AshAuthentication.Strategy.Totp.ConfirmSetupChange (ash_authentication v5.0.0-rc.4)


Confirms a pending TOTP setup by verifying a code and storing the secret.

This change is used when confirm_setup_enabled? is true. It:

  1. Validates the TOTP code format (6 digits)
  2. Verifies the setup_token JWT
  3. Retrieves the pending secret from the token resource
  4. Verifies the TOTP code against the secret
  5. Stores the secret on the user
  6. Revokes the setup token (after successful storage)

Token revocation is performed only after the secret has been stored. If storage fails for any reason, the setup token stays valid and the user can retry; revoking first would leave them with no stored secret and no token to finish the setup with.

This ensures the user's authenticator actually holds the secret (it produced a valid code for it) before the secret is activated on the user, so a half-completed setup cannot lock them out.
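The six steps above, written out as one pure function over an in-memory state map. This is an added illustration, not code from ash_authentication: the module name, the HMAC-signed "jti.exp.sig" string standing in for the setup_token JWT, the state shape (a tokens map keyed by jti and a users map), the ±1 step verification window and the signing key are all assumptions. The TOTP arithmetic itself follows RFC 6238 / RFC 4226 (HMAC-SHA1, 30 s period, 6 digits).

```elixir
# Added example (not ash_authentication's own code). Token signing, the token
# store and the user store are stand-ins for the real JWT/resource layer.
defmodule ConfirmSetupExample do
  @period 30
  @digits 6
  @signing_key "server-side-signing-key"   # assumed: replaces the app's JWT secret

  # Stand-in for the setup_token JWT: "jti.exp.sig", HMAC-SHA256 over "jti.exp".
  def sign_setup_token(jti, exp) do
    body = "#{jti}.#{exp}"
    body <> "." <> Base.url_encode64(:crypto.mac(:hmac, :sha256, @signing_key, body), padding: false)
  end

  # RFC 6238 TOTP: HOTP(secret, floor(time / period) + offset), SHA1, 6 digits.
  def totp(secret, unix_time, offset \\ 0) do
    counter = div(unix_time, @period) + offset
    hmac = :crypto.mac(:hmac, :sha, secret, <<counter::unsigned-big-integer-size(64)>>)
    # RFC 4226 dynamic truncation: low nibble of the last byte selects a 4-byte window
    off = Bitwise.band(:binary.last(hmac), 0x0F)
    <<_::binary-size(off), _::1, code::31, _::binary>> = hmac

    code
    |> rem(Integer.pow(10, @digits))
    |> Integer.to_string()
    |> String.pad_leading(@digits, "0")
  end

  # Steps 1-6. Any failing clause returns {:error, reason} and leaves state untouched.
  def confirm_setup(state, user_id, code, setup_token, now) do
    with :ok <- validate_format(code),                          # 1. six digits
         {:ok, jti} <- verify_setup_token(setup_token, now),    # 2. token signature + expiry
         {:ok, secret} <- fetch_pending_secret(state, jti),     # 3. pending secret from token store
         :ok <- verify_code(secret, code, now),                 # 4. code matches the secret
         {:ok, state} <- store_secret(state, user_id, secret) do # 5. persist on the user
      {:ok, revoke_token(state, jti)}                           # 6. revoke only after 5 succeeded
    end
  end

  defp validate_format(code) do
    # \A and \z rather than ^ and $ so a trailing newline cannot slip through
    if Regex.match?(~r/\A\d{6}\z/, code), do: :ok, else: {:error, :invalid_code_format}
  end

  defp verify_setup_token(token, now) do
    with [jti, exp, _sig] <- String.split(token, "."),
         {exp_int, ""} <- Integer.parse(exp),
         true <- secure_equal?(sign_setup_token(jti, exp_int), token),
         true <- now < exp_int do
      {:ok, jti}
    else
      _ -> {:error, :invalid_setup_token}
    end
  end

  defp fetch_pending_secret(state, jti) do
    case state.tokens do
      %{^jti => secret} -> {:ok, secret}
      _ -> {:error, :setup_token_not_found}   # never issued, or already revoked (replay)
    end
  end

  defp verify_code(secret, code, now) do
    # accept the previous, current and next step to absorb clock drift
    if Enum.any?(-1..1, &secure_equal?(totp(secret, now, &1), code)),
      do: :ok,
      else: {:error, :invalid_code}
  end

  # A storage failure here returns before step 6, so the setup token survives for a retry.
  defp store_secret(state, user_id, secret) do
    case state.users do
      %{^user_id => user} -> {:ok, put_in(state, [:users, user_id], Map.put(user, :totp_secret, secret))}
      _ -> {:error, :user_not_found}
    end
  end

  defp revoke_token(state, jti), do: update_in(state, [:tokens], &Map.delete(&1, jti))

  # constant-time comparison; :crypto.hash_equals/2 requires equal-length binaries
  defp secure_equal?(a, b) when byte_size(a) == byte_size(b), do: :crypto.hash_equals(a, b)
  defp secure_equal?(_, _), do: false
end

# Constructed walk-through (values are made up for the example)
now = 1_700_000_000
secret = :crypto.strong_rand_bytes(20)
token = ConfirmSetupExample.sign_setup_token("jti-1", now + 600)
state = %{tokens: %{"jti-1" => secret}, users: %{"alice" => %{totp_secret: nil}}}

# storage failure (unknown user) stops before revocation: token is still pending
{:error, :user_not_found} =
  ConfirmSetupExample.confirm_setup(state, "bob", ConfirmSetupExample.totp(secret, now), token, now)
true = Map.has_key?(state.tokens, "jti-1")

# happy path: secret stored on the user, then the token is revoked
{:ok, state} =
  ConfirmSetupExample.confirm_setup(state, "alice", ConfirmSetupExample.totp(secret, now), token, now)
^secret = state.users["alice"].totp_secret
%{} = state.tokens

# replaying the same token after revocation fails at step 3
{:error, :setup_token_not_found} =
  ConfirmSetupExample.confirm_setup(state, "alice", ConfirmSetupExample.totp(secret, now), token, now)
```

The ordering matters for the failure case shown first: because `store_secret` runs before `revoke_token`, a storage error returns with the token still in `state.tokens`, which is exactly the property the note above describes. The real change verifies a JWT and reads the pending secret from the token resource instead of this map, but the control flow is the same.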