fix: superadmin 2fa login (#1544)

Author: annarhughes

components/guards/SetupMFA.tsx

@@ -1,13 +1,18 @@
 'use client';
 
-import { sendVerificationEmail, triggerInitialMFA, verifyMFA } from '@/lib/auth';
+import {
+  reauthenticateUser,
+  sendVerificationEmail,
+  triggerInitialMFA,
+  verifyMFA,
+} from '@/lib/auth';
 import { auth } from '@/lib/firebase';
 import { useTypedSelector } from '@/lib/hooks/store';
-import { Box, Button, TextField, Typography } from '@mui/material';
+import { Alert, Box, Button, TextField, Typography } from '@mui/material';
 import { useRollbar } from '@rollbar/react';
 import { useTranslations } from 'next-intl';
 import { useRouter } from 'next/navigation';
-import { useState } from 'react';
+import { useEffect, useRef, useState } from 'react';
 import PhoneInput from '../forms/PhoneInput';
 
 const buttonStyle = {
@@ -27,24 +32,89 @@ const SetupMFA = () => {
   const [verificationId, setVerificationId] = useState('');
   const [verificationCode, setVerificationCode] = useState('');
   const [error, setError] = useState('');
+  const [showReauth, setShowReauth] = useState(false);
+  const [password, setPassword] = useState('');
+  const [isReauthenticating, setIsReauthenticating] = useState(false);
+  const recaptchaContainerRef = useRef<HTMLDivElement>(null);
+  const recaptchaCleanupRef = useRef<(() => void) | null>(null);
 
+  // Clean up reCAPTCHA on unmount
+  useEffect(() => {
+    return () => {
+      if (recaptchaContainerRef.current) {
+        recaptchaContainerRef.current.innerHTML = '';
+      }
+      if (recaptchaCleanupRef.current) {
+        recaptchaCleanupRef.current();
+        recaptchaCleanupRef.current = null;
+      }
+    };
+  }, []);
+
+  const handleReauthentication = async () => {
+    if (!password.trim()) {
+      setError(t('form.passwordRequired'));
+      return;
+    }
+
+    setIsReauthenticating(true);
+    setError('');
+
+    try {
+      await reauthenticateUser(password);
+      setShowReauth(false);
+      setPassword('');
+      // Reset the MFA setup process
+      setVerificationId('');
+      setVerificationCode('');
+      setPhoneNumber('');
+    } catch (error: any) {
+      rollbar.error('Reauthentication error:', error);
+      if (error.code === 'auth/wrong-password') {
+        setError(t('form.firebase.wrongPassword'));
+      } else if (error.code === 'auth/too-many-requests') {
+        setError(t('form.firebase.tooManyAttempts'));
+      } else {
+        setError(t('form.reauthenticationError'));
+      }
+    } finally {
+      setIsReauthenticating(false);
+    }
+  };
   const handleEnrollMFA = async () => {
     if (!userVerifiedEmail) {
       setError(t('form.emailNotVerified'));
       rollbar.error('MFA setup page reached before email is verified');
       return;
     }
 
+    setError('');
+
+    // Clean up any existing reCAPTCHA before creating a new one
+    if (recaptchaContainerRef.current) {
+      recaptchaContainerRef.current.innerHTML = '';
+    }
+    if (recaptchaCleanupRef.current) {
+      recaptchaCleanupRef.current();
+      recaptchaCleanupRef.current = null;
+    }
+
     const { verificationId, error } = await triggerInitialMFA(phoneNumber);
     if (error) {
-      setError(t('form.mfaEnrollError'));
-      rollbar.error('MFA enrollment trigger error:', error);
+      if (error.code === 'auth/requires-recent-login') {
+        setShowReauth(true);
+        setError('');
+      } else {
+        setError(t('form.mfaEnrollError'));
+        rollbar.error('MFA enrollment trigger error:', error);
+      }
     } else {
       setVerificationId(verificationId!);
     }
   };
 
   const handleFinalizeMFA = async () => {
+    setError('');
     const { success, error } = await verifyMFA(verificationId, verificationCode);
     if (success) {
       router.push('/admin/dashboard');
@@ -55,18 +125,69 @@ const SetupMFA = () => {
   };
 
   const handleSendVerificationEmail = async () => {
+    setError('');
     const user = auth.currentUser;
     if (user) {
       const { error } = await sendVerificationEmail(user);
       if (error) {
+        rollbar.error('Send verification email error:', error);
         setError(t('form.emailVerificationError'));
       } else {
-        rollbar.error('Send verification email error:', error || ' Undefined');
-        setError(t('form.emailVerificationSent'));
+        // Show success message instead of error
+        setError('');
+        // You might want to show a success state here instead
       }
     }
   };
 
+  if (showReauth) {
+    return (
+      <Box>
+        <Typography variant="h3">{t('setupMFA.reauthTitle')}</Typography>
+        <Typography mb={2}>{t('setupMFA.reauthDescription')}</Typography>
+
+        <TextField
+          id="password"
+          type="password"
+          value={password}
+          onChange={(e) => setPassword(e.target.value)}
+          label={t('form.passwordLabel')}
+          fullWidth
+          variant="standard"
+          margin="normal"
+          required
+        />
+
+        {error && (
+          <Alert severity="error" sx={{ mt: 2 }}>
+            {error}
+          </Alert>
+        )}
+
+        <Box sx={{ mt: 2, display: 'flex', gap: 2 }}>
+          <Button
+            variant="outlined"
+            onClick={() => {
+              setShowReauth(false);
+              setPassword('');
+              setError('');
+            }}
+            disabled={isReauthenticating}
+          >
+            {t('setupMFA.cancelReauth')}
+          </Button>
+          <Button
+            variant="contained"
+            color="secondary"
+            onClick={handleReauthentication}
+            disabled={isReauthenticating || !password.trim()}
+          >
+            {isReauthenticating ? t('setupMFA.reauthenticating') : t('setupMFA.confirmReauth')}
+          </Button>
+        </Box>
+      </Box>
+    );
+  }
   return (
     <Box>
       <Typography variant="h3">{t('setupMFA.title')}</Typography>
@@ -93,6 +214,7 @@ const SetupMFA = () => {
         <>
           <Typography>{t('setupMFA.enterCodeHelperText')}</Typography>
           <TextField
+            id="verificationCode"
             value={verificationCode}
             onChange={(e) => setVerificationCode(e.target.value)}
             label={t('form.verificationCodeLabel')}
@@ -111,11 +233,11 @@ const SetupMFA = () => {
         </>
       )}
       {error && (
-        <Typography color="error" sx={{ mt: '1rem !important' }}>
+        <Alert severity="error" sx={{ mt: 2 }}>
           {error}
-        </Typography>
+        </Alert>
       )}
-      <div id="recaptcha-container"></div>
+      <div id="recaptcha-container" ref={recaptchaContainerRef}></div>
     </Box>
   );
 };

components/guards/VerifyMFA.tsx

@@ -7,7 +7,7 @@ import type { MultiFactorResolver } from 'firebase/auth';
 import { useTranslations } from 'next-intl';
 import { useRouter } from 'next/navigation';
 import type React from 'react'; // Added import for React
-import { useEffect, useState } from 'react';
+import { useEffect, useState, useRef } from 'react';
 
 const buttonStyle = {
   display: 'block',
@@ -28,7 +28,18 @@ const VerifyMFA: React.FC<VerifyMFAProps> = ({ resolver }) => {
   const [error, setError] = useState('');
   const router = useRouter();
   const rollbar = useRollbar();
+  const recaptchaContainerRef = useRef<HTMLDivElement>(null);
+  const hasRecaptchaRendered = useRef(false);
 
+  // Clean up reCAPTCHA on unmount
+  useEffect(() => {
+    return () => {
+      if (hasRecaptchaRendered.current && recaptchaContainerRef.current) {
+        recaptchaContainerRef.current.innerHTML = '';
+        hasRecaptchaRendered.current = false;
+      }
+    };
+  }, []);
   useEffect(() => {
     // Get the phone number from the resolver
     const hint = resolver.hints[0];
@@ -40,12 +51,20 @@ const VerifyMFA: React.FC<VerifyMFAProps> = ({ resolver }) => {
 
   const handleTriggerMFA = async () => {
     setError('');
+
+    // Clear any existing reCAPTCHA before creating a new one
+    if (recaptchaContainerRef.current) {
+      recaptchaContainerRef.current.innerHTML = '';
+      hasRecaptchaRendered.current = false;
+    }
+
     const { verificationId, error } = await triggerVerifyMFA(resolver);
     if (error) {
       rollbar.error('MFA trigger error:', error);
       setError(t('form.mfaTriggerError'));
     } else {
       setVerificationId(verificationId);
+      hasRecaptchaRendered.current = true;
     }
   };
 
@@ -92,7 +111,7 @@ const VerifyMFA: React.FC<VerifyMFAProps> = ({ resolver }) => {
           {error}
         </Typography>
       )}
-      <div id="recaptcha-container"></div>
+      <div id="recaptcha-container" ref={recaptchaContainerRef}></div>
     </Box>
   );
 };