- Email 2FA is now optional and disabled by default.

Existing and new accounts default to 2FA off.
Registration signs users in directly.
Users can enable it under My Account.
Administrators can manage it under Users & Staff.
Verified password-only and opted-in email-code login flows.
PHP/JavaScript checks and browser console passed.
This commit is contained in:
Ty Clifford
2026-06-10 16:40:22 -04:00
parent 34ca1be9b7
commit 45ef31e61f
10 changed files with 74 additions and 30 deletions
+2 -3
View File
@@ -40,14 +40,14 @@ final class Auth
{
session_regenerate_id(true);
$_SESSION['user_id'] = (int) $user['id'];
unset($_SESSION['pending_2fa_user_id']);
unset($_SESSION['pending_2fa_user_id'], $_SESSION['pending_verification_purpose']);
$this->resolved = true;
$this->cachedUser = $user;
}
public function logout(): void
{
unset($_SESSION['user_id'], $_SESSION['pending_2fa_user_id']);
unset($_SESSION['user_id'], $_SESSION['pending_2fa_user_id'], $_SESSION['pending_verification_purpose']);
session_regenerate_id(true);
$this->resolved = true;
$this->cachedUser = null;
@@ -81,4 +81,3 @@ final class Auth
return $user;
}
}