feat(auth): mandatory 2FA (TOTP + WebAuthn passkeys) with hard enrollment gate, AAL2 step-up, and single-use recovery codes
This commit is contained in:
Gerhard Scheikl
+63
-20
@@ -1,6 +1,26 @@
|
||||
import { createServerClient } from '@supabase/ssr';
|
||||
import { NextResponse, type NextRequest } from 'next/server';
|
||||
|
||||
// Path prefixes that are reachable without a completed MFA step-up. These are
|
||||
// the auth flow itself, the MFA enrollment/challenge surface, their supporting
|
||||
// APIs, and public email templates. Everything else (including the root path)
|
||||
// requires aal2 once the user is authenticated.
|
||||
const MFA_ALLOWLIST = [
|
||||
'/login',
|
||||
'/signup',
|
||||
'/auth',
|
||||
'/security',
|
||||
'/api/auth',
|
||||
'/api/security',
|
||||
'/email-templates',
|
||||
];
|
||||
|
||||
function isMfaAllowlisted(path: string): boolean {
|
||||
return MFA_ALLOWLIST.some(
|
||||
(prefix) => path === prefix || path.startsWith(`${prefix}/`),
|
||||
);
|
||||
}
|
||||
|
||||
export async function middleware(request: NextRequest) {
|
||||
let response = NextResponse.next({ request });
|
||||
|
||||
@@ -27,31 +47,36 @@ export async function middleware(request: NextRequest) {
|
||||
data: { user },
|
||||
} = await supabase.auth.getUser();
|
||||
|
||||
const path = request.nextUrl.pathname;
|
||||
|
||||
// Carry any cookies Supabase rotated onto the working `response` over to a
|
||||
// deny/redirect response, so a refreshed session/refresh token is always
|
||||
// persisted — otherwise a fresh NextResponse would drop them and a
|
||||
// concurrent request could spuriously 401. Also stamp `no-store` so these
|
||||
// short-circuit responses are never cached by intermediaries or the browser.
|
||||
const withCookies = (res: NextResponse): NextResponse => {
|
||||
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
|
||||
res.headers.set('Cache-Control', 'no-store');
|
||||
return res;
|
||||
};
|
||||
|
||||
const redirectTo = (pathname: string, search = ''): NextResponse => {
|
||||
const url = request.nextUrl.clone();
|
||||
url.pathname = pathname;
|
||||
url.search = search;
|
||||
return withCookies(NextResponse.redirect(url));
|
||||
};
|
||||
|
||||
// Defense-in-depth: guard the admin surface here in addition to the
|
||||
// per-route requireAdmin()/requireAdminApi() checks.
|
||||
const path = request.nextUrl.pathname;
|
||||
if (path.startsWith('/admin') || path.startsWith('/api/admin')) {
|
||||
// Carry any cookies Supabase rotated onto the working `response` over to a
|
||||
// deny/redirect response, so a refreshed session/refresh token is always
|
||||
// persisted — otherwise a fresh NextResponse would drop them and a
|
||||
// concurrent request could spuriously 401. Also stamp `no-store` so these
|
||||
// admin deny/redirect responses (which short-circuit before the route's
|
||||
// own jsonNoStore runs) are never cached by intermediaries or the browser.
|
||||
const withCookies = (res: NextResponse): NextResponse => {
|
||||
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
|
||||
res.headers.set('Cache-Control', 'no-store');
|
||||
return res;
|
||||
};
|
||||
if (!user) {
|
||||
if (path.startsWith('/api/admin')) {
|
||||
return withCookies(
|
||||
NextResponse.json({ error: 'unauthorized' }, { status: 401 }),
|
||||
);
|
||||
}
|
||||
const url = request.nextUrl.clone();
|
||||
url.pathname = '/login';
|
||||
url.search = '';
|
||||
return withCookies(NextResponse.redirect(url));
|
||||
return redirectTo('/login');
|
||||
}
|
||||
if (user.app_metadata?.role !== 'admin') {
|
||||
if (path.startsWith('/api/admin')) {
|
||||
@@ -59,10 +84,28 @@ export async function middleware(request: NextRequest) {
|
||||
NextResponse.json({ error: 'forbidden' }, { status: 403 }),
|
||||
);
|
||||
}
|
||||
const url = request.nextUrl.clone();
|
||||
url.pathname = '/dashboard';
|
||||
url.search = '';
|
||||
return withCookies(NextResponse.redirect(url));
|
||||
return redirectTo('/dashboard');
|
||||
}
|
||||
}
|
||||
|
||||
// Mandatory MFA gate for every authenticated request outside the allowlist.
|
||||
if (user && !isMfaAllowlisted(path)) {
|
||||
const [{ data: aal }, { data: factors }] = await Promise.all([
|
||||
supabase.auth.mfa.getAuthenticatorAssuranceLevel(),
|
||||
supabase.auth.mfa.listFactors(),
|
||||
]);
|
||||
const verifiedCount =
|
||||
factors?.all.filter((f) => f.status === 'verified').length ?? 0;
|
||||
|
||||
if (verifiedCount === 0) {
|
||||
// No second factor at all → force enrollment.
|
||||
return redirectTo('/security/enroll');
|
||||
}
|
||||
if (aal?.nextLevel === 'aal2' && aal?.currentLevel === 'aal1') {
|
||||
// Has a factor but session is only aal1 → force step-up, preserving the
|
||||
// originally requested destination.
|
||||
const next = encodeURIComponent(`${path}${request.nextUrl.search}`);
|
||||
return redirectTo('/security/challenge', `?next=${next}`);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user