Major 2FA improvements + Change Email support (finally) #345
kentcdodds
announced in
Announcements
Replies: 1 comment 1 reply
-
Thank you. Will there be an issue if a user logs in using a third-party identity provider (i.e. GitHub) and then changes the email address?
1 reply
-
I spent a lot of time looking at how we manage email/account ownership verification in the Epic Stack. In the process, I've come up with an abstraction I'm pretty happy with. Eventually this can hopefully turn into a library (I think React Server Components support in Remix will make doing that much easier).
Now we have an established pattern for re-verifying the user when they perform destructive actions. So when the user wishes to disable 2FA, they're required to supply their 2FA code to do so.
Additionally, I've (finally) added support for changing user email. Read the change email decision document here.
In the process of building the change email flow, I also (finally again) added support for tracking how recently the user entered their 2FA code and requiring the user to enter it again if it's been over 2 hours whenever performing destructive actions like disabling 2FA and changing their email.
Hopefully this serves as a good example for folks who want to have a 2FA verification process for other destructive operations in their apps.
Unfortunately this change involved a pretty significant change to how verification works in the Epic Stack. No database migrations were necessary, but I moved around a lot of code.
Oh, I also added documentation on 2FA and verification in the security docs.
Enjoy!
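The "re-verify before destructive actions" pattern described above, as an added example that is not the Epic Stack's own code: a plain TypeScript guard that stamps the session when a 2FA code is entered and demands a fresh code once that stamp is older than 2 hours. The session fields, the `/verify` route shape and the settings paths are assumptions.

```typescript
// Added example (not Epic Stack code): step-up re-verification for destructive actions.
// The session field `verifiedTime` and the /verify route are hypothetical.

const REVERIFY_AFTER_MS = 2 * 60 * 60 * 1000 // 2-hour window, as in the announcement

type Session = {
  userId: string
  twoFactorEnabled: boolean // assumed: whether this user has 2FA set up
  verifiedTime?: number // epoch ms of the last successful 2FA entry in this session
}

type Decision =
  | { kind: 'proceed' }
  | { kind: 'reverify'; redirectTo: string }

// True only when a 2FA code was entered within the freshness window.
// A missing or future timestamp (clock skew, tampered cookie) counts as stale.
function isRecentlyVerified(session: Session, now: number): boolean {
  const t = session.verifiedTime
  if (t === undefined) return false
  if (t > now) return false
  return now - t <= REVERIFY_AFTER_MS
}

// Decide whether a destructive action (disable 2FA, change email) may run now,
// or whether the user must first be sent to the verification page and then back.
function guardDestructiveAction(session: Session, actionPath: string, now: number): Decision {
  if (!session.twoFactorEnabled) return { kind: 'proceed' } // nothing to re-verify against
  if (isRecentlyVerified(session, now)) return { kind: 'proceed' }
  // Carry the original destination so the flow resumes after a successful code entry.
  const params = new URLSearchParams({ type: '2fa', redirectTo: actionPath })
  return { kind: 'reverify', redirectTo: `/verify?${params.toString()}` }
}

// Called once a submitted 2FA code has been validated: stamp the session so that
// further destructive actions inside the window do not prompt again.
function recordVerification(session: Session, now: number): Session {
  return { ...session, verifiedTime: now }
}
```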