feat: support 2fa for document completion (#2063)

Adds support for 2FA when completing a document, also adds support for using email for 2FA when no authenticator has been associated with the account.
2025-11-20 11:41:44 +10:00 · 2025-10-06 16:17:54 +11:00
parent 3467317271
commit 995bc9c362
31 changed files with 1300 additions and 260 deletions
--- a/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
@ -58,10 +58,12 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    documentAuth: template.authOptions,
  });

-  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
-    .with(DocumentAccessAuth.ACCOUNT, () => !!user)
-    .with(undefined, () => true)
-    .exhaustive();
+  const isAccessAuthValid = derivedRecipientAccessAuth.every((auth) =>
+    match(auth)
+      .with(DocumentAccessAuth.ACCOUNT, () => !!user)
+      .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => false) // Not supported for direct links
+      .exhaustive(),
+  );

  if (!isAccessAuthValid) {
    throw data(
--- a/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
@ -75,10 +75,12 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    documentAuth: document.authOptions,
  });

-  const isAccessAuthValid = match(derivedRecipientAccessAuth.at(0))
-    .with(DocumentAccessAuth.ACCOUNT, () => user && user.email === recipient.email)
-    .with(undefined, () => true)
-    .exhaustive();
+  const isAccessAuthValid = derivedRecipientAccessAuth.every((accesssAuth) =>
+    match(accesssAuth)
+      .with(DocumentAccessAuth.ACCOUNT, () => user && user.email === recipient.email)
+      .with(DocumentAccessAuth.TWO_FACTOR_AUTH, () => true) // Allow without account requirement
+      .exhaustive(),
+  );

  if (!isAccessAuthValid) {
    throw data(