feat: Complete Auth.tsx and AuthModal.tsx updates

src/components/auth/AuthModal.tsx

@@ -12,6 +12,8 @@ import { TurnstileCaptcha } from './TurnstileCaptcha';
 import { notificationService } from '@/lib/notificationService';
 import { useCaptchaBypass } from '@/hooks/useCaptchaBypass';
 import { MFAChallenge } from './MFAChallenge';
+import { verifyMfaUpgrade } from '@/lib/authService';
+import { setAuthMethod } from '@/lib/sessionFlags';
 
 interface AuthModalProps {
   open: boolean;
@@ -87,6 +89,9 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
         }
       }
       
+      // Track auth method for audit logging
+      setAuthMethod('password');
+      
       toast({
         title: "Welcome back!",
         description: "You've been signed in successfully."
@@ -108,7 +113,24 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
     }
   };
 
-  const handleMfaSuccess = () => {
+  const handleMfaSuccess = async () => {
+    // Verify AAL upgrade was successful
+    const { data: { session } } = await supabase.auth.getSession();
+    const verification = await verifyMfaUpgrade(session);
+    
+    if (!verification.success) {
+      toast({
+        variant: "destructive",
+        title: "MFA Verification Failed",
+        description: verification.error || "Failed to upgrade session. Please try again."
+      });
+      
+      // Force sign out on verification failure
+      await supabase.auth.signOut();
+      setMfaFactorId(null);
+      return;
+    }
+    
     setMfaFactorId(null);
     onOpenChange(false);
   };
@@ -221,7 +243,7 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
       const { error } = await supabase.auth.signInWithOtp({
         email,
         options: {
-          emailRedirectTo: `${window.location.origin}/`
+          emailRedirectTo: `${window.location.origin}/auth/callback`
         }
       });
       

src/pages/Auth.tsx

@@ -16,6 +16,8 @@ import { TurnstileCaptcha } from '@/components/auth/TurnstileCaptcha';
 import { notificationService } from '@/lib/notificationService';
 import { StorageWarning } from '@/components/auth/StorageWarning';
 import { MFAChallenge } from '@/components/auth/MFAChallenge';
+import { verifyMfaUpgrade } from '@/lib/authService';
+import { setAuthMethod } from '@/lib/sessionFlags';
 
 export default function Auth() {
   const [searchParams] = useSearchParams();
@@ -104,6 +106,9 @@ export default function Auth() {
         }
       }
       
+      // Track auth method for audit logging
+      setAuthMethod('password');
+      
       console.log('[Auth] Sign in successful', {
         user: data.user?.email,
         session: !!data.session,
@@ -155,7 +160,24 @@ export default function Auth() {
     }
   };
 
-  const handleMfaSuccess = () => {
+  const handleMfaSuccess = async () => {
+    // Verify AAL upgrade was successful
+    const { data: { session } } = await supabase.auth.getSession();
+    const verification = await verifyMfaUpgrade(session);
+    
+    if (!verification.success) {
+      toast({
+        variant: "destructive",
+        title: "MFA Verification Failed",
+        description: verification.error || "Failed to upgrade session. Please try again."
+      });
+      
+      // Force sign out on verification failure
+      await supabase.auth.signOut();
+      setMfaFactorId(null);
+      return;
+    }
+    
     setMfaFactorId(null);
     toast({
       title: "Welcome back!",
@@ -275,7 +297,7 @@ export default function Auth() {
       const { error } = await supabase.auth.signInWithOtp({
         email,
         options: {
-          emailRedirectTo: `${window.location.origin}/`
+          emailRedirectTo: `${window.location.origin}/auth/callback`
         }
       });