pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-22 01:31:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Prevent AAL1 session on MFA login

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-31 16:51:25 +00:00
parent f36d6266be
commit a9d4ee44e5
3 changed files with 124 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
src/components/auth/AuthModal.tsx
View File

@@ -131,13 +131,18 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) {
// Keep AAL1 session active for MFA verification
// RLS policies will block sensitive operations until AAL2
console.log('[AuthModal] MFA required - keeping AAL1 session for verification');
// DESTROY the AAL1 session - user should NOT be logged in before MFA
console.log('[AuthModal] MFA required - destroying AAL1 session and storing credentials');
await supabase.auth.signOut();
// Store credentials in memory for re-authentication after TOTP
sessionStorage.setItem('mfa_pending_email_modal', formData.email);
sessionStorage.setItem('mfa_pending_password_modal', formData.password);
sessionStorage.setItem('mfa_factor_id_modal', totpFactor.id);
setMfaFactorId(totpFactor.id);
setLoading(false);
return; // MFA modal will show, session-based MFA flow will work
return; // User has NO session - MFA modal will show
}
}
@@ -166,30 +171,71 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
};
const handleMfaSuccess = async () => {
// Verify AAL upgrade was successful
const { data: { session } } = await supabase.auth.getSession();
const verification = await verifyMfaUpgrade(session);
console.log('[AuthModal] MFA verification succeeded');
if (!verification.success) {
// Retrieve stored credentials
const email = sessionStorage.getItem('mfa_pending_email_modal');
const password = sessionStorage.getItem('mfa_pending_password_modal');
if (!email || !password) {
console.error('[AuthModal] Missing stored credentials for re-authentication');
toast({
title: "Authentication error",
description: "Please sign in again.",
variant: "destructive",
});
setMfaFactorId(null);
return;
}
// Clear stored credentials
sessionStorage.removeItem('mfa_pending_email_modal');
sessionStorage.removeItem('mfa_pending_password_modal');
sessionStorage.removeItem('mfa_factor_id_modal');
// Re-authenticate with stored credentials - this should create AAL2 session
console.log('[AuthModal] Re-authenticating with verified credentials');
const { error: reAuthError } = await supabase.auth.signInWithPassword({
email,
password,
});
if (reAuthError) {
console.error('[AuthModal] Re-authentication failed:', reAuthError);
toast({
title: "Authentication error",
description: "Please sign in again.",
variant: "destructive",
title: "MFA Verification Failed",
description: verification.error || "Failed to upgrade session. Please try again."
});
// Force sign out on verification failure
await supabase.auth.signOut();
setMfaFactorId(null);
return;
}
setMfaFactorId(null);
toast({
title: "Authentication complete",
description: "You've been signed in successfully.",
});
onOpenChange(false);
};
const handleMfaCancel = () => {
const handleMfaCancel = async () => {
console.log('[AuthModal] User cancelled MFA verification');
// Clear stored credentials
sessionStorage.removeItem('mfa_pending_email_modal');
sessionStorage.removeItem('mfa_pending_password_modal');
sessionStorage.removeItem('mfa_factor_id_modal');
setMfaFactorId(null);
setSignInCaptchaKey(prev => prev + 1);
toast({
title: "Authentication cancelled",
description: "Please sign in again when you're ready to complete two-factor authentication.",
});
};
const handleSignUp = async (e: React.FormEvent) => {