Add challenge to 2FA settings, e-mail notifications #11878
Merged
Fix #3961
Adds a "challenge" page which asks for the current password if the user has a password. If the challenge is passed, that is remembered for the next hour so the user is not asked again.
This is added on top of:
There are a few other places that ask for confirmation using different UX, most notably account settings (e-mail/password) and account deletion, but it probably makes sense to keep those as they are now.
Changes "Generate recovery codes" link from looking like a text link to looking like a button to make it clearer that it's an action rather than just a page to be viewed.
Adds e-mail notifications about changes to 2FA settings and recovery code re-generation.
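The challenge gate described above, sketched as an added example in plain Ruby; it is not code from this pull request or from the project. The `User` struct, the `Challenge` module, the `:challenge_passed_at` session key and the PBKDF2 password check are all hypothetical, and skipping the prompt for accounts without a password is an assumption drawn from the description.

```ruby
require 'openssl'

# Hypothetical stand-in for a user record; digest is nil for accounts with no password.
User = Struct.new(:salt, :password_digest)

module Challenge
  TIMEOUT = 3600       # seconds a passed challenge is remembered (one hour)
  ITERATIONS = 10_000  # kept low so the example runs fast; not a production setting

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
  end

  # Constant-time comparison of two equal-length byte strings.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True when the sensitive action must be preceded by the password prompt.
  def self.required?(user, session, now = Time.now.to_i)
    return false if user.password_digest.nil? # no password to ask for
    passed_at = session[:challenge_passed_at]
    return true unless passed_at.is_a?(Integer)
    age = now - passed_at
    age.negative? || age >= TIMEOUT # a timestamp from the future is not trusted
  end

  # Records the time of a successful challenge; returns whether it passed.
  def self.attempt(user, session, password, now = Time.now.to_i)
    ok = secure_equal?(digest(password, user.salt), user.password_digest)
    session[:challenge_passed_at] = now if ok
    ok
  end
end

# Constructed sample data for the example.
SALT = 'constructed-salt'
ALICE = User.new(SALT, Challenge.digest('correct horse', SALT))
SSO_USER = User.new(nil, nil)
```

A failed attempt leaves the session untouched, so a wrong password never extends or starts the one-hour window.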