57 lines
1.4 KiB
TypeScript
57 lines
1.4 KiB
TypeScript
import type { SupabaseClient } from '@supabase/supabase-js';
|
|
|
|
import { Database } from '@kit/supabase/database';
|
|
|
|
/**
|
|
* @name ENFORCE_MFA
|
|
* @description Set this constant to true if you want the SuperAdmin user to
|
|
* sign in using MFA when accessing the Admin page
|
|
*/
|
|
const ENFORCE_MFA = false;
|
|
|
|
/**
|
|
* @name isUserSuperAdmin
|
|
* @description Checks if the current user is an admin by checking the
|
|
* user_metadata.role field in Supabase Auth is set to a SuperAdmin role.
|
|
*/
|
|
const isUserSuperAdmin = async (params: {
|
|
client: SupabaseClient<Database>;
|
|
enforceMfa?: boolean;
|
|
}) => {
|
|
const enforceMfa = params.enforceMfa ?? ENFORCE_MFA;
|
|
const { data, error } = await params.client.auth.getUser();
|
|
|
|
if (error) {
|
|
return false;
|
|
}
|
|
|
|
// If we enforce MFA, we need to check that the user is MFA authenticated.
|
|
if (enforceMfa) {
|
|
const isMfaAuthenticated = await verifyIsMultiFactorAuthenticated(
|
|
params.client,
|
|
);
|
|
|
|
if (!isMfaAuthenticated) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
const adminMetadata = data.user?.app_metadata;
|
|
const role = adminMetadata?.role;
|
|
|
|
return role === 'super-admin';
|
|
};
|
|
|
|
export default isUserSuperAdmin;
|
|
|
|
async function verifyIsMultiFactorAuthenticated(client: SupabaseClient) {
|
|
const { data, error } =
|
|
await client.auth.mfa.getAuthenticatorAssuranceLevel();
|
|
|
|
if (error || !data) {
|
|
return false;
|
|
}
|
|
|
|
return data.currentLevel === 'aal2';
|
|
}
|