From 68c6d51d33d5d62b285a4168f489310aa83e448e Mon Sep 17 00:00:00 2001
From: Giancarlo Buomprisco
Date: Sun, 23 Feb 2025 07:44:15 +0700
Subject: [PATCH] Add MFA Flow also to Super Admin (#186)
* Add MFA flow to Super Admin checks
---
 apps/web/middleware.ts | 12 ++++++++++++
 .../admin/src/lib/server/utils/is-super-admin.ts | 9 +++++++++
 2 files changed, 21 insertions(+)
diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index fe1ebf677..34b6ec29d 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts
@@ -115,6 +115,18 @@ async function adminMiddleware(request: NextRequest, response: NextResponse) {
 );
 }
+ const supabase = createMiddlewareClient(request, response);
+
+ const requiresMultiFactorAuthentication =
+ await checkRequiresMultiFactorAuthentication(supabase);
+
+ // If user requires multi-factor authentication, redirect to MFA page.
+ if (requiresMultiFactorAuthentication) {
+ return NextResponse.redirect(
+ new URL(pathsConfig.auth.verifyMfa, origin).href,
+ );
+ }
+
 const role = user?.app_metadata.role;
 // If user is not an admin, redirect to 404 page.
diff --git a/packages/features/admin/src/lib/server/utils/is-super-admin.ts b/packages/features/admin/src/lib/server/utils/is-super-admin.ts
index 1b0deaec1..16b34589d 100644
--- a/packages/features/admin/src/lib/server/utils/is-super-admin.ts
+++ b/packages/features/admin/src/lib/server/utils/is-super-admin.ts
@@ -1,5 +1,6 @@
 import { SupabaseClient } from '@supabase/supabase-js';
+import { checkRequiresMultiFactorAuthentication } from '@kit/supabase/check-requires-mfa';
 import { Database } from '@kit/supabase/database';
 /**
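Review bot: In adminMiddleware the new gate only fires when `checkRequiresMultiFactorAuthentication(supabase)` returns true, and that helper's body is not part of this patch, so it is unclear whether a super admin who has never enrolled a factor is stopped at all. If the helper reports true only for an enrolled user whose session is still below aal2, the admin routes stay reachable with a single factor; the check added to isSuperAdmin in the last hunk has the same limit. If enforcement rather than step-up is intended, compare the session's `currentLevel` from `supabase.auth.mfa.getAuthenticatorAssuranceLevel()` with `'aal2'` once `role` is known to be `super-admin`, or at least state the limit in the comment: `// Only users who enrolled a factor are challenged; admins without MFA still pass.` The redirect also runs before the role check, so a non-admin with a pending challenge is sent to the MFA page where the code below would send them to the 404 page. adminMiddleware starts and ends outside the hunk.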
@@ -18,6 +19,14 @@ export async function isSuperAdmin(client: SupabaseClient) {
 return false;
 }
+ const requiresMultiFactorAuthentication =
+ await checkRequiresMultiFactorAuthentication(client);
+
+ // If user requires multi-factor authentication, deny access.
+ if (requiresMultiFactorAuthentication) {
+ return false;
+ }
+
 const appMetadata = data.user.app_metadata;
 return appMetadata?.role === 'super-admin';
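Review bot: The doc comment on isSuperAdmin (it opens in the previous hunk and is not shown in full) should state that the function now also returns `false` for a user who holds the `super-admin` role but still has an MFA challenge outstanding, because callers cannot tell that case from a user without the role. A line such as `@returns true only when the user has the super-admin role and no MFA verification is pending for the session` would make the contract explicit for anyone using this predicate as an authorization check. The inline comment could say the same more precisely: `// A pending MFA challenge means the session is not yet trusted for admin actions.` isSuperAdmin starts and ends outside the hunk.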