Fix AuthModal MFA enforcement

This commit is contained in:
gpt-engineer-app[bot]
2025-10-31 15:57:14 +00:00
parent 151d847cd5
commit bf40d27082


@@ -126,14 +126,19 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
const postAuthResult = await handlePostAuthFlow(data.session, 'password'); const postAuthResult = await handlePostAuthFlow(data.session, 'password');
if (postAuthResult.success && postAuthResult.data.shouldRedirect) { if (postAuthResult.success && postAuthResult.data.shouldRedirect) {
// Get the TOTP factor ID // CRITICAL SECURITY FIX: Get factor BEFORE destroying session
const { data: factors } = await supabase.auth.mfa.listFactors(); const { data: factors } = await supabase.auth.mfa.listFactors();
const totpFactor = factors?.totp?.find(f => f.status === 'verified'); const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) { if (totpFactor) {
// IMMEDIATELY DESTROY THE AAL1 SESSION (same as Auth.tsx password flow)
console.log('[AuthModal] MFA required - destroying AAL1 session before challenge');
await supabase.auth.signOut();
// At this point, user has NO authenticated session
setMfaFactorId(totpFactor.id); setMfaFactorId(totpFactor.id);
setLoading(false); setLoading(false);
return; // Stay in modal, show MFA challenge return; // User has NO session - MFA modal will show
} }
} }