Fix: Remove signOut() calls before MFA

2025-12-20 10:11:13 -05:00 · 2025-10-31 16:37:36 +00:00
parent bf40d27082
commit f36d6266be
3 changed files with 12 additions and 17 deletions
--- a/src/components/auth/AuthModal.tsx
+++ b/src/components/auth/AuthModal.tsx
@@ -131,14 +131,13 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
        const totpFactor = factors?.totp?.find(f => f.status === 'verified');
        
        if (totpFactor) {
-          // IMMEDIATELY DESTROY THE AAL1 SESSION (same as Auth.tsx password flow)
-          console.log('[AuthModal] MFA required - destroying AAL1 session before challenge');
-          await supabase.auth.signOut();
+          // Keep AAL1 session active for MFA verification
+          // RLS policies will block sensitive operations until AAL2
+          console.log('[AuthModal] MFA required - keeping AAL1 session for verification');
          
-          // At this point, user has NO authenticated session
          setMfaFactorId(totpFactor.id);
          setLoading(false);
-          return; // User has NO session - MFA modal will show
+          return; // MFA modal will show, session-based MFA flow will work
        }
      }
      
--- a/src/pages/Auth.tsx
+++ b/src/pages/Auth.tsx
@@ -155,17 +155,14 @@ export default function Auth() {
        const totpFactor = factors?.totp?.find(f => f.status === 'verified');
        
        if (totpFactor) {
-          // CRITICAL SECURITY FIX: IMMEDIATELY DESTROY THE AAL1 SESSION
-          // The user MUST NOT have any active session before completing MFA
-          console.log('[Auth] MFA required - destroying AAL1 session before challenge');
-          await supabase.auth.signOut();
+          // Keep AAL1 session active for MFA verification
+          // RLS policies will block sensitive operations until AAL2
+          console.log('[Auth] MFA required - keeping AAL1 session for verification');
          
-          // Store email and factor ID in component state ONLY
-          // At this point, user has NO authenticated session
          setMfaPendingEmail(formData.email);
          setMfaFactorId(totpFactor.id);
          setLoading(false);
-          return; // User has NO session - MFA modal will show
+          return; // MFA modal will show, session-based MFA flow will work
        } else {
          // MFA is required but no factor found - FORCE SIGN OUT for security
          console.error('[Auth] SECURITY: MFA required but no verified factor found');
--- a/src/pages/AuthCallback.tsx
+++ b/src/pages/AuthCallback.tsx
@@ -119,14 +119,13 @@ export default function AuthCallback() {
          const totpFactor = factors?.totp?.find(f => f.status === 'verified');
          
          if (totpFactor) {
-            // IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow)
-            console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge');
-            await supabase.auth.signOut();
+            // Keep AAL1 session active for MFA verification
+            // RLS policies will block sensitive operations until AAL2
+            console.log('[AuthCallback] MFA required - keeping AAL1 session for verification');
            
-            // At this point, user has NO authenticated session
            setMfaFactorId(totpFactor.id);
            setStatus('mfa_required');
-            return; // User has NO session - MFA modal will show
+            return; // MFA modal will show, session-based MFA flow will work
          }
        }