feat: Implement MFA Step-Up for OAuth

src/components/auth/TOTPSetup.tsx

@@ -111,16 +111,31 @@ export function TOTPSetup() {
 
       if (verifyError) throw verifyError;
 
+      // Check if user signed in via OAuth
+      const { data: { session } } = await supabase.auth.getSession();
+      const provider = session?.user?.app_metadata?.provider;
+      const isOAuthUser = provider === 'google' || provider === 'discord';
+
       toast({
         title: 'TOTP Enabled',
-        description: 'Please sign in again to activate MFA protection.'
+        description: isOAuthUser 
+          ? 'Please verify with your authenticator code to continue.' 
+          : 'Please sign in again to activate MFA protection.'
       });
 
-      // Force sign out to get new session with AAL2
-      setTimeout(async () => {
-        await supabase.auth.signOut();
-        window.location.href = '/auth';
-      }, 2000);
+      if (isOAuthUser) {
+        // For OAuth users, trigger step-up flow immediately
+        setTimeout(() => {
+          sessionStorage.setItem('mfa_step_up_required', 'true');
+          window.location.href = '/auth/mfa-step-up';
+        }, 1500);
+      } else {
+        // For email/password users, force sign out to require MFA on next login
+        setTimeout(async () => {
+          await supabase.auth.signOut();
+          window.location.href = '/auth';
+        }, 2000);
+      }
     } catch (error: any) {
       toast({
         title: 'Error',