fix: mfa verify now works with refresh token algorithm v2 (#2246)

hf · fadymak · web-flow · commit 4e8275f915c4 · 2025-11-06T14:02:48.000+01:00
Verification didn't work as MFA verify issues a new refresh token. This
was not moved to support v2 refresh tokens.

---------

Co-authored-by: issuedat &lt;165281975+issuedat@users.noreply.github.com&gt;
diff --git a/internal/api/token.go b/internal/api/token.go
@@ -7,6 +7,7 @@ import (
 	"github.com/gofrs/uuid"
 
 	"github.com/supabase/auth/internal/api/apierrors"
+	"github.com/supabase/auth/internal/crypto"
 	"github.com/supabase/auth/internal/hooks/v0hooks"
 	"github.com/supabase/auth/internal/metering"
 	"github.com/supabase/auth/internal/models"
@@ -303,7 +304,8 @@ func (a *API) updateMFASessionAndClaims(r *http.Request, tx *storage.Connection,
 	config := a.config
 	var tokenString string
 	var expiresAt int64
-	var refreshToken *models.RefreshToken
+	var issuedRefreshToken string
+
 	currentClaims := getClaims(ctx)
 	sessionId, err := uuid.FromString(currentClaims.SessionId)
 	if err != nil {
@@ -325,11 +327,36 @@ func (a *API) updateMFASessionAndClaims(r *http.Request, tx *storage.Connection,
 		if err := tx.Load(user, "Identities"); err != nil {
 			return err
 		}
-		// Swap to ensure current token is the latest one
-		refreshToken, terr = models.GrantRefreshTokenSwap(config.AuditLog, r, tx, user, currentToken)
-		if terr != nil {
-			return terr
+
+		// issue a new refresh token on successful verification
+		if session.RefreshTokenHmacKey != nil && session.RefreshTokenCounter != nil {
+			signingKey, _, terr := session.GetRefreshTokenHmacKey(config.Security.DBEncryption)
+			if terr != nil {
+				return apierrors.NewInternalServerError("Failed to get session's refresh token key").WithInternalError(terr)
+			}
+
+			counter := *session.RefreshTokenCounter + 1
+			session.RefreshTokenCounter = &counter
+
+			issuedRefreshToken = (&crypto.RefreshToken{
+				Version:   0,
+				SessionID: session.ID,
+				Counter:   *session.RefreshTokenCounter,
+			}).Encode(signingKey)
+
+			if terr := session.UpdateOnlyRefreshToken(tx); terr != nil {
+				return apierrors.NewInternalServerError("Failed to update session").WithInternalError(terr)
+			}
+		} else {
+			// Legacy RTs: swap to ensure current token is the latest one
+			refreshToken, terr := models.GrantRefreshTokenSwap(config.AuditLog, r, tx, user, currentToken)
+			if terr != nil {
+				return terr
+			}
+
+			issuedRefreshToken = refreshToken.Token
 		}
+
 		aal, _, terr := session.CalculateAALAndAMR(user)
 		if terr != nil {
 			return terr
@@ -362,7 +389,7 @@ func (a *API) updateMFASessionAndClaims(r *http.Request, tx *storage.Connection,
 		TokenType:    "bearer",
 		ExpiresIn:    config.JWT.Exp,
 		ExpiresAt:    expiresAt,
-		RefreshToken: refreshToken.Token,
+		RefreshToken: issuedRefreshToken,
 		User:         user,
 	}, nil
 }
