fix mfa login after keycloak

2025-10-04 17:36:36 +03:00
parent 7d90b5b910
commit 3f17b82fdb
5 changed files with 58 additions and 14 deletions
--- a/packages/features/auth/src/components/multi-factor-challenge-container.tsx
+++ b/packages/features/auth/src/components/multi-factor-challenge-container.tsx
@@ -46,8 +46,13 @@ export function MultiFactorChallengeContainer({
  const router = useRouter();

  const verifyMFAChallenge = useVerifyMFAChallenge({
-    onSuccess: () => {
-      router.replace(paths.redirectPath);
+    onSuccess: async () => {
+      try {
+        await fetch('/api/after-mfa', { method: 'POST' });
+        router.replace(paths.redirectPath);
+      } catch (err) {
+        // ignore
+      }
    },
  });

--- a/packages/supabase/src/auth-callback.service.ts
+++ b/packages/supabase/src/auth-callback.service.ts
@@ -1,7 +1,5 @@
 import 'server-only';

-import getBaseWebpackConfig from 'next/dist/build/webpack-config';
-
 import {
  AuthError,
  type EmailOtpType,
@@ -9,6 +7,8 @@ import {
  User,
 } from '@supabase/supabase-js';

+import { checkRequiresMultiFactorAuthentication } from './check-requires-mfa';
+
 /**
 * @name createAuthCallbackService
 * @description Creates an instance of the AuthCallbackService
@@ -137,10 +137,12 @@ class AuthCallbackService {
    | {
        isSuccess: boolean;
        user: User;
+        requiresMultiFactorAuthentication: boolean;
      }
    | ErrorURLParameters
  > {
    let user: User;
+    let requiresMultiFactorAuthentication: boolean;
    try {
      const { data, error } =
        await this.client.auth.exchangeCodeForSession(authCode);
@@ -153,8 +155,14 @@ class AuthCallbackService {
        });
      }

-      // Handle Keycloak users - set up Medusa integration
-      if (data?.user && this.isKeycloakUser(data.user)) {
+      requiresMultiFactorAuthentication =
+        await checkRequiresMultiFactorAuthentication(this.client);
+
+      if (
+        !requiresMultiFactorAuthentication &&
+        data?.user &&
+        this.isKeycloakUser(data.user)
+      ) {
        await this.setupMedusaUserForKeycloak(data.user);
      }

@@ -179,20 +187,21 @@ class AuthCallbackService {
    return {
      isSuccess: true,
      user,
+      requiresMultiFactorAuthentication,
    };
  }

  /**
   * Check if user is from Keycloak provider
   */
-  private isKeycloakUser(user: any): boolean {
+  isKeycloakUser(user: any): boolean {
    return (
      user?.app_metadata?.provider === 'keycloak' ||
      user?.app_metadata?.providers?.includes('keycloak')
    );
  }

-  private async setupMedusaUserForKeycloak(user: any): Promise<void> {
+  async setupMedusaUserForKeycloak(user: any): Promise<void> {
    if (!user.email) {
      console.warn('Keycloak user has no email, skipping Medusa setup');
      return;
@@ -285,6 +294,7 @@ interface ErrorURLParameters {
  error: string;
  code?: string;
  searchParams: string;
+  requiresMultiFactorAuthentication: boolean;
 }

 export function getErrorURLParameters({
@@ -313,6 +323,7 @@ export function getErrorURLParameters({
    error: errorMessage,
    code: code ?? '',
    searchParams: searchParams.toString(),
+    requiresMultiFactorAuthentication: false,
  };
 }