Overview
The application requires all users to set up 2FA using TOTP (Time-based One-Time Password) via Supabase Auth. Users cannot access the app without completing 2FA setup.How It Works
User Flow
- User logs in with email/password
- If no 2FA → redirected to
/mfa-setup - If 2FA exists but not verified → redirected to
/mfa-verify - If 2FA complete → access granted
Setup Process
- User scans QR code with authenticator app
- User enters 6-digit code to verify
- 2FA is enabled and required for future logins
Components
MfaSetupPage.tsx
- Generates QR code via Supabase
- Shows manual secret as fallback
- Verifies setup with 6-digit code
- Redirects to home when complete
MfaVerifyPage.tsx
- Prompts for 6-digit code during login
- Verifies code via Supabase
- Redirects to home when verified
MfaManagement.tsx
- Lists user’s 2FA devices
- Allows removing devices
- Handles cleanup when last device removed
Route Protection
ProtectedRoute.tsx handles the redirects:AuthContext Methods
The following methods are available inAuthContext:
enrollMfa()- Returns QR code and secret for setupverifyMfaEnrollment(factorId, code)- Verifies setup codeverifyMfaLogin(code)- Verifies login codegetMfaFactors()- Lists user’s 2FA devicesunenrollMfa(factorId)- Removes a 2FA device
Technical Details
- Uses Supabase Auth’s built-in TOTP implementation
- QR codes are generated server-side
- 30-second code rotation (standard TOTP)
- Works with any RFC 6238 compatible app (Google Authenticator, Authy, etc.)
Error Handling
Simple error handling for:- Invalid verification codes
- Network errors
- Missing factors
This is a straightforward implementation. Users who lose access to their authenticator app will need admin assistance to reset their account.