
Add reject_access_due_to_2fa_for_org function#1333

Merged
riderx merged 4 commits into main from WcaleNieWolny/reject-2fa-org-access
Dec 31, 2025

Conversation

@WcaleNieWolny
Contributor

@WcaleNieWolny WcaleNieWolny commented Dec 30, 2025

Summary

Adds a new database function reject_access_due_to_2fa_for_org for checking 2FA enforcement at the organization level. This function respects org-limited API keys and properly validates that API keys are allowed to access the specific organization being queried.

Test plan

  • All 14 new tests pass, covering JWT auth, API key auth, org-limited API key access control, and edge cases
  • Run with: supabase test db
  • All 804 existing tests continue to pass

Checklist

  • My code follows the code style of this project
  • I have adequate test coverage (14 new tests)
  • All tests pass locally

Motivation

It turns out that even with the best plan in the world (#1291) and 3 PRs that do nothing but add DB code (#1311, #1310, #1300), getting all the functions I need for the CLI to work in advance is not easy. I forgot to do public reject_access_due_to_2fa_for_org, so here we go: 4th PR for the 2FA enforcement.

Business impact

None - another PR in the PRs required for 2FA enforcement to work

Summary by CodeRabbit

  • New Features

    • Added organization-level two-factor authentication (2FA) enforcement. Organizations can now require members to enable 2FA before accessing organization resources.
  • Tests

    • Comprehensive test coverage added for the new 2FA enforcement feature.



Note

Adds an org-scoped 2FA access check usable by CLI/frontend.

  • New public.reject_access_due_to_2fa_for_org(org_id uuid) (SECURITY DEFINER) returns true to reject or false to allow
  • Validates identity via public.get_identity_org_allowed(...) to enforce org-limited API key scope
  • Logic: reject if no identity; allow if org missing or not enforcing 2FA; if enforcing, require public.has_2fa_enabled(user_id)
  • Grants EXECUTE to authenticated, anon, and service_role
  • Adds 14 tests covering JWT auth, API key auth, org-limited keys (allowed/denied orgs), anonymity, and edge cases

Written by Cursor Bugbot for commit 6a12b49.

… checks

Adds a new function for checking 2FA enforcement at the organization level,
respecting org-limited API keys. Includes 14 comprehensive tests covering
JWT auth, API key auth, org-limited API key constraints, and edge cases.

🤖 Generated with Claude Code

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai bot commented Dec 30, 2025

📝 Walkthrough

Walkthrough

Adds a SECURITY DEFINER SQL function public.reject_access_due_to_2fa_for_org(org_id uuid) that evaluates org-level 2FA enforcement and the caller's 2FA status, returning a boolean to allow or reject access; includes grants and a 14-case test suite.

Changes

Cohort / File(s): Summary

Core function (supabase/migrations/20251230114041_reject_access_due_to_2fa_for_org.sql): Adds reject_access_due_to_2fa_for_org(org_id uuid) (plpgsql, SECURITY DEFINER, owner postgres, search_path '') that fetches the current identity via public.get_identity_org_allowed, rejects if there is no identity, reads public.orgs.enforcing_2fa, and returns reject when the org enforces 2FA and the user lacks has_2fa_enabled; grants EXECUTE to authenticated, anon, and service_role.

Tests (supabase/tests/42_test_reject_access_due_to_2fa_for_org.sql): New test script creating users, orgs (enforcing/non-enforcing), an MFA factor, API keys (including org-limited), and 14 assertions covering combinations of user 2FA state, org enforcement, API-key contexts, non-existent org, anonymous and service role access; ends with rollback.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant DB_Function as reject_access_due_to_2fa_for_org()
  participant IdentityFn as public.get_identity_org_allowed()
  participant Orgs as public.orgs

  Client->>DB_Function: call(org_id)
  DB_Function->>IdentityFn: get_identity(org_id, key_modes...)
  IdentityFn-->>DB_Function: identity or null
  alt no identity
    DB_Function-->>Client: RETURN true  /* reject access */
  else identity found
    DB_Function->>Orgs: SELECT enforcing_2fa FROM orgs WHERE id=org_id
    Orgs-->>DB_Function: enforcing_2fa value or null
    alt org not found or enforcing_2fa = false
      DB_Function-->>Client: RETURN false /* allow */
    else enforcing_2fa = true
      alt identity.has_2fa_enabled = true
        DB_Function-->>Client: RETURN false /* allow */
      else
        DB_Function-->>Client: RETURN true  /* reject */
      end
    end
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 A rabbit hopped into the DB night,

"Is two-factor on? I'll guard it right."
If org says yes and your keys are bare,
I'll bounce you gently — security's fair. 🥕

Pre-merge checks and finishing touches

Passed checks (3 passed)

Title check: Passed. The title clearly and concisely summarizes the main change: adding a new database function for 2FA access control at the organization level.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check: Passed. The PR description includes all required sections: summary, test plan, and checklist with verification items marked complete.

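A small Python model of the decision order the walkthrough and sequence diagram describe, added here as an illustration; it is not the migration's plpgsql, and the identity resolution is a constructed stand-in for public.get_identity_org_allowed, so org-limited scoping is simplified to a set of permitted org ids.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed model of the function described above; not the project's SQL.
@dataclass(frozen=True)
class Identity:
    user_id: str
    has_2fa_enabled: bool                               # stands in for public.has_2fa_enabled(user_id)
    limited_to_orgs: Optional[FrozenSet[str]] = None    # None: JWT or unrestricted API key

@dataclass(frozen=True)
class Org:
    enforcing_2fa: bool

def get_identity_org_allowed(identity: Optional[Identity], org_id: str) -> Optional[Identity]:
    """Stand-in for public.get_identity_org_allowed: yields the identity only when the
    credential may act on org_id. An org-limited API key scoped to other orgs resolves
    to no identity at all, which is why the caller rejects instead of falling through."""
    if identity is None:
        return None
    if identity.limited_to_orgs is not None and org_id not in identity.limited_to_orgs:
        return None
    return identity

def reject_access_due_to_2fa_for_org(org_id: str, identity: Optional[Identity],
                                     orgs: Dict[str, Org]) -> bool:
    """True means reject, False means allow, mirroring the SQL function's contract."""
    ident = get_identity_org_allowed(identity, org_id)
    if ident is None:
        return True                     # no identity: reject, even for non-enforcing orgs
    org = orgs.get(org_id)
    if org is None or not org.enforcing_2fa:
        return False                    # missing org or no enforcement: nothing to enforce
    return not ident.has_2fa_enabled    # enforcing: the caller must have 2FA enabled

def run_cases() -> Dict[str, bool]:
    """Constructed scenarios matching the categories the PR's 14 tests cover."""
    orgs = {"org_strict": Org(enforcing_2fa=True), "org_relaxed": Org(enforcing_2fa=False)}
    with_2fa = Identity("u1", True)
    without_2fa = Identity("u2", False)
    key_for_relaxed = Identity("u2", False, frozenset({"org_relaxed"}))
    key_for_strict = Identity("u1", True, frozenset({"org_strict"}))
    return {
        "jwt_2fa_strict": reject_access_due_to_2fa_for_org("org_strict", with_2fa, orgs),
        "jwt_no2fa_strict": reject_access_due_to_2fa_for_org("org_strict", without_2fa, orgs),
        "jwt_no2fa_relaxed": reject_access_due_to_2fa_for_org("org_relaxed", without_2fa, orgs),
        "anon_relaxed": reject_access_due_to_2fa_for_org("org_relaxed", None, orgs),
        "limited_key_wrong_org": reject_access_due_to_2fa_for_org("org_strict", key_for_relaxed, orgs),
        "limited_key_right_org": reject_access_due_to_2fa_for_org("org_strict", key_for_strict, orgs),
        "missing_org": reject_access_due_to_2fa_for_org("org_ghost", without_2fa, orgs),
    }
```

The limited_key_wrong_org case is the one the org-scope check exists for: the key is valid, but it is scoped to a different org, so the check rejects before ever reading enforcing_2fa.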

WcaleNieWolny and others added 3 commits December 30, 2025 13:00
- Clarify why get_identity_org_allowed is used instead of get_identity
- Document intentional behavior difference when org doesn't exist
- Ensure clean request.headers state before anonymous user test

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@riderx riderx merged commit c99e1fb into main Dec 31, 2025
10 checks passed
@riderx riderx deleted the WcaleNieWolny/reject-2fa-org-access branch December 31, 2025 19:38

Dalanir pushed a commit that referenced this pull request Jan 12, 2026
* feat: add reject_access_due_to_2fa_for_org function for org-level 2FA checks

Adds a new function for checking 2FA enforcement at the organization level,
respecting org-limited API keys. Includes 14 comprehensive tests covering
JWT auth, API key auth, org-limited API key constraints, and edge cases.

🤖 Generated with Claude Code

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix: improve comments and ensure clean test state

- Clarify why get_identity_org_allowed is used instead of get_identity
- Document intentional behavior difference when org doesn't exist
- Ensure clean request.headers state before anonymous user test

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: return false for non-existent org (no 2FA enforcement applies)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Martin DONADIEU <martindonadieu@gmail.com>
@coderabbitai coderabbitai bot mentioned this pull request Feb 7, 2026