Fix: Prevent AAL1 session on MFA login

2025-12-23 13:31:14 -05:00 · 2025-10-31 16:51:25 +00:00
parent f36d6266be
commit a9d4ee44e5
3 changed files with 124 additions and 37 deletions
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -119,13 +119,13 @@ export default function AuthCallback() {
          const totpFactor = factors?.totp?.find(f => f.status === 'verified');
          
          if (totpFactor) {
-            // Keep AAL1 session active for MFA verification
-            // RLS policies will block sensitive operations until AAL2
-            console.log('[AuthCallback] MFA required - keeping AAL1 session for verification');
+            // OAuth flow: We can't store the OAuth token, so we keep the AAL1 session
+            // This is unavoidable for OAuth flows - but RLS blocks sensitive operations
+            console.log('[AuthCallback] OAuth MFA required - keeping AAL1 session (OAuth limitation)');
            
            setMfaFactorId(totpFactor.id);
            setStatus('mfa_required');
-            return; // MFA modal will show, session-based MFA flow will work
+            return;
          }
        }