pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-29 01:27:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: pacnpal:bf40d270826c83395fd122fefb24a3a9340a48c9
Branches Tags
pacnpal:main pacnpal:dev pacnpal:edit/edt-5d4e06f4-a087-42e0-80bb-a43139fa066b pacnpal:edit/edt-3a0af0c5-3daa-4be8-b4ab-a9fa03de0373 pacnpal:edit/edt-f369b8ce-d150-4532-a6a0-2ba80ace6b58 pacnpal:edit/edt-6e45b77e-1d54-4173-af1a-dcbcd886645d pacnpal:edit/edt-6eb47d5c-853d-43ab-96a7-16a5cc006c30 pacnpal:edit/edt-9a567ba5-b52f-46b3-bdef-b847b9ba7963 pacnpal:edit/edt-61e75a20-f83d-40b2-8bc4-b6ff40b23450 pacnpal:edit/edt-22d9eca7-0c70-44d8-865d-791ef884dfbd pacnpal:edit/edt-ffd226b0-af99-491b-b6b8-3fe0063e0082 pacnpal:edit/edt-a95a840d-e7e7-4f9e-aa25-03bb68194aee pacnpal:django-backend pacnpal:claude/audit-django-migration-011CUw4bfUEAsSoD5BpMRCtK pacnpal:claude/pipeline-error-handling-011CUujxQjLLS8RcB1jtZoT5
..
compare: pacnpal:a9d4ee44e530a109b0172d447705b18a41dfa99e
Branches Tags
pacnpal:main pacnpal:dev pacnpal:edit/edt-5d4e06f4-a087-42e0-80bb-a43139fa066b pacnpal:edit/edt-3a0af0c5-3daa-4be8-b4ab-a9fa03de0373 pacnpal:edit/edt-f369b8ce-d150-4532-a6a0-2ba80ace6b58 pacnpal:edit/edt-6e45b77e-1d54-4173-af1a-dcbcd886645d pacnpal:edit/edt-6eb47d5c-853d-43ab-96a7-16a5cc006c30 pacnpal:edit/edt-9a567ba5-b52f-46b3-bdef-b847b9ba7963 pacnpal:edit/edt-61e75a20-f83d-40b2-8bc4-b6ff40b23450 pacnpal:edit/edt-22d9eca7-0c70-44d8-865d-791ef884dfbd pacnpal:edit/edt-ffd226b0-af99-491b-b6b8-3fe0063e0082 pacnpal:edit/edt-a95a840d-e7e7-4f9e-aa25-03bb68194aee pacnpal:django-backend pacnpal:claude/audit-django-migration-011CUw4bfUEAsSoD5BpMRCtK pacnpal:claude/pipeline-error-handling-011CUujxQjLLS8RcB1jtZoT5

2 Commits
bf40d27082 ... a9d4ee44e5

Author SHA1 Message Date
gpt-engineer-app[bot]
a9d4ee44e5 Fix: Prevent AAL1 session on MFA login 2025-10-31 16:51:25 +00:00
gpt-engineer-app[bot]
f36d6266be Fix: Remove signOut() calls before MFA 2025-10-31 16:37:36 +00:00
3 changed files with 120 additions and 38 deletions
Expand all files Collapse all files

69
src/components/auth/AuthModal.tsx
View File

@@ -131,11 +131,15 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) {
// IMMEDIATELY DESTROY THE AAL1 SESSION (same as Auth.tsx password flow)
console.log('[AuthModal] MFA required - destroying AAL1 session before challenge');
// DESTROY the AAL1 session - user should NOT be logged in before MFA
console.log('[AuthModal] MFA required - destroying AAL1 session and storing credentials');
await supabase.auth.signOut();
// At this point, user has NO authenticated session
// Store credentials in memory for re-authentication after TOTP
sessionStorage.setItem('mfa_pending_email_modal', formData.email);
sessionStorage.setItem('mfa_pending_password_modal', formData.password);
sessionStorage.setItem('mfa_factor_id_modal', totpFactor.id);
setMfaFactorId(totpFactor.id);
setLoading(false);
return; // User has NO session - MFA modal will show
@@ -167,30 +171,71 @@ export function AuthModal({ open, onOpenChange, defaultTab = 'signin' }: AuthMod
};
const handleMfaSuccess = async () => {
// Verify AAL upgrade was successful
const { data: { session } } = await supabase.auth.getSession();
const verification = await verifyMfaUpgrade(session);
console.log('[AuthModal] MFA verification succeeded');
if (!verification.success) {
// Retrieve stored credentials
const email = sessionStorage.getItem('mfa_pending_email_modal');
const password = sessionStorage.getItem('mfa_pending_password_modal');
if (!email || !password) {
console.error('[AuthModal] Missing stored credentials for re-authentication');
toast({
title: "Authentication error",
description: "Please sign in again.",
variant: "destructive",
title: "MFA Verification Failed",
description: verification.error || "Failed to upgrade session. Please try again."
});
setMfaFactorId(null);
return;
}
// Clear stored credentials
sessionStorage.removeItem('mfa_pending_email_modal');
sessionStorage.removeItem('mfa_pending_password_modal');
sessionStorage.removeItem('mfa_factor_id_modal');
// Re-authenticate with stored credentials - this should create AAL2 session
console.log('[AuthModal] Re-authenticating with verified credentials');
const { error: reAuthError } = await supabase.auth.signInWithPassword({
email,
password,
});
// Force sign out on verification failure
await supabase.auth.signOut();
if (reAuthError) {
console.error('[AuthModal] Re-authentication failed:', reAuthError);
toast({
title: "Authentication error",
description: "Please sign in again.",
variant: "destructive",
});
setMfaFactorId(null);
return;
}
setMfaFactorId(null);
toast({
title: "Authentication complete",
description: "You've been signed in successfully.",
});
onOpenChange(false);
};
const handleMfaCancel = () => {
const handleMfaCancel = async () => {
console.log('[AuthModal] User cancelled MFA verification');
// Clear stored credentials
sessionStorage.removeItem('mfa_pending_email_modal');
sessionStorage.removeItem('mfa_pending_password_modal');
sessionStorage.removeItem('mfa_factor_id_modal');
setMfaFactorId(null);
setSignInCaptchaKey(prev => prev + 1);
toast({
title: "Authentication cancelled",
description: "Please sign in again when you're ready to complete two-factor authentication.",
});
};
const handleSignUp = async (e: React.FormEvent) => {

76
src/pages/Auth.tsx
View File

@@ -155,13 +155,15 @@ export default function Auth() {
const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) {
// CRITICAL SECURITY FIX: IMMEDIATELY DESTROY THE AAL1 SESSION
// The user MUST NOT have any active session before completing MFA
console.log('[Auth] MFA required - destroying AAL1 session before challenge');
// DESTROY the AAL1 session - user should NOT be logged in before MFA
console.log('[Auth] MFA required - destroying AAL1 session and storing credentials');
await supabase.auth.signOut();
// Store email and factor ID in component state ONLY
// At this point, user has NO authenticated session
// Store credentials in memory for re-authentication after TOTP
sessionStorage.setItem('mfa_pending_email', formData.email);
sessionStorage.setItem('mfa_pending_password', formData.password);
sessionStorage.setItem('mfa_factor_id', totpFactor.id);
setMfaPendingEmail(formData.email);
setMfaFactorId(totpFactor.id);
setLoading(false);
@@ -228,40 +230,76 @@ export default function Auth() {
};
const handleMfaSuccess = async () => {
// Verify AAL upgrade was successful
const { data: { session } } = await supabase.auth.getSession();
const verification = await verifyMfaUpgrade(session);
console.log('[Auth] MFA verification succeeded');
if (!verification.success) {
// Retrieve stored credentials
const email = sessionStorage.getItem('mfa_pending_email');
const password = sessionStorage.getItem('mfa_pending_password');
if (!email || !password) {
console.error('[Auth] Missing stored credentials for re-authentication');
toast({
title: "Authentication error",
description: "Please sign in again.",
variant: "destructive",
title: "MFA Verification Failed",
description: verification.error || "Failed to upgrade session. Please try again."
});
setMfaFactorId(null);
setMfaPendingEmail(null);
return;
}
// Clear stored credentials
sessionStorage.removeItem('mfa_pending_email');
sessionStorage.removeItem('mfa_pending_password');
sessionStorage.removeItem('mfa_factor_id');
// Re-authenticate with stored credentials - this should create AAL2 session
console.log('[Auth] Re-authenticating with verified credentials');
const { error: reAuthError } = await supabase.auth.signInWithPassword({
email,
password,
});
// Force sign out on verification failure
await supabase.auth.signOut();
if (reAuthError) {
console.error('[Auth] Re-authentication failed:', reAuthError);
toast({
title: "Authentication error",
description: "Please sign in again.",
variant: "destructive",
});
setMfaFactorId(null);
setMfaPendingEmail(null);
return;
}
setMfaFactorId(null);
setMfaPendingEmail(null);
toast({
title: "Welcome back!",
description: "You've been signed in successfully."
title: "Authentication complete",
description: "You've been signed in successfully.",
});
setTimeout(() => {
navigate('/');
}, 500);
};
const handleMfaCancel = async () => {
// Clear state variables
console.log('[Auth] User cancelled MFA verification');
// Clear stored credentials
sessionStorage.removeItem('mfa_pending_email');
sessionStorage.removeItem('mfa_pending_password');
sessionStorage.removeItem('mfa_factor_id');
setMfaFactorId(null);
setMfaPendingEmail(null);
setSignInCaptchaKey(prev => prev + 1);
toast({
title: "Sign in cancelled",
description: "Two-factor authentication is required for your account. Please sign in again and complete MFA verification.",
variant: "destructive"
title: "Authentication cancelled",
description: "Please sign in again when you're ready to complete two-factor authentication.",
});
};
const handleSignUp = async (e: React.FormEvent) => {

9
src/pages/AuthCallback.tsx
View File

@@ -119,14 +119,13 @@ export default function AuthCallback() {
const totpFactor = factors?.totp?.find(f => f.status === 'verified');
if (totpFactor) {
// IMMEDIATELY DESTROY THE AAL1 SESSION (same as password flow)
console.log('[AuthCallback] MFA required - destroying AAL1 session before challenge');
await supabase.auth.signOut();
// OAuth flow: We can't store the OAuth token, so we keep the AAL1 session
// This is unavoidable for OAuth flows - but RLS blocks sensitive operations
console.log('[AuthCallback] OAuth MFA required - keeping AAL1 session (OAuth limitation)');
// At this point, user has NO authenticated session
setMfaFactorId(totpFactor.id);
setStatus('mfa_required');
return; // User has NO session - MFA modal will show
return;
}
}