Ability to reset recovery codes #35

Closed
brynwhyman opened this issue Mar 17, 2019 · 5 comments

brynwhyman commented Mar 17, 2019

As a CMS user with a registered MFA method, I want the ability to reset my recovery codes, so that if I lose them or if they are compromised I can access a new and secure set.

Backend work implemented in #4

ACs

  • Invokes the new modal, implemented in MFA in the CMS (create the modal) #46
  • There is the ability to reset recovery codes through the CMS member security form via a 'Reset recovery codes' action.
  • Selecting the 'Reset recovery codes' action presents a warning dialog to reset the codes.
  • Recovery codes can only be reset by the member which they are associated to.
  • On reset, the new recovery codes are displayed using the components created for the registration screen in Add back up code method - registration frontend #13
  • There is a button to download the codes using JavaScript.
  • There is a button to copy the codes to the clipboard.

Designs

@robbieaverill
Contributor

robbieaverill commented Apr 23, 2019

We will need to add another audit hook for resetting backup codes when we do this. There's already one for registering backup codes as a method - we could either treat this as any other method (as it currently is) and log removal and registration of methods generally, or make a specific entry for backup codes when they are reset. You may want to know which user initiated the reset, but that could be the same for removing and registering any method - resetting backup codes is the only option that admins can perform for other users AFAIK, so might need its own hook. Anyway, keep in mind when doing this ticket.

#24

@newleeland

> resetting backup codes is the only option that admins can perform for other users AFAIK, so might need its own hook. Anyway, keep in mind when doing this ticket.

Is this a new functionality we are allowing admins to do? Just thinking, allowing admins to reset the recovery codes ultimately gives them access to reset account passwords.

@brynwhyman
Author

> resetting backup codes is the only option that admins can perform for other users AFAIK, so might need its own hook. Anyway, keep in mind when doing this ticket.

That's not something that's been captured as a requirement before. I wouldn't expect this issue to address that either. To be clear, this issue already has the following AC:

> Recovery codes can only be reset by the member which they are associated to.

@brynwhyman
Author

This work should be covered in the mammoth #85. @ScopeyNZ can confirm when it's been merged. Have a read of the ACs now to check you've covered everything.

@brynwhyman brynwhyman modified the milestones: Sprint 35, Sprint 36 May 28, 2019
@ScopeyNZ
Contributor

ScopeyNZ commented Jun 4, 2019

Covered in #128

@ScopeyNZ ScopeyNZ closed this as completed Jun 4, 2019