pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-21 14:31:11 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Implement RLS policies for MFA

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-31 17:12:59 +00:00
parent a9d4ee44e5
commit cdb1d0f762
10 changed files with 527 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
supabase/functions/auth-with-mfa-check/index.ts Normal file
View File

@@ -0,0 +1,128 @@
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
const corsHeaders = {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
};
const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
Deno.serve(async (req) => {
if (req.method === 'OPTIONS') {
return new Response(null, { headers: corsHeaders });
}
try {
const { email, password } = await req.json();
if (!email || !password) {
return new Response(
JSON.stringify({ error: 'Email and password are required' }),
{ status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Create admin client
const supabaseAdmin = createClient(supabaseUrl, supabaseServiceKey, {
auth: {
autoRefreshToken: false,
persistSession: false,
},
});
// Verify credentials using signInWithPassword (doesn't create session with admin client)
const { data: authData, error: authError } = await supabaseAdmin.auth.signInWithPassword({
email,
password,
});
if (authError || !authData.user) {
console.error('Auth error:', authError);
return new Response(
JSON.stringify({ error: authError?.message || 'Invalid credentials' }),
{ status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
const userId = authData.user.id;
// Check if user is banned
const { data: profile, error: profileError } = await supabaseAdmin
.from('profiles')
.select('banned, ban_reason')
.eq('user_id', userId)
.single();
if (profileError) {
console.error('Profile check error:', profileError);
}
if (profile?.banned) {
return new Response(
JSON.stringify({
error: 'Account suspended',
banned: true,
banReason: profile.ban_reason
}),
{ status: 403, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// Check for MFA enrollment
const { data: factors, error: factorsError } = await supabaseAdmin.auth.admin.mfa.listFactors({
userId,
});
if (factorsError) {
console.error('MFA factors check error:', factorsError);
// Continue - assume no MFA if check fails
}
const verifiedFactors = factors?.totp?.filter((f) => f.status === 'verified') || [];
if (verifiedFactors.length > 0) {
// User has MFA - create a challenge but don't create session
const factorId = verifiedFactors[0].id;
// Create MFA challenge
const { data: challengeData, error: challengeError } = await supabaseAdmin.auth.mfa.challenge({
factorId,
});
if (challengeError) {
console.error('Challenge creation error:', challengeError);
return new Response(
JSON.stringify({ error: 'Failed to create MFA challenge' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
return new Response(
JSON.stringify({
mfaRequired: true,
factorId,
challengeId: challengeData.id,
userId, // Needed for verification step
}),
{ status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
// No MFA required - return session
return new Response(
JSON.stringify({
mfaRequired: false,
session: authData.session,
user: authData.user,
}),
{ status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
} catch (error) {
console.error('Unexpected error:', error);
return new Response(
JSON.stringify({ error: 'Internal server error' }),
{ status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }
);
}
});