Fix: Implement RLS policies for MFA

2025-12-26 06:11:13 -05:00 · 2025-10-31 17:12:59 +00:00
parent a9d4ee44e5
commit cdb1d0f762
10 changed files with 527 additions and 250 deletions
--- a/supabase/migrations/20251031170759_eb961b9b-cbc0-4020-83e6-05c320c74c84.sql
+++ b/supabase/migrations/20251031170759_eb961b9b-cbc0-4020-83e6-05c320c74c84.sql
@@ -0,0 +1,65 @@
+-- Create security definer function to block AAL1 sessions when MFA is enrolled
+CREATE OR REPLACE FUNCTION public.block_aal1_with_mfa()
+RETURNS boolean
+LANGUAGE sql
+STABLE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+  SELECT 
+    CASE 
+      -- If current session is AAL1
+      WHEN (auth.jwt() ->> 'aal') = 'aal1' THEN
+        -- Check if user has verified MFA factors
+        NOT EXISTS (
+          SELECT 1 FROM auth.mfa_factors
+          WHERE user_id = auth.uid()
+          AND status = 'verified'
+        )
+      -- If AAL2 or higher, allow
+      ELSE true
+    END;
+$$;
+
+-- Apply to profiles table
+CREATE POLICY "enforce_aal2_for_mfa_users" ON public.profiles
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+-- Apply to user_roles table  
+CREATE POLICY "enforce_aal2_for_mfa_users_roles" ON public.user_roles
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+-- Apply to submission tables
+CREATE POLICY "enforce_aal2_for_mfa_users_park_sub" ON public.park_submissions
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+CREATE POLICY "enforce_aal2_for_mfa_users_ride_sub" ON public.ride_submissions
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+CREATE POLICY "enforce_aal2_for_mfa_users_company_sub" ON public.company_submissions
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+CREATE POLICY "enforce_aal2_for_mfa_users_content_sub" ON public.content_submissions
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+CREATE POLICY "enforce_aal2_for_mfa_users_photo_sub" ON public.photo_submissions
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+-- Apply to user content tables
+CREATE POLICY "enforce_aal2_for_mfa_users_reviews" ON public.reviews
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+CREATE POLICY "enforce_aal2_for_mfa_users_reports" ON public.reports
+FOR ALL
+USING (public.block_aal1_with_mfa());
+
+-- Grant execute permission
+GRANT EXECUTE ON FUNCTION public.block_aal1_with_mfa() TO authenticated;