feat: password reauthentication for documents and recipients (#1827)

Adds password reauthentication to our existing reauth providers, additionally swaps from an exclusive provider to an inclusive type where multiple methods can be selected to offer a this or that experience.
2025-11-22 12:41:36 +10:00 · 2025-06-07 00:27:19 +10:00
parent ce66da0055
commit 55c8632620
62 changed files with 985 additions and 466 deletions
--- a/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
@ -68,9 +68,9 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    }),
  ]);

-  const isAccessAuthValid = match(derivedRecipientAccessAuth)
-    .with(DocumentAccessAuth.ACCOUNT, () => user !== null)
-    .with(null, () => true)
+  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
+    .with(DocumentAccessAuth.ACCOUNT, () => !!user)
+    .with(undefined, () => true)
    .exhaustive();

  if (!isAccessAuthValid) {
--- a/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
@ -81,9 +81,9 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    documentAuth: document.authOptions,
  });

-  const isAccessAuthValid = match(derivedRecipientAccessAuth)
-    .with(DocumentAccessAuth.ACCOUNT, () => user !== null)
-    .with(null, () => true)
+  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
+    .with(DocumentAccessAuth.ACCOUNT, () => user && user.email === recipient.email)
+    .with(undefined, () => true)
    .exhaustive();

  if (!isAccessAuthValid) {
--- a/apps/remix/app/routes/embed+/v1+/multisign+/_index.tsx
+++ b/apps/remix/app/routes/embed+/v1+/multisign+/_index.tsx
@ -38,8 +38,6 @@ export async function loader({ request }: Route.LoaderArgs) {

      const recipient = await getRecipientByToken({ token });

-      console.log('document', document.id);
-
      return { document, recipient };
    }),
  );