feat(security): server-side guard preventing removal of last MFA factor

This commit is contained in:
Gerhard Scheikl
2026-05-31 23:02:40 +02:00
parent f68fd22d2b
commit 2256f8359b
2 changed files with 80 additions and 2 deletions
+14 -2
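--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -50,8 +50,20 @@ export function SecurityClient({
 setNotice(null);
 setBusyId(id);
 try {
-const { error } = await supabase.auth.mfa.unenroll({ factorId: id });
-if (error) throw error;
+const res = await fetch('/api/security/unenroll', {
+method: 'POST',
+headers: { 'Content-Type': 'application/json' },
+body: JSON.stringify({ factorId: id }),
+});
+if (!res.ok) {
+const json = (await res.json().catch(() => null)) as {
+error?: string;
+} | null;
+if (json?.error === 'cannot_remove_last_factor') {
+throw new Error('You must keep at least one two-factor method enabled.');
+}
+throw new Error(json?.error || 'Could not remove this method.');
+}
 router.refresh();
 } catch (e) {
 setError((e as Error).message);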
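Review bot: The fallback `throw new Error(json?.error || 'Could not remove this method.')` surfaces whatever string the server puts in `error` straight into the UI, so any code other than `cannot_remove_last_factor` (or a message that leaks internal detail) is shown verbatim; prefer mapping known codes to user-facing text and logging the raw value, e.g. `console.error('unenroll failed', res.status, json?.error); throw new Error('Could not remove this method.');`. In the catch, `(e as Error).message` is an unchecked assertion under `useUnknownInCatchVariables`; `setError(e instanceof Error ? e.message : 'Could not remove this method.')` keeps a non-Error throw from producing `undefined` in the notice. Since the client no longer calls `supabase.auth.mfa.unenroll` itself, the `/api/security/unenroll` route (in the other changed file, not in view) is now the sole enforcement point and presumably must verify the session and that `factorId` belongs to the caller before counting remaining factors — worth confirming there. The handler containing this hunk begins before line 50 and continues past the last context line.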