fix: restrict mfa enrollment to aal2 if verified factors are present (#…

…1439) ## What kind of change does this PR introduce? as per internal discussion Co-authored-by: Kang Ming <kang.ming1996@gmail.com>
supabase · Feb 19, 2024 · 7e10d45 · 7e10d45
1 parent f974bdb
commit 7e10d45
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/internal/api/mfa.go b/internal/api/mfa.go
@@ -62,6 +62,7 @@ const (
 func (a *API) EnrollFactor(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	user := getUser(ctx)
+	session := getSession(ctx)
 	config := a.config
 
 	params := &EnrollFactorParams{}
@@ -110,6 +111,10 @@ func (a *API) EnrollFactor(w http.ResponseWriter, r *http.Request) error {
 		return forbiddenError("Maximum number of enrolled factors reached, unenroll to continue")
 	}
 
+	if numVerifiedFactors > 0 && !session.IsAAL2() {
+		return forbiddenError("AAL2 required to enroll a new factor")
+	}
+
 	key, err := totp.Generate(totp.GenerateOpts{
 		Issuer:      issuer,
 		AccountName: user.GetEmail(),