Fix MFA bypass vulnerability

Fix homepage date column names
Fix date filtering in homepage hooks
2025-12-28 16:27:08 -05:00 · 2025-10-31 13:41:56 +00:00 · 2025-10-31 13:32:15 +00:00 · 2025-10-31 13:28:11 +00:00
6 changed files with 30 additions and 25 deletions
--- a/src/hooks/homepage/useHomepageClosed.ts
+++ b/src/hooks/homepage/useHomepageClosed.ts
@@ -1,6 +1,7 @@
 import { useQuery } from '@tanstack/react-query';
 import { supabase } from '@/integrations/supabase/client';
 import { queryKeys } from '@/lib/queryKeys';
+import { toDateOnly } from '@/lib/dateUtils';

 export function useHomepageRecentlyClosedParks(enabled = true) {
  return useQuery({
@@ -13,9 +14,9 @@ export function useHomepageRecentlyClosedParks(enabled = true) {
      const { data, error } = await supabase
        .from('parks')
        .select(`*, location:locations(*), operator:companies!parks_operator_id_fkey(*)`)
-        .gte('closed_date', oneYearAgo.toISOString())
-        .lte('closed_date', today.toISOString())
-        .order('closed_date', { ascending: false })
+        .gte('closing_date', toDateOnly(oneYearAgo))
+        .lte('closing_date', toDateOnly(today))
+        .order('closing_date', { ascending: false })
        .limit(12);
      
      if (error) throw error;
@@ -39,9 +40,9 @@ export function useHomepageRecentlyClosedRides(enabled = true) {
      const { data, error } = await supabase
        .from('rides')
        .select(`*, park:parks(*, location:locations(*))`)
-        .gte('closed_date', oneYearAgo.toISOString())
-        .lte('closed_date', today.toISOString())
-        .order('closed_date', { ascending: false })
+        .gte('closing_date', toDateOnly(oneYearAgo))
+        .lte('closing_date', toDateOnly(today))
+        .order('closing_date', { ascending: false })
        .limit(12);
      
      if (error) throw error;
--- a/src/hooks/homepage/useHomepageClosing.ts
+++ b/src/hooks/homepage/useHomepageClosing.ts
@@ -1,6 +1,7 @@
 import { useQuery } from '@tanstack/react-query';
 import { supabase } from '@/integrations/supabase/client';
 import { queryKeys } from '@/lib/queryKeys';
+import { toDateOnly } from '@/lib/dateUtils';

 export function useHomepageClosingSoonParks(enabled = true) {
  return useQuery({
@@ -13,9 +14,9 @@ export function useHomepageClosingSoonParks(enabled = true) {
      const { data, error } = await supabase
        .from('parks')
        .select(`*, location:locations(*), operator:companies!parks_operator_id_fkey(*)`)
-        .gte('closed_date', today.toISOString())
-        .lte('closed_date', sixMonthsFromNow.toISOString())
-        .order('closed_date', { ascending: true })
+        .gte('closing_date', toDateOnly(today))
+        .lte('closing_date', toDateOnly(sixMonthsFromNow))
+        .order('closing_date', { ascending: true })
        .limit(12);
      
      if (error) throw error;
@@ -39,9 +40,9 @@ export function useHomepageClosingSoonRides(enabled = true) {
      const { data, error } = await supabase
        .from('rides')
        .select(`*, park:parks(*, location:locations(*))`)
-        .gte('closed_date', today.toISOString())
-        .lte('closed_date', sixMonthsFromNow.toISOString())
-        .order('closed_date', { ascending: true })
+        .gte('closing_date', toDateOnly(today))
+        .lte('closing_date', toDateOnly(sixMonthsFromNow))
+        .order('closing_date', { ascending: true })
        .limit(12);
      
      if (error) throw error;
--- a/src/hooks/homepage/useHomepageOpened.ts
+++ b/src/hooks/homepage/useHomepageOpened.ts
@@ -1,6 +1,7 @@
 import { useQuery } from '@tanstack/react-query';
 import { supabase } from '@/integrations/supabase/client';
 import { queryKeys } from '@/lib/queryKeys';
+import { toDateOnly } from '@/lib/dateUtils';

 export function useHomepageRecentlyOpenedParks(enabled = true) {
  return useQuery({
@@ -12,8 +13,8 @@ export function useHomepageRecentlyOpenedParks(enabled = true) {
      const { data, error } = await supabase
        .from('parks')
        .select(`*, location:locations(*), operator:companies!parks_operator_id_fkey(*)`)
-        .gte('opened_date', oneYearAgo.toISOString())
-        .order('opened_date', { ascending: false })
+        .gte('opening_date', toDateOnly(oneYearAgo))
+        .order('opening_date', { ascending: false })
        .limit(12);
      
      if (error) throw error;
@@ -36,8 +37,8 @@ export function useHomepageRecentlyOpenedRides(enabled = true) {
      const { data, error } = await supabase
        .from('rides')
        .select(`*, park:parks(*, location:locations(*))`)
-        .gte('opened_date', oneYearAgo.toISOString())
-        .order('opened_date', { ascending: false })
+        .gte('opening_date', toDateOnly(oneYearAgo))
+        .order('opening_date', { ascending: false })
        .limit(12);
      
      if (error) throw error;
--- a/src/hooks/homepage/useHomepageOpeningSoon.ts
+++ b/src/hooks/homepage/useHomepageOpeningSoon.ts
@@ -1,6 +1,7 @@
 import { useQuery } from '@tanstack/react-query';
 import { supabase } from '@/integrations/supabase/client';
 import { queryKeys } from '@/lib/queryKeys';
+import { toDateOnly } from '@/lib/dateUtils';

 export function useHomepageOpeningSoonParks(enabled = true) {
  return useQuery({
@@ -13,9 +14,9 @@ export function useHomepageOpeningSoonParks(enabled = true) {
      const { data, error } = await supabase
        .from('parks')
        .select(`*, location:locations(*), operator:companies!parks_operator_id_fkey(*)`)
-        .gte('opened_date', today.toISOString())
-        .lte('opened_date', sixMonthsFromNow.toISOString())
-        .order('opened_date', { ascending: true })
+        .gte('opening_date', toDateOnly(today))
+        .lte('opening_date', toDateOnly(sixMonthsFromNow))
+        .order('opening_date', { ascending: true })
        .limit(12);
      
      if (error) throw error;
@@ -39,9 +40,9 @@ export function useHomepageOpeningSoonRides(enabled = true) {
      const { data, error } = await supabase
        .from('rides')
        .select(`*, park:parks(*, location:locations(*))`)
-        .gte('opened_date', today.toISOString())
-        .lte('opened_date', sixMonthsFromNow.toISOString())
-        .order('opened_date', { ascending: true })
+        .gte('opening_date', toDateOnly(today))
+        .lte('opening_date', toDateOnly(sixMonthsFromNow))
+        .order('opening_date', { ascending: true })
        .limit(12);
      
      if (error) throw error;
--- a/src/hooks/useRequireMFA.ts
+++ b/src/hooks/useRequireMFA.ts
@@ -43,6 +43,7 @@ export function useRequireMFA() {
    isEnrolled,
    needsEnrollment: requiresMFA && !isEnrolled,
    needsVerification,
+    isBlocked: requiresMFA && (!isEnrolled || (isEnrolled && aal === 'aal1')), // Convenience flag
    aal,
    loading: loading || roleLoading,
  };
--- a/src/pages/AdminDashboard.tsx
+++ b/src/pages/AdminDashboard.tsx
@@ -24,7 +24,7 @@ export default function AdminDashboard() {
  useDocumentTitle('Dashboard - Admin');
  const { user, loading: authLoading } = useAuth();
  const { isModerator, loading: roleLoading } = useUserRole();
-  const { needsEnrollment, loading: mfaLoading } = useRequireMFA();
+  const { needsEnrollment, needsVerification, loading: mfaLoading } = useRequireMFA();
  const navigate = useNavigate();
  const [isRefreshing, setIsRefreshing] = useState(false);
  const [activeTab, setActiveTab] = useState('moderation');
@@ -138,8 +138,8 @@ export default function AdminDashboard() {
    return null;
  }
  
-  // MFA enforcement
-  if (needsEnrollment) {
+  // MFA enforcement - CRITICAL: Block if EITHER not enrolled OR needs verification
+  if (needsEnrollment || needsVerification) {
    return (
      <AdminLayout>
        <MFARequiredAlert />
Author	SHA1	Message	Date
gpt-engineer-app[bot]	4e4876997e	Fix MFA bypass vulnerability	2025-10-31 13:41:56 +00:00
gpt-engineer-app[bot]	47607c55e2	Fix homepage date column names	2025-10-31 13:32:15 +00:00
gpt-engineer-app[bot]	13969b32e4	Fix date filtering in homepage hooks	2025-10-31 13:28:11 +00:00