/index.ts
+++ b/supabase/functions/process-selective-approval/index.ts
@@ -115,6 +115,39 @@ serve(async (req) => {
      );
    }

+    // Phase 2: AAL2 Enforcement - Check if user has MFA enrolled and requires AAL2
+    const { data: { session } } = await supabaseAuth.auth.getSession();
+    if (!session) {
+      return new Response(
+        JSON.stringify({ error: 'No active session found.' }),
+        { status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
+      );
+    }
+
+    // Check if user has MFA enrolled
+    const { data: factorsData } = await supabaseAuth.auth.mfa.listFactors();
+    const hasMFA = factorsData?.totp?.some(f => f.status === 'verified') || false;
+
+    // Parse JWT to get AAL level
+    const jwt = session.access_token;
+    const payload = JSON.parse(atob(jwt.split('.')[1]));
+    const aal = payload.aal || 'aal1';
+
+    // Enforce AAL2 if MFA is enrolled
+    if (hasMFA && aal !== 'aal2') {
+      console.error('AAL2 required but session is at AAL1', { userId: authenticatedUserId });
+      return new Response(
+        JSON.stringify({ 
+          error: 'MFA verification required',
+          code: 'AAL2_REQUIRED',
+          message: 'Your role requires two-factor authentication. Please verify your identity to continue.'
+        }),
+        { status: 403, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
+      );
+    }
+
+    console.log('AAL2 check passed', { userId: authenticatedUserId, hasMFA, aal });
+
    const { itemIds, submissionId }: ApprovalRequest = await req.json();

    // UUID validation regex