Fix: Remove signOut() calls before MFA

This commit is contained in:
gpt-engineer-app[bot]
2025-10-31 16:37:36 +00:00
parent bf40d27082
commit f36d6266be
3 changed files with 12 additions and 17 deletions


@@ -131,14 +131,13 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
const totpFactor = factors?.totp?.find(f => f.status === 'verified'); const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) { if (totpFactor) {
// IMMEDIATELY DESTROY THE AAL1 SESSION (same as Auth.tsx password flow) // Keep AAL1 session active for MFA verification
console.log('[AuthModal] MFA required - destroying AAL1 session before challenge'); // RLS policies will block sensitive operations until AAL2
await supabase.auth.signOut(); console.log('[AuthModal] MFA required - keeping AAL1 session for verification');
// At this point, user has NO authenticated session
setMfaFactorId(totpFactor.id); setMfaFactorId(totpFactor.id);
setLoading(false); setLoading(false);
return; // User has NO session - MFA modal will show return; // MFA modal will show, session-based MFA flow will work
} }
} }
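Review bot: The new comment in the `if (totpFactor)` branch ("RLS policies will block sensitive operations until AAL2") states as fact an invariant this hunk does not establish: once `signOut()` is gone, the AAL1 session is a fully usable session, and nothing in the client checks that the data layer actually distinguishes AAL1 from AAL2. Retaining the session is what the TOTP challenge/verify step needs, so the change itself is sound, but the guarantee it leans on lives in the database policies and should be written as a requirement on them rather than an assertion; suggest `// AAL1 session is kept so the TOTP challenge/verify can run; sensitive tables/RPCs must require aal2 in RLS, e.g. (select auth.jwt()->>'aal') = 'aal2'` plus a `// TODO(review): confirm every sensitive policy checks aal` marker. The trailing `// MFA modal will show, session-based MFA flow will work` on the `return` only restates the log line and can be dropped. The same comment pair is introduced in Auth.tsx (second section) and AuthCallback.tsx (third section) and should be updated alongside; the enclosing handler starts before and ends after this hunk.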


@@ -155,17 +155,14 @@ export default function Auth() {
const totpFactor = factors?.totp?.find(f => f.status === 'verified'); const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) { if (totpFactor) {
// CRITICAL SECURITY FIX: IMMEDIATELY DESTROY THE AAL1 SESSION // Keep AAL1 session active for MFA verification
// The user MUST NOT have any active session before completing MFA // RLS policies will block sensitive operations until AAL2
console.log('[Auth] MFA required - destroying AAL1 session before challenge'); console.log('[Auth] MFA required - keeping AAL1 session for verification');
await supabase.auth.signOut();
// Store email and factor ID in component state ONLY
// At this point, user has NO authenticated session
setMfaPendingEmail(formData.email); setMfaPendingEmail(formData.email);
setMfaFactorId(totpFactor.id); setMfaFactorId(totpFactor.id);
setLoading(false); setLoading(false);
return; // User has NO session - MFA modal will show return; // MFA modal will show, session-based MFA flow will work
} else { } else {
// MFA is required but no factor found - FORCE SIGN OUT for security // MFA is required but no factor found - FORCE SIGN OUT for security
console.error('[Auth] SECURITY: MFA required but no verified factor found'); console.error('[Auth] SECURITY: MFA required but no verified factor found');
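Review bot: `setMfaPendingEmail(formData.email)` survives the change even though its stated reason was removed with it: the old comment `// Store email and factor ID in component state ONLY` / `// At this point, user has NO authenticated session` explained that the email had to be carried client-side because no session existed, and with the AAL1 session now retained the signed-in user is already known to the session. Either the pending-email state is now redundant in the MFA path (it appears unused elsewhere in this hunk, though the consumer is outside it) or it is still needed for another reason, in which case the line deserves a comment saying why, e.g. `// email kept in state for <reason> — session now identifies the user`. The `else` branch that force-signs-out when no verified factor exists is unchanged and still correct; the enclosing handler continues outside the hunk.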


@@ -119,14 +119,13 @@ export default function AuthCallback() {
const totpFactor = factors?.totp?.find(f => f.status === 'verified'); const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) { if (totpFactor) {
// IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow) // Keep AAL1 session active for MFA verification
console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge'); // RLS policies will block sensitive operations until AAL2
await supabase.auth.signOut(); console.log('[AuthCallback] MFA required - keeping AAL1 session for verification');
// At this point, user has NO authenticated session
setMfaFactorId(totpFactor.id); setMfaFactorId(totpFactor.id);
setStatus('mfa_required'); setStatus('mfa_required');
return; // User has NO session - MFA modal will show return; // MFA modal will show, session-based MFA flow will work
} }
} }