Improve security by requiring higher authentication levels for sensitive actions

Update authentication flows to enforce AAL2 requirements for MFA operations and identity disconnections, and adjust TOTP verification logic. Replit-Commit-Author: Agent Replit-Commit-Session-Id: da324197-4d44-4e4b-b342-fe8ae33cf0cf Replit-Commit-Checkpoint-Type: intermediate_checkpoint
2025-12-21 10:11:12 -05:00 · 2025-10-27 23:53:33 +00:00
parent 64f82c9ac2
commit d1f01d9228
5 changed files with 62 additions and 9 deletions
--- a/src/components/settings/PasswordUpdateDialog.tsx
+++ b/src/components/settings/PasswordUpdateDialog.tsx
@@ -225,9 +225,16 @@ export function PasswordUpdateDialog({ open, onOpenChange, onSuccess }: Password

    setLoading(true);
    try {
-      // Verify TOTP code
+      // Get the factor ID first
+      const factorId = (await supabase.auth.mfa.listFactors()).data?.totp?.[0]?.id || '';
+      
+      if (!factorId) {
+        throw new Error('No MFA factor found');
+      }
+      
+      // Create challenge
      const { data: challengeData, error: challengeError } = await supabase.auth.mfa.challenge({
-        factorId: (await supabase.auth.mfa.listFactors()).data?.totp?.[0]?.id || ''
+        factorId
      });

      if (challengeError) {
@@ -240,8 +247,9 @@ export function PasswordUpdateDialog({ open, onOpenChange, onSuccess }: Password
        throw challengeError;
      }

+      // Verify TOTP code with correct factorId
      const { error: verifyError } = await supabase.auth.mfa.verify({
-        factorId: challengeData.id,
+        factorId,
        challengeId: challengeData.id,
        code: totpCode
      });