feat: Implement MFA Step-Up for OAuth

2025-12-24 17:51:13 -05:00 · 2025-10-14 13:52:11 +00:00
parent 7aa219efe5
commit ccfa83faee
6 changed files with 225 additions and 9 deletions
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -71,6 +71,33 @@ export default function AuthCallback() {
          }
        }

+        // Check if MFA step-up is required for OAuth users
+        if (isOAuthUser) {
+          console.log('[AuthCallback] Checking MFA requirements for OAuth user...');
+          
+          try {
+            const { data: factors } = await supabase.auth.mfa.listFactors();
+            const hasMfaEnrolled = factors?.totp?.some(f => f.status === 'verified');
+            
+            const { data: { currentLevel } } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
+            
+            console.log('[AuthCallback] MFA status:', {
+              hasMfaEnrolled,
+              currentLevel,
+            });
+
+            if (hasMfaEnrolled && currentLevel === 'aal1') {
+              console.log('[AuthCallback] MFA step-up required, redirecting...');
+              sessionStorage.setItem('mfa_step_up_required', 'true');
+              navigate('/auth/mfa-step-up');
+              return;
+            }
+          } catch (error) {
+            console.error('[AuthCallback] Failed to check MFA status:', error);
+            // Continue anyway - don't block sign-in
+          }
+        }
+
        setStatus('success');
        
        // Show success message
--- a/src/pages/MFAStepUp.tsx
+++ b/src/pages/MFAStepUp.tsx
@@ -0,0 +1,116 @@
+import { useEffect, useState } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { supabase } from '@/integrations/supabase/client';
+import { useToast } from '@/hooks/use-toast';
+import { Header } from '@/components/layout/Header';
+import { MFAChallenge } from '@/components/auth/MFAChallenge';
+import { Shield } from 'lucide-react';
+
+export default function MFAStepUp() {
+  const navigate = useNavigate();
+  const { toast } = useToast();
+  const [factorId, setFactorId] = useState<string | null>(null);
+
+  useEffect(() => {
+    const checkStepUpRequired = async () => {
+      // Check if this page was accessed via proper flow
+      const needsStepUp = sessionStorage.getItem('mfa_step_up_required');
+      if (!needsStepUp) {
+        console.log('[MFAStepUp] No step-up flag found, redirecting to auth');
+        navigate('/auth');
+        return;
+      }
+
+      // Get the verified TOTP factor
+      const { data: factors } = await supabase.auth.mfa.listFactors();
+      const totpFactor = factors?.totp?.find(f => f.status === 'verified');
+      
+      if (!totpFactor) {
+        console.log('[MFAStepUp] No verified TOTP factor found');
+        toast({
+          variant: 'destructive',
+          title: 'MFA not enrolled',
+          description: 'Please enroll in two-factor authentication first.',
+        });
+        sessionStorage.removeItem('mfa_step_up_required');
+        navigate('/settings?tab=security');
+        return;
+      }
+
+      setFactorId(totpFactor.id);
+    };
+
+    checkStepUpRequired();
+  }, [navigate, toast]);
+
+  const handleSuccess = async () => {
+    console.log('[MFAStepUp] MFA verification successful');
+    
+    // Clear the step-up flag
+    sessionStorage.removeItem('mfa_step_up_required');
+    
+    toast({
+      title: 'Verification successful',
+      description: 'You now have full access to all features.',
+    });
+
+    // Redirect to home or intended destination
+    const intendedPath = sessionStorage.getItem('mfa_intended_path') || '/';
+    sessionStorage.removeItem('mfa_intended_path');
+    navigate(intendedPath);
+  };
+
+  const handleCancel = async () => {
+    console.log('[MFAStepUp] MFA verification cancelled');
+    
+    // Clear flags
+    sessionStorage.removeItem('mfa_step_up_required');
+    sessionStorage.removeItem('mfa_intended_path');
+    
+    // Sign out for security
+    await supabase.auth.signOut();
+    
+    toast({
+      title: 'Verification cancelled',
+      description: 'You have been signed out.',
+    });
+    
+    navigate('/auth');
+  };
+
+  return (
+    <div className="min-h-screen bg-background">
+      <Header />
+      
+      <main className="container mx-auto px-4 py-16">
+        <div className="max-w-md mx-auto">
+          <div className="bg-card border rounded-lg p-6 space-y-6">
+            <div className="text-center space-y-2">
+              <div className="flex justify-center">
+                <div className="h-12 w-12 rounded-full bg-primary/10 flex items-center justify-center">
+                  <Shield className="h-6 w-6 text-primary" />
+                </div>
+              </div>
+              <h2 className="text-2xl font-bold">Additional Verification Required</h2>
+              <p className="text-muted-foreground">
+                Your role requires two-factor authentication. Please verify your identity to continue.
+              </p>
+            </div>
+
+            {factorId ? (
+              <MFAChallenge
+                factorId={factorId}
+                onSuccess={handleSuccess}
+                onCancel={handleCancel}
+              />
+            ) : (
+              <div className="flex justify-center py-4">
+                <div className="animate-spin h-6 w-6 border-2 border-primary border-t-transparent rounded-full" />
+              </div>
+            )}
+          </div>
+        </div>
+      </main>
+    </div>
+  );
+}