
Member

@di di commented Sep 12, 2025

Fixes #18425.

This PR maintains a record of device information across logins for each user:

  • For TOTP logins, confirmation via a link sent to the primary email is required for each new device;
  • For non-TOTP logins, no confirmation is required.

@di di requested a review from a team as a code owner September 12, 2025 17:11
Member

@miketheman miketheman left a comment


Lots of comments inline. Let me know if they need further details.

Aside: I wonder if there's an opportunity to use these kinds of "annoying" interactions to push webauthn more, but I still want that to be a smoother experience.

@di di requested a review from miketheman September 24, 2025 11:02
Member

@miketheman miketheman left a comment


Other than the migration needing a rebase, I think this looks good to me - I'd prefer if at least one other admin reviews as well.

@di di requested review from ewdurbin and miketheman October 14, 2025 16:09

Development

Successfully merging this pull request may close these issues.

Email confirmation for TOTP-based logins
