diff --git a/src/components/auth/AuthModal.tsx b/src/components/auth/AuthModal.tsx
index 13c0aec8..7354876a 100644
--- a/src/components/auth/AuthModal.tsx
+++ b/src/components/auth/AuthModal.tsx
@@ -12,6 +12,8 @@ import { TurnstileCaptcha } from './TurnstileCaptcha';
 import { notificationService } from '@/lib/notificationService';
 import { useCaptchaBypass } from '@/hooks/useCaptchaBypass';
 import { MFAChallenge } from './MFAChallenge';
+import { verifyMfaUpgrade } from '@/lib/authService';
+import { setAuthMethod } from '@/lib/sessionFlags';
 
 interface AuthModalProps {
   open: boolean;
@@ -87,6 +89,9 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
         }
       }
 
+      // Track auth method for audit logging
+      setAuthMethod('password');
+
       toast({
         title: "Welcome back!",
         description: "You've been signed in successfully."
@@ -108,7 +113,24 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
     }
   };
 
-  const handleMfaSuccess = () => {
+  const handleMfaSuccess = async () => {
+    // Verify AAL upgrade was successful
+    const { data: { session } } = await supabase.auth.getSession();
+    const verification = await verifyMfaUpgrade(session);
+
+    if (!verification.success) {
+      toast({
+        variant: "destructive",
+        title: "MFA Verification Failed",
+        description: verification.error || "Failed to upgrade session. Please try again."
+      });
+
+      // Force sign out on verification failure
+      await supabase.auth.signOut();
+      setMfaFactorId(null);
+      return;
+    }
+
     setMfaFactorId(null);
     onOpenChange(false);
   };
@@ -221,7 +243,7 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
     const { error } = await supabase.auth.signInWithOtp({
       email,
       options: {
-        emailRedirectTo: `${window.location.origin}/`
+        emailRedirectTo: `${window.location.origin}/auth/callback`
       }
     });
 
diff --git a/src/pages/Auth.tsx b/src/pages/Auth.tsx
index 933f0406..8ce3831d 100644
--- a/src/pages/Auth.tsx
+++ b/src/pages/Auth.tsx
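Review bot: `setAuthMethod('password')` in the second hunk is written before the MFA challenge has completed, so for a user who goes on to pass `MFAChallenge` the recorded method presumably stays `'password'` unless `handleMfaSuccess` updates it, which the third hunk does not do; consider `setAuthMethod('mfa')` (or whatever value `sessionFlags` defines) on the MFA success path. The comment says this is for audit logging, but `sessionFlags` looks like client-held state, and anything the browser sets can be set to any value; if a server-side audit consumer reads it, that consumer should derive the method from the session's own claims rather than trust the flag — a comment such as `// Client-side hint only; not authoritative for server-side audit` would make that explicit. The same hunk appears in src/pages/Auth.tsx.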
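Review bot: The new `handleMfaSuccess` has no error handling around `getSession()`, `verifyMfaUpgrade()` and `signOut()`, and since it is now `async`, a rejection from any of them is dropped by whatever passes it as `onSuccess` (likely typed `() => void`), leaving the modal open with `mfaFactorId` still set and the user's AAL unverified. `supabase.auth.getSession()` also returns the client's cached session; unless `verifyMfaUpgrade` re-reads the assurance level from the server, a stale local token will pass the check — worth confirming in `@/lib/authService`. The identical body is added to src/pages/Auth.tsx; extracting it into a shared helper would keep the two from drifting. Minor: `verification.error || "..."` should be `??`.
```typescript
  const handleMfaSuccess = async () => {
    try {
      // Re-read the session and confirm the AAL upgrade before dismissing the modal
      const { data: { session } } = await supabase.auth.getSession();
      const verification = await verifyMfaUpgrade(session);
      if (!verification.success) {
        throw new Error(verification.error ?? "Failed to upgrade session. Please try again.");
      }
      setMfaFactorId(null);
      onOpenChange(false);
    } catch (e: unknown) {
      toast({
        variant: "destructive",
        title: "MFA Verification Failed",
        description: e instanceof Error ? e.message : "Failed to upgrade session. Please try again."
      });
      // Do not leave a partially-authenticated session usable; sign out is best-effort here
      try {
        await supabase.auth.signOut();
      } catch (signOutError: unknown) {
        console.error('[AuthModal] signOut after failed MFA verification', signOutError);
      }
      setMfaFactorId(null);
    }
  };
```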
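Review bot: The fourth hunk changes `emailRedirectTo` to `/auth/callback`; Supabase only honours a redirect that is on the project's configured redirect allow-list and otherwise falls back to the Site URL, so this change needs the matching allow-list entry or magic-link sign-in will silently land on the old page. A short comment next to the option, `// must match an entry in the Supabase redirect URL allow-list`, would save the next person the debugging. The same change is made in src/pages/Auth.tsx.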
@@ -16,6 +16,8 @@ import { TurnstileCaptcha } from '@/components/auth/TurnstileCaptcha';
 import { notificationService } from '@/lib/notificationService';
 import { StorageWarning } from '@/components/auth/StorageWarning';
 import { MFAChallenge } from '@/components/auth/MFAChallenge';
+import { verifyMfaUpgrade } from '@/lib/authService';
+import { setAuthMethod } from '@/lib/sessionFlags';
 
 export default function Auth() {
   const [searchParams] = useSearchParams();
@@ -104,6 +106,9 @@ export default function Auth() {
         }
       }
 
+      // Track auth method for audit logging
+      setAuthMethod('password');
+
       console.log('[Auth] Sign in successful', {
         user: data.user?.email,
         session: !!data.session,
@@ -155,7 +160,24 @@ export default function Auth() {
     }
   };
 
-  const handleMfaSuccess = () => {
+  const handleMfaSuccess = async () => {
+    // Verify AAL upgrade was successful
+    const { data: { session } } = await supabase.auth.getSession();
+    const verification = await verifyMfaUpgrade(session);
+
+    if (!verification.success) {
+      toast({
+        variant: "destructive",
+        title: "MFA Verification Failed",
+        description: verification.error || "Failed to upgrade session. Please try again."
+      });
+
+      // Force sign out on verification failure
+      await supabase.auth.signOut();
+      setMfaFactorId(null);
+      return;
+    }
+
     setMfaFactorId(null);
     toast({
       title: "Welcome back!",
@@ -275,7 +297,7 @@ export default function Auth() {
     const { error } = await supabase.auth.signInWithOtp({
       email,
       options: {
-        emailRedirectTo: `${window.location.origin}/`
+        emailRedirectTo: `${window.location.origin}/auth/callback`
       }
     });