fix: udpate session

supabase · Sep 5, 2024 · 1b25838 · 1b25838
1 parent 7c0a128
commit 1b25838
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/internal/api/user.go b/internal/api/user.go
@@ -91,9 +91,6 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 	session := getSession(ctx)
 	// Change to check for verified
 	// Allow for metadata update
-	if len(user.Factors) != 0 && session.AAL != models.AAL2 {
-		return unauthorizedError("need aal2")
-	}
 
 	if err := a.validateUserUpdateParams(ctx, params); err != nil {
 		return err
@@ -105,6 +102,19 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	numVerifiedFactors := 0
+	for _, factor := range user.Factors {
+		if factor.IsVerified() {
+			numVerifiedFactors++
+		}
+	}
+
+	if numVerifiedFactors > 0 && !session.IsAAL2() {
+		if (params.Password != nil && *params.Password != "") || params.Email != "" && user.GetEmail() != params.Email {
+			return httpError(http.StatusUnauthorized, ErrorCodeInsufficientAAL, "AAL2 session is required to update email or password when MFA is enabled.")
+		}
+	}
+
 	if user.IsAnonymous {
 		if params.Password != nil && *params.Password != "" {
 			if params.Email == "" && params.Phone == "" {