This will fix the bug reported here on Meta.
The second factor management page has previously included a “Disable” button. Selecting this button brings up a confirmation:
Instead of disabling all registered TOTP Authenticators and Security Keys, confirming only disables all TOTP Authenticators.
This PR will change the “Disable” button on the second factor management page to say “Disable All,” and make a few styling/copy improvements to the confirmation:
It also fixes the behavior so that all second factor methods are removed when using the “Disable All” button.
The test was tricky and takes heavy inspiration from other tests. I imagine there may be a more elegant or complete implementation, but I’m pretty sure I have the most important functionality tested. If I need to make any changes, let me know.
Both second factor methods can be disabled individually instead of using the “Disable All” button using the pencil icon buttons showing in the above screenshot. What I came to realize is that the implementation for individual disabling is quite different than the disable all method. The “Disable All” button deletes the relevant user_security_keys records from the database, whereas disabling the second factors individually sets enabled: false in the relevant record and keeps it around. This is not new behavior and nothing is technically broken; I just wanted to bring it up in case we might want to have consistency. If anything needs to change, I imagine it can be addressed in a follow-up commit.