After successful MFA code verification, onMfaVerified() called
authStore.initialize() which returned immediately (isInitialized
was already true from the initial page load). The auth store was
never populated with user data, so the router guard saw
isAuthenticated === false and redirected back to /login — leaving
the user stuck on the MFA challenge screen with a consumed session.
Fix: use authStore.refreshUser() instead of initialize(). This
always calls GET /auth/me (using the new auth cookie from the MFA
verify response), populates the store, and then navigation to the
dashboard succeeds.
The portal login already uses authStore.fetchUser() which has no
isInitialized guard, so it was not affected.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bert.hausmans
50e2c31dd9