mirror of
https://github.com/pacnpal/thrilltrack-explorer.git
synced 2025-12-24 06:31:14 -05:00
Fix: Implement RLS policies for MFA
This commit is contained in:
gpt-engineer-app[bot]
@@ -38,6 +38,8 @@ export default function Auth() {
|
||||
const [signInCaptchaKey, setSignInCaptchaKey] = useState(0);
|
||||
const [mfaFactorId, setMfaFactorId] = useState<string | null>(null);
|
||||
const [mfaPendingEmail, setMfaPendingEmail] = useState<string | null>(null);
|
||||
const [mfaChallengeId, setMfaChallengeId] = useState<string | null>(null);
|
||||
const [mfaPendingUserId, setMfaPendingUserId] = useState<string | null>(null);
|
||||
|
||||
const emailParam = searchParams.get('email');
|
||||
const messageParam = searchParams.get('message');
|
||||
@@ -93,114 +95,66 @@ export default function Auth() {
|
||||
setSignInCaptchaToken(null);
|
||||
|
||||
try {
|
||||
const {
|
||||
data,
|
||||
error
|
||||
} = await supabase.auth.signInWithPassword({
|
||||
email: formData.email,
|
||||
password: formData.password,
|
||||
options: {
|
||||
captchaToken: tokenToUse
|
||||
// Call server-side auth check with MFA detection
|
||||
const { data: authResult, error: authError } = await supabase.functions.invoke(
|
||||
'auth-with-mfa-check',
|
||||
{
|
||||
body: {
|
||||
email: formData.email,
|
||||
password: formData.password,
|
||||
captchaToken: tokenToUse,
|
||||
},
|
||||
}
|
||||
});
|
||||
|
||||
if (error) throw error;
|
||||
);
|
||||
|
||||
// CRITICAL: Check ban status immediately after successful authentication
|
||||
const { data: profile } = await supabase
|
||||
.from('profiles')
|
||||
.select('banned, ban_reason')
|
||||
.eq('user_id', data.user.id)
|
||||
.single();
|
||||
|
||||
if (profile?.banned) {
|
||||
// Sign out immediately
|
||||
await supabase.auth.signOut();
|
||||
|
||||
const reason = profile.ban_reason
|
||||
? `Reason: ${profile.ban_reason}`
|
||||
if (authError || authResult.error) {
|
||||
throw new Error(authResult?.error || authError?.message || 'Authentication failed');
|
||||
}
|
||||
|
||||
// Check if user is banned
|
||||
if (authResult.banned) {
|
||||
const reason = authResult.banReason
|
||||
? `Reason: ${authResult.banReason}`
|
||||
: 'Contact support for assistance.';
|
||||
|
||||
|
||||
toast({
|
||||
variant: "destructive",
|
||||
title: "Account Suspended",
|
||||
description: `Your account has been suspended. ${reason}`,
|
||||
duration: 10000
|
||||
duration: 10000,
|
||||
});
|
||||
setLoading(false);
|
||||
return; // Stop authentication flow
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if MFA is required (user exists but no session)
|
||||
if (data.user && !data.session) {
|
||||
const totpFactor = data.user.factors?.find(f => f.factor_type === 'totp' && f.status === 'verified');
|
||||
|
||||
if (totpFactor) {
|
||||
setMfaFactorId(totpFactor.id);
|
||||
setLoading(false);
|
||||
return;
|
||||
}
|
||||
// Check if MFA is required
|
||||
if (authResult.mfaRequired) {
|
||||
// NO SESSION EXISTS YET - show MFA challenge
|
||||
console.log('[Auth] MFA required - no session created yet');
|
||||
setMfaFactorId(authResult.factorId);
|
||||
setMfaChallengeId(authResult.challengeId);
|
||||
setMfaPendingUserId(authResult.userId);
|
||||
setLoading(false);
|
||||
return; // User has NO session - MFA modal will show
|
||||
}
|
||||
|
||||
// No MFA required - user has session
|
||||
console.log('[Auth] No MFA required - user authenticated');
|
||||
|
||||
// Track auth method for audit logging
|
||||
setAuthMethod('password');
|
||||
|
||||
// Check if MFA step-up is required
|
||||
const { handlePostAuthFlow } = await import('@/lib/authService');
|
||||
const postAuthResult = await handlePostAuthFlow(data.session, 'password');
|
||||
|
||||
if (postAuthResult.success && postAuthResult.data.shouldRedirect) {
|
||||
// MFA IS REQUIRED - we must show the challenge or sign out
|
||||
const { data: factors } = await supabase.auth.mfa.listFactors();
|
||||
const totpFactor = factors?.totp?.find(f => f.status === 'verified');
|
||||
|
||||
if (totpFactor) {
|
||||
// DESTROY the AAL1 session - user should NOT be logged in before MFA
|
||||
console.log('[Auth] MFA required - destroying AAL1 session and storing credentials');
|
||||
await supabase.auth.signOut();
|
||||
|
||||
// Store credentials in memory for re-authentication after TOTP
|
||||
sessionStorage.setItem('mfa_pending_email', formData.email);
|
||||
sessionStorage.setItem('mfa_pending_password', formData.password);
|
||||
sessionStorage.setItem('mfa_factor_id', totpFactor.id);
|
||||
|
||||
setMfaPendingEmail(formData.email);
|
||||
setMfaFactorId(totpFactor.id);
|
||||
setLoading(false);
|
||||
return; // User has NO session - MFA modal will show
|
||||
} else {
|
||||
// MFA is required but no factor found - FORCE SIGN OUT for security
|
||||
console.error('[Auth] SECURITY: MFA required but no verified factor found');
|
||||
await supabase.auth.signOut();
|
||||
toast({
|
||||
variant: "destructive",
|
||||
title: "Authentication Error",
|
||||
description: "Multi-factor authentication is required but not properly configured. Please contact support."
|
||||
});
|
||||
setLoading(false);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// ONLY show success toast if MFA was NOT required
|
||||
if (postAuthResult.success && !postAuthResult.data.shouldRedirect) {
|
||||
// Verify session was stored
|
||||
setTimeout(async () => {
|
||||
const { data: { session } } = await supabase.auth.getSession();
|
||||
if (!session) {
|
||||
toast({
|
||||
variant: "destructive",
|
||||
title: "Session Error",
|
||||
description: "Login succeeded but session was not stored. Please check your browser settings and enable cookies/storage."
|
||||
});
|
||||
} else {
|
||||
toast({
|
||||
title: "Welcome back!",
|
||||
description: "You've been signed in successfully."
|
||||
});
|
||||
}
|
||||
}, 500);
|
||||
// Set the session in Supabase client
|
||||
if (authResult.session) {
|
||||
await supabase.auth.setSession(authResult.session);
|
||||
}
|
||||
|
||||
toast({
|
||||
title: "Welcome back!",
|
||||
description: "You've been signed in successfully."
|
||||
});
|
||||
|
||||
// Navigate after brief delay
|
||||
setTimeout(() => {
|
||||
navigate('/');
|
||||
}, 500);
|
||||
|
||||
} catch (error) {
|
||||
// Reset CAPTCHA widget to force fresh token generation
|
||||
@@ -211,11 +165,11 @@ export default function Auth() {
|
||||
// Enhanced error messages
|
||||
const errorMsg = getErrorMessage(error);
|
||||
let errorMessage = errorMsg;
|
||||
if (errorMsg.includes('Invalid login credentials')) {
|
||||
if (errorMsg.includes('Invalid login credentials') || errorMsg.includes('Invalid credentials')) {
|
||||
errorMessage = 'Invalid email or password. Please try again.';
|
||||
} else if (errorMsg.includes('Email not confirmed')) {
|
||||
errorMessage = 'Please confirm your email address before signing in.';
|
||||
} else if (error.message.includes('Too many requests')) {
|
||||
} else if (errorMsg.includes('Too many requests')) {
|
||||
errorMessage = 'Too many login attempts. Please wait a few minutes and try again.';
|
||||
}
|
||||
|
||||
@@ -230,50 +184,16 @@ export default function Auth() {
|
||||
};
|
||||
|
||||
const handleMfaSuccess = async () => {
|
||||
console.log('[Auth] MFA verification succeeded');
|
||||
console.log('[Auth] MFA verification succeeded - no further action needed');
|
||||
|
||||
// Retrieve stored credentials
|
||||
const email = sessionStorage.getItem('mfa_pending_email');
|
||||
const password = sessionStorage.getItem('mfa_pending_password');
|
||||
|
||||
if (!email || !password) {
|
||||
console.error('[Auth] Missing stored credentials for re-authentication');
|
||||
toast({
|
||||
title: "Authentication error",
|
||||
description: "Please sign in again.",
|
||||
variant: "destructive",
|
||||
});
|
||||
setMfaFactorId(null);
|
||||
setMfaPendingEmail(null);
|
||||
return;
|
||||
}
|
||||
|
||||
// Clear stored credentials
|
||||
sessionStorage.removeItem('mfa_pending_email');
|
||||
sessionStorage.removeItem('mfa_pending_password');
|
||||
sessionStorage.removeItem('mfa_factor_id');
|
||||
|
||||
// Re-authenticate with stored credentials - this should create AAL2 session
|
||||
console.log('[Auth] Re-authenticating with verified credentials');
|
||||
const { error: reAuthError } = await supabase.auth.signInWithPassword({
|
||||
email,
|
||||
password,
|
||||
});
|
||||
|
||||
if (reAuthError) {
|
||||
console.error('[Auth] Re-authentication failed:', reAuthError);
|
||||
toast({
|
||||
title: "Authentication error",
|
||||
description: "Please sign in again.",
|
||||
variant: "destructive",
|
||||
});
|
||||
setMfaFactorId(null);
|
||||
setMfaPendingEmail(null);
|
||||
return;
|
||||
}
|
||||
// MFA verification is handled by MFAChallenge component
|
||||
// which calls verify-mfa-and-login edge function
|
||||
// The session is automatically set by the edge function
|
||||
|
||||
// Clear state
|
||||
setMfaFactorId(null);
|
||||
setMfaPendingEmail(null);
|
||||
setMfaChallengeId(null);
|
||||
setMfaPendingUserId(null);
|
||||
|
||||
toast({
|
||||
title: "Authentication complete",
|
||||
@@ -288,13 +208,10 @@ export default function Auth() {
|
||||
const handleMfaCancel = async () => {
|
||||
console.log('[Auth] User cancelled MFA verification');
|
||||
|
||||
// Clear stored credentials
|
||||
sessionStorage.removeItem('mfa_pending_email');
|
||||
sessionStorage.removeItem('mfa_pending_password');
|
||||
sessionStorage.removeItem('mfa_factor_id');
|
||||
|
||||
// Clear state - no credentials stored
|
||||
setMfaFactorId(null);
|
||||
setMfaPendingEmail(null);
|
||||
setMfaChallengeId(null);
|
||||
setMfaPendingUserId(null);
|
||||
setSignInCaptchaKey(prev => prev + 1);
|
||||
|
||||
toast({
|
||||
@@ -520,6 +437,8 @@ export default function Auth() {
|
||||
|
||||
<MFAChallenge
|
||||
factorId={mfaFactorId}
|
||||
challengeId={mfaChallengeId}
|
||||
userId={mfaPendingUserId}
|
||||
onSuccess={handleMfaSuccess}
|
||||
onCancel={handleMfaCancel}
|
||||
/>
|
||||
|
||||
Reference in New Issue
Block a user