Cleanup

2024-03-24 02:23:22 +08:00
parent 648d77b430
commit bce3479368
589 changed files with 37067 additions and 9596 deletions
--- a/apps/web/app/admin/utils/is-user-super-admin.ts
+++ b/apps/web/app/admin/utils/is-user-super-admin.ts
@@ -0,0 +1,56 @@
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+import { Database } from '@kit/supabase/database';
+
+/**
+ * @name ENFORCE_MFA
+ * @description Set this constant to true if you want the SuperAdmin user to
+ * sign in using MFA when accessing the Admin page
+ */
+const ENFORCE_MFA = false;
+
+/**
+ * @name isUserSuperAdmin
+ * @description Checks if the current user is an admin by checking the
+ * user_metadata.role field in Supabase Auth is set to a SuperAdmin role.
+ */
+const isUserSuperAdmin = async (params: {
+  client: SupabaseClient<Database>;
+  enforceMfa?: boolean;
+}) => {
+  const enforceMfa = params.enforceMfa ?? ENFORCE_MFA;
+  const { data, error } = await params.client.auth.getUser();
+
+  if (error) {
+    return false;
+  }
+
+  // If we enforce MFA, we need to check that the user is MFA authenticated.
+  if (enforceMfa) {
+    const isMfaAuthenticated = await verifyIsMultiFactorAuthenticated(
+      params.client,
+    );
+
+    if (!isMfaAuthenticated) {
+      return false;
+    }
+  }
+
+  const adminMetadata = data.user?.app_metadata;
+  const role = adminMetadata?.role;
+
+  return role === 'super-admin';
+};
+
+export default isUserSuperAdmin;
+
+async function verifyIsMultiFactorAuthenticated(client: SupabaseClient) {
+  const { data, error } =
+    await client.auth.mfa.getAuthenticatorAssuranceLevel();
+
+  if (error || !data) {
+    return false;
+  }
+
+  return data.currentLevel === 'aal2';
+}