Support MFA in auth-redirect plugin #371

Open
xmatthias opened this issue May 23, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@xmatthias

Is your feature request related to a problem? Please describe.

I'm in the process of setting up MFA for my app.
Obviously, after setup, the app should (for users who have it enabled) require MFA right after login.

In my understanding of nuxt, this should be done as part of a (global) middleware - checking if the MFA challenge is missing and redirecting the user to that location.

While the supabase documentation for this is pretty straightforward for setup - I think the "challenge step to login" step is not - at least not how it's best implemented / enforced in a nuxt application.

Describe the solution you'd like

An (optional) feature added to auth-redirect which automatically redirects the user to a /mfa-challange route (obviously configurable) if MFA is required (essentially, for the aal1 -> aal2 step).

In my understanding so far, there could be a check of the "factors" array of the user object to check if 2FA factors are set up - and if they are, an additional call to supabase.auth.mfa.getAuthenticatorAssuranceLevel() can be made - which will determine if a redirect to /mfa-challange will be necessary.

Describe alternatives you've considered

Implement my own middleware to handle the same thing.
While this will certainly work - it'll mean there will be 2 handlers performing almost identical logic, which will certainly impact performance.
Considering this is also a security feature - it should probably not be left to every developer on their own to figure out.

@xmatthias xmatthias added the enhancement New feature or request label May 23, 2024
@IzakJackson

Currently implementing this myself and was hoping the module would be able to handle this for me.

My current thinking is adding a challenge step into the /confirm route.

What solution did you come up with @xmatthias and would you mind sharing?

@xmatthias

xmatthias commented Jun 21, 2024

Essentially - I created a middleware in my app as follows - called it middleware/mfa.global.ts.

```ts
export default defineNuxtRouteMiddleware(async (to) => {
  const config = useRuntimeConfig().public.supabase;
  const { callback } = config.redirectOptions;
  const mfaRoute = '/account/mfa/challange';

  // Never intercept the auth callback or the challenge page itself,
  // otherwise the redirect would loop. '*' in a path acts as a wildcard.
  const isExcluded = [callback, mfaRoute].some((path) => {
    const regex = new RegExp(`^${path.replace(/\*/g, '.*')}$`);
    return regex.test(to.path);
  });
  if (isExcluded) return;

  const user = useSupabaseUser();
  if (user.value) {
    if ((user.value.factors?.length ?? 0) > 0) {
      // User has MFA factors enrolled: ask the server which assurance level
      // the session currently has and which one it can be raised to.
      const supabase = useSupabaseClient();
      const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
      if (error) {
        console.error('Error getting mfa assurance level', error);
        return;
      }
      if (data) {
        // Session is still aal1 but the user can step up to aal2: send them
        // to the challenge page before letting them continue.
        if (data.currentLevel !== 'aal2' && data.nextLevel === 'aal2') {
          return navigateTo(mfaRoute);
        }
      }
    }
  }
});
```

It's effectively a (reduced) copy of the middleware found in this repository (reduced as the middleware from nuxt/supabase applies anyway) - so I suspect incorporating this into the actual middleware would be pretty simple - obviously on a conditional level.

Now I'd be happy to provide a PR for that - but so far, there's been no interaction from maintainers, so I'm not sure if it's worth the time to create a PR - if it's then going to be ignored.
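The redirect decision described in the feature request and implemented in the middleware above, pulled out of Nuxt as an added example (not code from the nuxt/supabase module or from the issue author) so it can be unit-tested with constructed inputs. It splits the logic into two stages so the caller only pays for the `getAuthenticatorAssuranceLevel()` round trip when a verified factor exists. The `status` field on a factor, the `RedirectOptions` type, and all function names are assumptions made for this example; the `aal1`/`aal2` values and the `currentLevel`/`nextLevel` fields are the ones the thread relies on.

```typescript
type AalLevel = 'aal1' | 'aal2';

// One entry of user.factors. The `status` field is an assumption about the
// Supabase user object: a factor the user started enrolling but never
// confirmed should not force a challenge.
interface Factor {
  id: string;
  factor_type: string;
  status: 'verified' | 'unverified';
}

// Data part of supabase.auth.mfa.getAuthenticatorAssuranceLevel().
interface AalResponse {
  currentLevel: AalLevel | null;
  nextLevel: AalLevel | null;
}

interface AalResult {
  data: AalResponse | null;
  error: { message: string } | null;
}

// Assumed option shape: the module's redirectOptions.callback plus the
// route hosting the aal1 -> aal2 challenge.
interface RedirectOptions {
  callback: string;
  mfaRoute: string;
}

// Glob-style matcher like the middleware's: '*' matches any run of characters.
// Other regex metacharacters are escaped so '/a.b' only matches that literal path.
function isExcludedPath(path: string, patterns: string[]): boolean {
  return patterns.some((pattern) => {
    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
    return new RegExp(`^${escaped}$`).test(path);
  });
}

function hasVerifiedFactor(factors: Factor[] | undefined): boolean {
  return (factors ?? []).some((f) => f.status === 'verified');
}

// Stage 1: cheap, local checks. True means the AAL lookup is worth doing.
function mfaLookupNeeded(
  toPath: string,
  opts: RedirectOptions,
  user: { factors?: Factor[] } | null,
): boolean {
  if (isExcludedPath(toPath, [opts.callback, opts.mfaRoute])) return false;
  if (!user) return false;
  return hasVerifiedFactor(user.factors);
}

// Stage 2: interpret the server's answer. Returns the route to redirect to,
// or null to let navigation continue. Unlike the middleware above, an error or
// empty response fails closed: an enrolled user whose assurance level cannot
// be confirmed is sent to the challenge page (which is excluded, so no loop).
function redirectFromAal(result: AalResult, opts: RedirectOptions): string | null {
  if (result.error || !result.data) return opts.mfaRoute;
  const { currentLevel, nextLevel } = result.data;
  return currentLevel !== 'aal2' && nextLevel === 'aal2' ? opts.mfaRoute : null;
}

// Both stages wired together the way a route middleware would call them.
async function resolveMfaRedirect(
  toPath: string,
  opts: RedirectOptions,
  user: { factors?: Factor[] } | null,
  getAal: () => Promise<AalResult>,
): Promise<string | null> {
  if (!mfaLookupNeeded(toPath, opts, user)) return null;
  return redirectFromAal(await getAal(), opts);
}

// Constructed sample data for a stand-alone run.
const sampleOpts: RedirectOptions = { callback: '/confirm', mfaRoute: '/account/mfa/challenge' };
const enrolledUser = { factors: [{ id: 'f1', factor_type: 'totp', status: 'verified' as const }] };
const enrollingUser = { factors: [{ id: 'f2', factor_type: 'totp', status: 'unverified' as const }] };
const freshLogin: AalResult = { data: { currentLevel: 'aal1', nextLevel: 'aal2' }, error: null };

resolveMfaRedirect('/dashboard', sampleOpts, enrolledUser, async () => freshLogin).then((r) =>
  console.log('redirect to:', r),
);
```

Keeping the matcher separate also makes the exclusion list easy to test on its own, which matters here because a pattern that accidentally matches too much silently disables the MFA check for those routes.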

@IzakJackson

@xmatthias Thanks for the help!
