Enforce RLS when user opted in to MFA. (#188)

* Allow Super Admin to view tables using RLS * Replace previous usages of the Admin client using the authed client using the new RLS * Enforce MFA for Super Admin users * Enforce RLS when user opted in to MFA. * Add Super Admin Access Policies and Update Database Types * Consolidate super admin logic into a single function that uses the RPC is_super_admin * Added Super Admin E2E tests * Fixes and improvements * Bump version to 2.5.0
2025-03-02 10:21:01 +07:00
parent 9cf7bf0aac
commit 131b1061e6
61 changed files with 2193 additions and 302 deletions
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -3,6 +3,7 @@ import { NextResponse, URLPattern } from 'next/server';

 import { CsrfError, createCsrfProtect } from '@edge-csrf/nextjs';

+import { isSuperAdmin } from '@kit/admin';
 import { checkRequiresMultiFactorAuthentication } from '@kit/supabase/check-requires-mfa';
 import { createMiddlewareClient } from '@kit/supabase/middleware-client';

@@ -115,22 +116,11 @@ async function adminMiddleware(request: NextRequest, response: NextResponse) {
    );
  }

-  const supabase = createMiddlewareClient(request, response);
-
-  const requiresMultiFactorAuthentication =
-    await checkRequiresMultiFactorAuthentication(supabase);
-
-  // If user requires multi-factor authentication, redirect to MFA page.
-  if (requiresMultiFactorAuthentication) {
-    return NextResponse.redirect(
-      new URL(pathsConfig.auth.verifyMfa, origin).href,
-    );
-  }
-
-  const role = user?.app_metadata.role;
+  const client = createMiddlewareClient(request, response);
+  const userIsSuperAdmin = await isSuperAdmin(client);

  // If user is not an admin, redirect to 404 page.
-  if (!role || role !== 'super-admin') {
+  if (!userIsSuperAdmin) {
    return NextResponse.redirect(new URL('/404', request.nextUrl.origin).href);
  }