Enforce RLS when user opted in to MFA. (#188)

* Allow Super Admin to view tables using RLS * Replace previous usages of the Admin client using the authed client using the new RLS * Enforce MFA for Super Admin users * Enforce RLS when user opted in to MFA. * Add Super Admin Access Policies and Update Database Types * Consolidate super admin logic into a single function that uses the RPC is_super_admin * Added Super Admin E2E tests * Fixes and improvements * Bump version to 2.5.0
2025-03-02 10:21:01 +07:00
parent 9cf7bf0aac
commit 131b1061e6
61 changed files with 2193 additions and 302 deletions
--- a/packages/features/accounts/src/components/personal-account-dropdown.tsx
+++ b/packages/features/accounts/src/components/personal-account-dropdown.tsx
@@ -76,7 +76,13 @@ export function PersonalAccountDropdown({
    personalAccountData?.name ?? account?.name ?? user?.email ?? '';

  const isSuperAdmin = useMemo(() => {
-    return user?.app_metadata.role === 'super-admin';
+    const factors = user?.factors ?? [];
+    const hasAdminRole = user?.app_metadata.role === 'super-admin';
+    const hasTotpFactor = factors.some(
+      (factor) => factor.factor_type === 'totp' && factor.status === 'verified',
+    );
+
+    return hasAdminRole && hasTotpFactor;
  }, [user]);

  return (
@@ -179,12 +185,14 @@ export function PersonalAccountDropdown({

          <DropdownMenuItem asChild>
            <Link
-              className={'s-full flex cursor-pointer items-center space-x-2'}
+              className={
+                's-full flex cursor-pointer items-center space-x-2 text-yellow-700 dark:text-yellow-500'
+              }
              href={'/admin'}
            >
              <Shield className={'h-5'} />

-              <span>Admin</span>
+              <span>Super Admin</span>
            </Link>
          </DropdownMenuItem>
        </If>