Summary
Hide the Two Factor Authentication section on the Profile settings page when AUTH_TYPE=SSO.
Hide the Danger zone (delete account / leave workspace) section under the same condition.
Extract profile 2FA UI into ProfileTwoFactorAuthenticationSection, following the same outer/inner SSO guard pattern used by Toggle2FA and SettingsTwoFactorAuthenticationMethod.
Why
In SSO deployments, MFA and account lifecycle are owned by the identity provider. Showing Twenty's local TOTP setup and self-service account deletion on Profile is misleading — those controls don't participate in the actual login or provisioning flow.
This aligns Profile with existing SSO behavior:
Email is already read-only under SSO
Password change is already hidden under SSO
Workspace-level 2FA enforcement toggle is already hidden under SSO
Direct navigation to the 2FA setup page already redirects to Profile under SSO
Test plan
With AUTH_TYPE=SSO, open Settings → Profile and confirm Two Factor Authentication and Danger zone are not shown
With AUTH_TYPE unset or non-SSO, confirm both sections still appear
With AUTH_TYPE=SSO, navigate directly to /settings/two-factor-authentication/totp and confirm redirect to Profile still works
The implementation is clean and correct. Here's my analysis:
✅ What looks good:
Outer/inner guard pattern – ProfileTwoFactorAuthenticationSection correctly follows the same pattern used by Toggle2FA and SettingsTwoFactorAuthenticationMethod. The outer component calls useIsSsoEnabled() and bails out before inner hooks (like useCurrentUserWorkspaceTwoFactorAuthentication) run — preventing hook-order issues and unnecessary Apollo/context requirements.
SSO guard on DeleteAccount in SettingsProfile.tsx via !isSsoEnabled is minimal and correct.
Cleanup – Unused imports (SettingsCard, IconShield, Status, UndecoratedLink, useCurrentUserWorkspaceTwoFactorAuthentication) are properly removed from SettingsProfile.tsx.
Comments explain WHY (IdP owns MFA, dead controls), consistent with existing codebase style.
Test covers the key invariant: SSO enabled → null returned, inner hook never invoked.
⚠️ Minor observations (non-blocking):
The test only covers the SSO-on branch (the SSO-off path requires providers and is noted as out of scope — acceptable for a unit test of this pattern).
Import order in SettingsProfile.tsx: useIsSsoEnabled from @/auth/hooks is inserted after currentWorkspaceMemberState from @/auth/states. Alphabetically hooks comes before states, so it's slightly inconsistent, but this is cosmetic.
CI status: All functional CI checks (CI Front, CI Server, CI Shared, etc.) pass. The two failures (Preview Environment Dispatch, PR Review Dispatch) are infrastructure/deployment workflows, not test failures, and are unrelated to these changes.
Overall the implementation is solid — no functional issues found. ✅
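An added illustration of the outer/inner guard discussed in the review above; it is not code from the pull request. It uses a small constructed hook runtime instead of React, and the bodies behind the page's hook names (including the `totpVerified` field and the `InlineGuardedSection` and `InnerSection` components) are hypothetical stand-ins.

```javascript
// Constructed mini hook runtime (not React): it counts the hooks each component
// calls per render and throws when that count changes between renders.
function createRuntime(env) {
  const previousCounts = new Map(); // component name -> hooks called last render
  const hookLog = [];               // every hook invocation, in order
  let frame = null;
  const hook = (name, read) => () => {
    frame.count += 1;
    hookLog.push(name);
    return read();
  };
  // Stand-ins for the hooks named on the page; their bodies are assumptions.
  const useIsSsoEnabled = hook('useIsSsoEnabled', () => env.authType === 'SSO');
  const useCurrentUserWorkspaceTwoFactorAuthentication =
    hook('useCurrentUserWorkspaceTwoFactorAuthentication', () => ({ totpVerified: false }));

  function render(component) {
    const parent = frame;
    frame = { count: 0 };
    try {
      const output = component();
      const previous = previousCounts.get(component.name);
      if (previous !== undefined && previous !== frame.count) {
        throw new Error(`${component.name}: hook count changed ${previous} -> ${frame.count}`);
      }
      previousCounts.set(component.name, frame.count);
      return output;
    } finally {
      frame = parent;
    }
  }

  // Inline guard: returns before the second hook whenever SSO is on.
  function InlineGuardedSection() {
    if (useIsSsoEnabled()) return null;
    const state = useCurrentUserWorkspaceTwoFactorAuthentication();
    return `2FA section (verified=${state.totpVerified})`;
  }
  // Outer/inner split: each component calls the same hooks on every render.
  function InnerSection() {
    const state = useCurrentUserWorkspaceTwoFactorAuthentication();
    return `2FA section (verified=${state.totpVerified})`;
  }
  function ProfileTwoFactorAuthenticationSection() {
    if (useIsSsoEnabled()) return null;
    return render(InnerSection);
  }
  return { render, hookLog, InlineGuardedSection, ProfileTwoFactorAuthenticationSection };
}
```

With the split, the 2FA hook never appears in `hookLog` while `env.authType` is `'SSO'`; with the inline guard, a render where the flag differs from the previous render trips the hook-count check.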
Error: SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
    at JSON.parse (<anonymous>)
    at parseJSONFromBytes (node:internal/deps/undici/undici:4319:19)
    at successSteps (node:internal/deps/undici/undici:6967:27)
    at readAllBytes (node:internal/deps/undici/undici:5890:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:104:5)
danger-results://tmp/danger-results-fb7b2293.json