fix: merge conflicts

Merge branch 'main' into feat/document-2fa-redo
fix: remove multiselect for auth select
2025-11-12 15:53:02 +10:00 · 2025-08-14 22:13:19 +00:00 · 2025-08-01 09:00:30 +00:00 · 2025-07-22 15:18:40 +00:00 · 2025-07-22 14:08:03 +00:00
30 changed files with 831 additions and 196 deletions
--- a/apps/remix/app/components/general/document-signing/document-signing-auth-2fa.tsx
+++ b/apps/remix/app/components/general/document-signing/document-signing-auth-2fa.tsx
@ -1,4 +1,4 @@
-import { useEffect, useState } from 'react';
+import { useEffect, useRef, useState } from 'react';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { Trans } from '@lingui/react/macro';
@ -6,9 +6,9 @@ import { RecipientRole } from '@prisma/client';
 import { useForm } from 'react-hook-form';
 import { z } from 'zod';
 import { AppError } from '@documenso/lib/errors/app-error';
 import { DocumentAuth, type TRecipientActionAuth } from '@documenso/lib/types/document-auth';
-import { Alert, AlertDescription, AlertTitle } from '@documenso/ui/primitives/alert';
+import { trpc } from '@documenso/trpc/react';
 import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
 import { Button } from '@documenso/ui/primitives/button';
 import { DialogFooter } from '@documenso/ui/primitives/dialog';
 import {
@ -20,6 +20,8 @@ import {
  FormMessage,
 } from '@documenso/ui/primitives/form/form';
 import { PinInput, PinInputGroup, PinInputSlot } from '@documenso/ui/primitives/pin-input';
 import { Tabs, TabsList, TabsTrigger } from '@documenso/ui/primitives/tabs';
 import { useToast } from '@documenso/ui/primitives/use-toast';
 import { EnableAuthenticatorAppDialog } from '~/components/forms/2fa/enable-authenticator-app-dialog';
@ -51,6 +53,7 @@ export const DocumentSigningAuth2FA = ({
 }: DocumentSigningAuth2FAProps) => {
  const { recipient, user, isCurrentlyAuthenticating, setIsCurrentlyAuthenticating } =
    useRequiredDocumentSigningAuthContext();
  const { toast } = useToast();
  const form = useForm<T2FAAuthFormSchema>({
    resolver: zodResolver(Z2FAAuthFormSchema),
@ -60,27 +63,104 @@ export const DocumentSigningAuth2FA = ({
  });
  const [is2FASetupSuccessful, setIs2FASetupSuccessful] = useState(false);
-  const [formErrorCode, setFormErrorCode] = useState<string | null>(null);
+  const [isEmailCodeSent, setIsEmailCodeSent] = useState(false);
  const [isEmailCodeSending, setIsEmailCodeSending] = useState(false);
  const [canResendEmail, setCanResendEmail] = useState(true);
  const [resendCountdown, setResendCountdown] = useState(0);
  const countdownTimerRef = useRef<NodeJS.Timeout | null>(null);
  const [verificationMethod, setVerificationMethod] = useState<'app' | 'email'>(
    user?.twoFactorEnabled ? 'app' : 'email',
  );
  const emailSendInitiatedRef = useRef(false);
  const sendVerificationMutation = trpc.auth.sendEmailVerification.useMutation({
    onSuccess: () => {
      setIsEmailCodeSent(true);
      setCanResendEmail(false);
      setResendCountdown(60);
      countdownTimerRef.current = setInterval(() => {
        setResendCountdown((prev) => {
          if (prev <= 1) {
            if (countdownTimerRef.current) {
              clearInterval(countdownTimerRef.current);
            }
            setCanResendEmail(true);
            return 0;
          }
          return prev - 1;
        });
      }, 1000);
      toast({
        title: 'Verification code sent',
        description: `A verification code has been sent to ${recipient.email}`,
      });
    },
    onError: (error) => {
      console.error('Failed to send verification code', error);
      toast({
        title: 'Failed to send verification code',
        description: 'Please try again or contact support',
        variant: 'destructive',
      });
    },
    onSettled: () => {
      setIsEmailCodeSending(false);
    },
  });
  const verifyCodeMutation = trpc.auth.verifyEmailCode.useMutation();
  const sendEmailVerificationCode = async () => {
    try {
      setIsEmailCodeSending(true);
      await sendVerificationMutation.mutateAsync({
        recipientId: recipient.id,
      });
    } catch (error) {
      toast({
        title: 'Failed to send verification code',
        description: 'Please try again.',
        variant: 'destructive',
      });
    }
  };
  useEffect(() => {
    return () => {
      if (countdownTimerRef.current) {
        clearInterval(countdownTimerRef.current);
      }
    };
  }, []);
  const onFormSubmit = async ({ token }: T2FAAuthFormSchema) => {
    try {
      setIsCurrentlyAuthenticating(true);
      if (verificationMethod === 'email') {
        await verifyCodeMutation.mutateAsync({
          code: token,
          recipientId: recipient.id,
        });
      }
      await onReauthFormSubmit({
        type: DocumentAuth.TWO_FACTOR_AUTH,
        token,
      });
      setIsCurrentlyAuthenticating(false);
      onOpenChange(false);
    } catch (err) {
      setIsCurrentlyAuthenticating(false);
-      const error = AppError.parseError(err);
+      toast({
-      setFormErrorCode(error.code);
+        title: 'Unauthorized',
-
+        description: 'We were unable to verify your details.',
-      // Todo: Alert.
+        variant: 'destructive',
      });
    }
  };
@ -90,21 +170,46 @@ export const DocumentSigningAuth2FA = ({
    });
    setIs2FASetupSuccessful(false);
-    setFormErrorCode(null);
+    setIsEmailCodeSent(false);
-    // eslint-disable-next-line react-hooks/exhaustive-deps
+    if (open && !user?.twoFactorEnabled) {
-  }, [open]);
+      setVerificationMethod('email');
    }
  }, [open, user?.twoFactorEnabled, form]);
-  if (!user?.twoFactorEnabled && !is2FASetupSuccessful) {
+  useEffect(() => {
    if (!open || verificationMethod !== 'email') {
      emailSendInitiatedRef.current = false;
    }
  }, [open, verificationMethod]);
  useEffect(() => {
    if (open && verificationMethod === 'email' && !isEmailCodeSent && !isEmailCodeSending) {
      if (!emailSendInitiatedRef.current) {
        emailSendInitiatedRef.current = true;
        void sendEmailVerificationCode();
      }
    }
  }, [open, verificationMethod, isEmailCodeSent, isEmailCodeSending]);
  if (verificationMethod === 'app' && !user?.twoFactorEnabled && !is2FASetupSuccessful) {
    return (
      <div className="space-y-4">
        <Tabs
          value={verificationMethod}
          onValueChange={(val) => setVerificationMethod(val as 'app' | 'email')}
        >
          <TabsList className="grid w-full grid-cols-2">
            <TabsTrigger value="app">Authenticator App</TabsTrigger>
            <TabsTrigger value="email">Email Verification</TabsTrigger>
          </TabsList>
        </Tabs>
        <Alert variant="warning">
          <AlertDescription>
            <p>
              {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT' ? (
                <Trans>You need to setup 2FA to mark this document as viewed.</Trans>
              ) : (
                // Todo: Translate
                `You need to setup 2FA to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`
              )}
            </p>
@ -129,59 +234,106 @@ export const DocumentSigningAuth2FA = ({
  }
  return (
-    <Form {...form}>
+    <div className="space-y-4">
-      <form onSubmit={form.handleSubmit(onFormSubmit)}>
+      {user?.twoFactorEnabled && (
-        <fieldset disabled={isCurrentlyAuthenticating}>
+        <Tabs
-          <div className="space-y-4">
+          value={verificationMethod}
-            <FormField
+          onValueChange={(val) => setVerificationMethod(val as 'app' | 'email')}
-              control={form.control}
+        >
-              name="token"
+          <TabsList className="grid w-full grid-cols-2">
-              render={({ field }) => (
+            <TabsTrigger value="app">Authenticator App</TabsTrigger>
-                <FormItem>
+            <TabsTrigger value="email">Email Verification</TabsTrigger>
-                  <FormLabel required>2FA token</FormLabel>
+          </TabsList>
        </Tabs>
      )}
-                  <FormControl>
+      {verificationMethod === 'email' && (
-                    <PinInput {...field} value={field.value ?? ''} maxLength={6}>
+        <Alert variant="secondary">
-                      {Array(6)
+          <AlertDescription>
-                        .fill(null)
+            {isEmailCodeSent ? (
-                        .map((_, i) => (
+              <p>
-                          <PinInputGroup key={i}>
+                <Trans>
-                            <PinInputSlot index={i} />
+                  A verification code has been sent to {recipient.email}. Please enter it below to
-                          </PinInputGroup>
+                  continue.
-                        ))}
+                </Trans>
-                    </PinInput>
+              </p>
-                  </FormControl>
+            ) : (
-
+              <p>
-                  <FormMessage />
+                <Trans>
-                </FormItem>
+                  We'll send a verification code to {recipient.email} to verify your identity.
-              )}
+                </Trans>
-            />
+              </p>
            {formErrorCode && (
              <Alert variant="destructive">
                <AlertTitle>
                  <Trans>Unauthorized</Trans>
                </AlertTitle>
                <AlertDescription>
                  <Trans>
                    We were unable to verify your details. Please try again or contact support
                  </Trans>
                </AlertDescription>
              </Alert>
            )}
          </AlertDescription>
        </Alert>
      )}
-            <DialogFooter>
+      <Form {...form}>
-              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
+        <form onSubmit={form.handleSubmit(onFormSubmit)}>
-                <Trans>Cancel</Trans>
+          <fieldset disabled={isCurrentlyAuthenticating}>
-              </Button>
+            <div className="space-y-4">
              <FormField
                control={form.control}
                name="token"
                render={({ field }) => (
                  <FormItem>
                    <FormLabel required>
                      {verificationMethod === 'app' ? (
                        <Trans>2FA token</Trans>
                      ) : (
                        <Trans>Verification code</Trans>
                      )}
                    </FormLabel>
-              <Button type="submit" loading={isCurrentlyAuthenticating}>
+                    <FormControl>
-                <Trans>Sign</Trans>
+                      <PinInput {...field} value={field.value ?? ''} maxLength={6}>
-              </Button>
+                        {Array(6)
-            </DialogFooter>
+                          .fill(null)
-          </div>
+                          .map((_, i) => (
-        </fieldset>
+                            <PinInputGroup key={i}>
-      </form>
+                              <PinInputSlot index={i} />
-    </Form>
+                            </PinInputGroup>
                          ))}
                      </PinInput>
                    </FormControl>
                    <FormMessage />
                  </FormItem>
                )}
              />
              {verificationMethod === 'email' && (
                <div className="flex justify-center">
                  <Button
                    type="button"
                    variant="link"
                    disabled={isEmailCodeSending || !canResendEmail}
                    onClick={() => void sendEmailVerificationCode()}
                  >
                    {isEmailCodeSending ? (
                      <Trans>Sending...</Trans>
                    ) : !canResendEmail ? (
                      <Trans>Resend code ({resendCountdown}s)</Trans>
                    ) : (
                      <Trans>Resend code</Trans>
                    )}
                  </Button>
                </div>
              )}
              <DialogFooter>
                <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
                  <Trans>Cancel</Trans>
                </Button>
                <Button type="submit" loading={isCurrentlyAuthenticating}>
                  <Trans>{actionTarget === 'DOCUMENT' ? 'Sign Document' : 'Sign Field'}</Trans>
                </Button>
              </DialogFooter>
            </div>
          </fieldset>
        </form>
      </Form>
    </div>
  );
 };
--- a/apps/remix/app/components/general/document-signing/document-signing-auth-dialog.tsx
+++ b/apps/remix/app/components/general/document-signing/document-signing-auth-dialog.tsx
@ -43,6 +43,7 @@ export const DocumentSigningAuthDialog = ({
  title,
  description,
  availableAuthTypes,
  actionTarget,
  open,
  onOpenChange,
  onReauthFormSubmit,
@ -107,15 +108,32 @@ export const DocumentSigningAuthDialog = ({
                >
                  <ChevronLeftIcon className="h-4 w-4" />
                </Button>
-                <span>{title || <Trans>Sign field</Trans>}</span>
+                <span>
                  {title ||
                    (actionTarget === 'DOCUMENT' ? (
                      <Trans>Sign document</Trans>
                    ) : (
                      <Trans>Sign field</Trans>
                    ))}
                </span>
              </div>
            )}
            {(!selectedAuthType || validAuthTypes.length === 1) &&
-              (title || <Trans>Sign field</Trans>)}
+              (title ||
                (actionTarget === 'DOCUMENT' ? (
                  <Trans>Sign document</Trans>
                ) : (
                  <Trans>Sign field</Trans>
                )))}
          </DialogTitle>
          <DialogDescription>
-            {description || <Trans>Reauthentication is required to sign this field</Trans>}
+            {description || (
              <Trans>
                Reauthentication is required to sign this{' '}
                {actionTarget === 'DOCUMENT' ? 'document' : 'field'}
              </Trans>
            )}
          </DialogDescription>
        </DialogHeader>
@ -180,6 +198,7 @@ export const DocumentSigningAuthDialog = ({
            ))
            .with({ documentAuthType: DocumentAuth.TWO_FACTOR_AUTH }, () => (
              <DocumentSigningAuth2FA
                actionTarget={actionTarget === 'DOCUMENT' ? 'DOCUMENT' : 'FIELD'}
                open={open}
                onOpenChange={onOpenChange}
                onReauthFormSubmit={onReauthFormSubmit}
--- a/apps/remix/app/components/general/document-signing/document-signing-auth-provider.tsx
+++ b/apps/remix/app/components/general/document-signing/document-signing-auth-provider.tsx
@ -42,6 +42,7 @@ export type DocumentSigningAuthContextValue = {
  setPreferredPasskeyId: (_value: string | null) => void;
  user?: SessionUser | null;
  refetchPasskeys: () => Promise<void>;
  isEnterprise: boolean;
 };
 const DocumentSigningAuthContext = createContext<DocumentSigningAuthContextValue | null>(null);
@ -65,6 +66,7 @@ export interface DocumentSigningAuthProviderProps {
  recipient: Recipient;
  user?: SessionUser | null;
  children: React.ReactNode;
  isEnterprise: boolean;
 }
 export const DocumentSigningAuthProvider = ({
@ -72,6 +74,7 @@ export const DocumentSigningAuthProvider = ({
  recipient: initialRecipient,
  user,
  children,
  isEnterprise,
 }: DocumentSigningAuthProviderProps) => {
  const [documentAuthOptions, setDocumentAuthOptions] = useState(initialDocumentAuthOptions);
  const [recipient, setRecipient] = useState(initialRecipient);
@ -144,8 +147,13 @@ export const DocumentSigningAuthProvider = ({
  }, [derivedRecipientActionAuth, user, recipient]);
  const executeActionAuthProcedure = async (options: ExecuteActionAuthProcedureOptions) => {
-    // Directly run callback if no auth required.
+    // Determine if authentication is required based on enterprise status and action target.
-    if (!derivedRecipientActionAuth || options.actionTarget !== FieldType.SIGNATURE) {
+    const requiresAuthTrigger = isEnterprise
      ? derivedRecipientActionAuth && options.actionTarget === FieldType.SIGNATURE
      : derivedRecipientActionAuth && options.actionTarget === 'DOCUMENT';
    // Directly run callback if no auth trigger is needed.
    if (!requiresAuthTrigger) {
      await options.onReauthFormSubmit();
      return;
    }
@ -205,6 +213,7 @@ export const DocumentSigningAuthProvider = ({
        preferredPasskeyId,
        setPreferredPasskeyId,
        refetchPasskeys,
        isEnterprise,
      }}
    >
      {children}
@ -225,6 +234,8 @@ export const DocumentSigningAuthProvider = ({
 type ExecuteActionAuthProcedureOptions = Omit<
  DocumentSigningAuthDialogProps,
  'open' | 'onOpenChange' | 'documentAuthType' | 'recipientRole' | 'availableAuthTypes'
->;
+> & {
  actionTarget: FieldType | 'DOCUMENT';
 };
 DocumentSigningAuthProvider.displayName = 'DocumentSigningAuthProvider';
--- a/apps/remix/app/components/general/document-signing/document-signing-form.tsx
+++ b/apps/remix/app/components/general/document-signing/document-signing-form.tsx
@ -27,6 +27,7 @@ import {
  AssistantConfirmationDialog,
  type NextSigner,
 } from '../../dialogs/assistant-confirmation-dialog';
 import { useRequiredDocumentSigningAuthContext } from './document-signing-auth-provider';
 import { DocumentSigningCompleteDialog } from './document-signing-complete-dialog';
 import { useRequiredDocumentSigningContext } from './document-signing-provider';
@ -38,6 +39,7 @@ export type DocumentSigningFormProps = {
  isRecipientsTurn: boolean;
  allRecipients?: RecipientWithFields[];
  setSelectedSignerId?: (id: number | null) => void;
  isEnterprise: boolean;
 };
 export const DocumentSigningForm = ({
@ -48,6 +50,7 @@ export const DocumentSigningForm = ({
  isRecipientsTurn,
  allRecipients = [],
  setSelectedSignerId,
  isEnterprise,
 }: DocumentSigningFormProps) => {
  const { sessionData } = useOptionalSession();
  const user = sessionData?.user;
@ -61,6 +64,7 @@ export const DocumentSigningForm = ({
  const assistantSignersId = useId();
  const { fullName, signature, setFullName, setSignature } = useRequiredDocumentSigningContext();
  const { executeActionAuthProcedure } = useRequiredDocumentSigningAuthContext();
  const [validateUninsertedFields, setValidateUninsertedFields] = useState(false);
  const [isConfirmationDialogOpen, setIsConfirmationDialogOpen] = useState(false);
@ -113,11 +117,16 @@ export const DocumentSigningForm = ({
    setIsAssistantSubmitting(true);
    try {
-      await completeDocument(undefined, nextSigner);
+      await executeActionAuthProcedure({
        actionTarget: 'DOCUMENT',
        onReauthFormSubmit: async (authOptions) => {
          await completeDocument(authOptions, nextSigner);
        },
      });
    } catch (err) {
      toast({
-        title: 'Error',
+        title: _(msg`Error`),
-        description: 'An error occurred while completing the document. Please try again.',
+        description: _(msg`An error occurred while completing the document. Please try again.`),
        variant: 'destructive',
      });
@ -207,7 +216,12 @@ export const DocumentSigningForm = ({
                    fields={fields}
                    fieldsValidated={fieldsValidated}
                    onSignatureComplete={async (nextSigner) => {
-                      await completeDocument(undefined, nextSigner);
+                      await executeActionAuthProcedure({
                        actionTarget: 'DOCUMENT',
                        onReauthFormSubmit: async (authOptions) => {
                          await completeDocument(authOptions, nextSigner);
                        },
                      });
                    }}
                    role={recipient.role}
                    allowDictateNextSigner={document.documentMeta?.allowDictateNextSigner}
@ -367,7 +381,12 @@ export const DocumentSigningForm = ({
                  fieldsValidated={fieldsValidated}
                  disabled={!isRecipientsTurn}
                  onSignatureComplete={async (nextSigner) => {
-                    await completeDocument(undefined, nextSigner);
+                    await executeActionAuthProcedure({
                      actionTarget: 'DOCUMENT',
                      onReauthFormSubmit: async (authOptions) => {
                        await completeDocument(authOptions, nextSigner);
                      },
                    });
                  }}
                  role={recipient.role}
                  allowDictateNextSigner={
--- a/apps/remix/app/components/general/document-signing/document-signing-page-view.tsx
+++ b/apps/remix/app/components/general/document-signing/document-signing-page-view.tsx
@ -50,6 +50,7 @@ export type DocumentSigningPageViewProps = {
  isRecipientsTurn: boolean;
  allRecipients?: RecipientWithFields[];
  includeSenderDetails: boolean;
  isEnterprise: boolean;
 };
 export const DocumentSigningPageView = ({
@ -60,6 +61,7 @@ export const DocumentSigningPageView = ({
  isRecipientsTurn,
  allRecipients = [],
  includeSenderDetails,
  isEnterprise,
 }: DocumentSigningPageViewProps) => {
  const { documentData, documentMeta } = document;
@ -208,6 +210,7 @@ export const DocumentSigningPageView = ({
                  isRecipientsTurn={isRecipientsTurn}
                  allRecipients={allRecipients}
                  setSelectedSignerId={setSelectedSignerId}
                  isEnterprise={isEnterprise}
                />
              </div>
            </div>
--- a/apps/remix/app/components/general/template/template-edit-form.tsx
+++ b/apps/remix/app/components/general/template/template-edit-form.tsx
@ -157,7 +157,7 @@ export const TemplateEditForm = ({
      toast({
        title: _(msg`Error`),
-        description: _(msg`An error occurred while updating the document settings.`),
+        description: _(msg`An error occurred while updating the template settings.`),
        variant: 'destructive',
      });
    }
--- a/apps/remix/app/routes/_authenticated+/t.$teamUrl+/templates._index.tsx
+++ b/apps/remix/app/routes/_authenticated+/t.$teamUrl+/templates._index.tsx
@ -9,10 +9,10 @@ import { trpc } from '@documenso/trpc/react';
 import { Avatar, AvatarFallback, AvatarImage } from '@documenso/ui/primitives/avatar';
 import { FolderGrid } from '~/components/general/folder/folder-grid';
 import { TemplateDropZoneWrapper } from '~/components/general/template/template-drop-zone-wrapper';
 import { TemplatesTable } from '~/components/tables/templates-table';
 import { useCurrentTeam } from '~/providers/team';
 import { appMetaTags } from '~/utils/meta';
 import { TemplateDropZoneWrapper } from '~/components/general/template/template-drop-zone-wrapper';
 export function meta() {
  return appMetaTags('Templates');
--- a/apps/remix/app/routes/_recipient+/d.$token+/_index.tsx
+++ b/apps/remix/app/routes/_recipient+/d.$token+/_index.tsx
@ -94,6 +94,7 @@ export default function DirectTemplatePage() {
        documentAuthOptions={template.authOptions}
        recipient={directTemplateRecipient}
        user={user}
        isEnterprise={false}
      >
        <div className="mx-auto -mt-4 w-full max-w-screen-xl px-4 md:px-8">
          <h1
--- a/apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
+++ b/apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx
@ -19,6 +19,7 @@ import { getRecipientSignatures } from '@documenso/lib/server-only/recipient/get
 import { getRecipientsForAssistant } from '@documenso/lib/server-only/recipient/get-recipients-for-assistant';
 import { getTeamSettings } from '@documenso/lib/server-only/team/get-team-settings';
 import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
 import { isUserEnterprise } from '@documenso/lib/server-only/user/is-user-enterprise';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
 import { SigningCard3D } from '@documenso/ui/components/signing-card';
@ -41,6 +42,10 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    throw new Response('Not Found', { status: 404 });
  }
  const isEnterprise = user?.id
    ? await isUserEnterprise({ userId: user.id }).catch(() => false)
    : false;
  const [document, recipient, fields, completedFields] = await Promise.all([
    getDocumentAndSenderByToken({
      token,
@ -116,6 +121,7 @@ export async function loader({ params, request }: Route.LoaderArgs) {
      isDocumentAccessValid: false,
      recipientEmail: recipient.email,
      recipientHasAccount,
      isEnterprise,
    } as const);
  }
@ -153,6 +159,7 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    recipientSignature,
    isRecipientsTurn,
    includeSenderDetails: settings.includeSenderDetails,
    isEnterprise,
  } as const);
 }
@ -181,6 +188,7 @@ export default function SigningPage() {
    allRecipients,
    includeSenderDetails,
    recipientWithFields,
    isEnterprise,
  } = data;
  if (document.deletedAt || document.status === DocumentStatus.REJECTED) {
@ -246,6 +254,7 @@ export default function SigningPage() {
        documentAuthOptions={document.authOptions}
        recipient={recipient}
        user={user}
        isEnterprise={isEnterprise}
      >
        <DocumentSigningPageView
          recipient={recipientWithFields}
@ -255,6 +264,7 @@ export default function SigningPage() {
          isRecipientsTurn={isRecipientsTurn}
          allRecipients={allRecipients}
          includeSenderDetails={includeSenderDetails}
          isEnterprise={isEnterprise}
        />
      </DocumentSigningAuthProvider>
    </DocumentSigningProvider>
--- a/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/direct.$url.tsx
@ -88,6 +88,8 @@ export async function loader({ params, request }: Route.LoaderArgs) {
  const fields = template.fields.filter((field) => field.recipientId === directTemplateRecipientId);
  const isEnterpriseDocument = Boolean(organisationClaim);
  return superLoaderJson({
    token,
    user,
@ -96,12 +98,21 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    fields,
    hidePoweredBy,
    allowEmbedSigningWhitelabel,
    isEnterpriseDocument,
  });
 }
 export default function EmbedDirectTemplatePage() {
-  const { token, user, template, recipient, fields, hidePoweredBy, allowEmbedSigningWhitelabel } =
+  const {
-    useSuperLoaderData<typeof loader>();
+    token,
    user,
    template,
    recipient,
    fields,
    hidePoweredBy,
    allowEmbedSigningWhitelabel,
    isEnterpriseDocument,
  } = useSuperLoaderData<typeof loader>();
  return (
    <DocumentSigningProvider
@ -116,6 +127,7 @@ export default function EmbedDirectTemplatePage() {
        documentAuthOptions={template.authOptions}
        recipient={recipient}
        user={user}
        isEnterprise={isEnterpriseDocument}
      >
        <DocumentSigningRecipientProvider recipient={recipient}>
          <EmbedDirectTemplateClientPage
--- a/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
+++ b/apps/remix/app/routes/embed+/_v0+/sign.$url.tsx
@ -109,6 +109,8 @@ export async function loader({ params, request }: Route.LoaderArgs) {
        })
      : [];
  const isEnterpriseDocument = Boolean(organisationClaim);
  return superLoaderJson({
    token,
    user,
@ -119,6 +121,7 @@ export async function loader({ params, request }: Route.LoaderArgs) {
    completedFields,
    hidePoweredBy,
    allowEmbedSigningWhitelabel,
    isEnterpriseDocument,
  });
 }
@ -133,6 +136,7 @@ export default function EmbedSignDocumentPage() {
    completedFields,
    hidePoweredBy,
    allowEmbedSigningWhitelabel,
    isEnterpriseDocument,
  } = useSuperLoaderData<typeof loader>();
  return (
@ -148,6 +152,7 @@ export default function EmbedSignDocumentPage() {
        documentAuthOptions={document.authOptions}
        recipient={recipient}
        user={user}
        isEnterprise={isEnterpriseDocument}
      >
        <EmbedSignDocumentClientPage
          token={token}
--- a/apps/remix/app/routes/embed+/v1+/multisign+/_index.tsx
+++ b/apps/remix/app/routes/embed+/v1+/multisign+/_index.tsx
@ -48,6 +48,7 @@ export async function loader({ request }: Route.LoaderArgs) {
      user,
      hidePoweredBy: false,
      allowWhitelabelling: false,
      isEnterprise: false,
    });
  }
@ -55,17 +56,19 @@ export async function loader({ request }: Route.LoaderArgs) {
  const allowWhitelabelling = organisationClaim.flags.embedSigningWhiteLabel;
  const hidePoweredBy = organisationClaim.flags.hidePoweredBy;
  const isEnterprise = Boolean(organisationClaim.flags.cfr21);
  return superLoaderJson({
    envelopes,
    user,
    hidePoweredBy,
    allowWhitelabelling,
    isEnterprise,
  });
 }
 export default function MultisignPage() {
-  const { envelopes, user, hidePoweredBy, allowWhitelabelling } =
+  const { envelopes, user, hidePoweredBy, allowWhitelabelling, isEnterprise } =
    useSuperLoaderData<typeof loader>();
  const revalidator = useRevalidator();
@ -264,6 +267,7 @@ export default function MultisignPage() {
            documentAuthOptions={selectedDocument.authOptions}
            recipient={selectedRecipient}
            user={user}
            isEnterprise={isEnterprise}
          >
            <DocumentSigningRecipientProvider recipient={selectedRecipient} targetSigner={null}>
              <MultiSignDocumentSigningView
--- a/packages/app-tests/e2e/document-flow/settings-step.spec.ts
+++ b/packages/app-tests/e2e/document-flow/settings-step.spec.ts
@ -27,8 +27,8 @@ test('[DOCUMENT_FLOW]: add settings', async ({ page }) => {
  await page.getByRole('option').filter({ hasText: 'Require account' }).click();
  await expect(page.getByTestId('documentAccessSelectValue')).toContainText('Require account');
-  // Action auth should NOT be visible.
+  // Action auth should now be visible for all users
-  await expect(page.getByTestId('documentActionSelectValue')).not.toBeVisible();
+  await expect(page.getByTestId('documentActionSelectValue')).toBeVisible();
  // Save the settings by going to the next step.
--- a/packages/app-tests/e2e/templates-flow/template-settings-step.spec.ts
+++ b/packages/app-tests/e2e/templates-flow/template-settings-step.spec.ts
@ -25,8 +25,8 @@ test('[TEMPLATE_FLOW]: add settings', async ({ page }) => {
  await page.getByRole('option').filter({ hasText: 'Require account' }).click();
  await expect(page.getByTestId('documentAccessSelectValue')).toContainText('Require account');
-  // Action auth should NOT be visible.
+  // Action auth should now be visible for all users
-  await expect(page.getByTestId('documentActionSelectValue')).not.toBeVisible();
+  await expect(page.getByTestId('documentActionSelectValue')).toBeVisible();
  // Save the settings by going to the next step.
  await page.getByRole('button', { name: 'Continue' }).click();
--- a/packages/email/template-components/template-verification-code.tsx
+++ b/packages/email/template-components/template-verification-code.tsx
@ -0,0 +1,43 @@
 import { Trans } from '@lingui/react/macro';
 import { Section, Text } from '../components';
 import { TemplateDocumentImage } from './template-document-image';
 export type TemplateVerificationCodeProps = {
  verificationCode: string;
  assetBaseUrl: string;
 };
 export const TemplateVerificationCode = ({
  verificationCode,
  assetBaseUrl,
 }: TemplateVerificationCodeProps) => {
  return (
    <>
      <TemplateDocumentImage className="mt-6" assetBaseUrl={assetBaseUrl} />
      <Section className="flex-row items-center justify-center">
        <Text className="text-primary mx-auto mb-0 max-w-[80%] text-center text-lg font-semibold">
          <Trans>Your verification code</Trans>
        </Text>
        <Text className="my-1 text-center text-base text-slate-400">
          <Trans>Please use the code below to verify your identity for document signing.</Trans>
        </Text>
        <Text className="my-6 text-center text-3xl font-bold tracking-widest">
          {verificationCode}
        </Text>
        <Text className="my-1 text-center text-sm text-slate-400">
          <Trans>
            If you did not request this code, you can ignore this email. The code will expire after
            10 minutes.
          </Trans>
        </Text>
      </Section>
    </>
  );
 };
 export default TemplateVerificationCode;
--- a/packages/email/templates/verification-code.tsx
+++ b/packages/email/templates/verification-code.tsx
@ -0,0 +1,62 @@
 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
 import { Body, Container, Head, Hr, Html, Img, Preview, Section } from '../components';
 import { useBranding } from '../providers/branding';
 import { TemplateFooter } from '../template-components/template-footer';
 import type { TemplateVerificationCodeProps } from '../template-components/template-verification-code';
 import { TemplateVerificationCode } from '../template-components/template-verification-code';
 export type VerificationCodeTemplateProps = Partial<TemplateVerificationCodeProps>;
 export const VerificationCodeTemplate = ({
  verificationCode = '000000',
  assetBaseUrl = 'http://localhost:3002',
 }: VerificationCodeTemplateProps) => {
  const { _ } = useLingui();
  const branding = useBranding();
  const previewText = msg`Your verification code for document signing`;
  const getAssetUrl = (path: string) => {
    return new URL(path, assetBaseUrl).toString();
  };
  return (
    <Html>
      <Head />
      <Preview>{_(previewText)}</Preview>
      <Body className="mx-auto my-auto font-sans">
        <Section className="bg-white">
          <Container className="mx-auto mb-2 mt-8 max-w-xl rounded-lg border border-solid border-slate-200 p-2 backdrop-blur-sm">
            <Section className="p-2">
              {branding.brandingEnabled && branding.brandingLogo ? (
                <Img src={branding.brandingLogo} alt="Branding Logo" className="mb-4 h-6" />
              ) : (
                <Img
                  src={getAssetUrl('/static/logo.png')}
                  alt="Documenso Logo"
                  className="mb-4 h-6"
                />
              )}
              <TemplateVerificationCode
                verificationCode={verificationCode}
                assetBaseUrl={assetBaseUrl}
              />
            </Section>
          </Container>
          <Hr className="mx-auto mt-12 max-w-xl" />
          <Container className="mx-auto max-w-xl">
            <TemplateFooter isDocument={false} />
          </Container>
        </Section>
      </Body>
    </Html>
  );
 };
 export default VerificationCodeTemplate;
--- a/packages/lib/server-only/2fa/send-email-verification.ts
+++ b/packages/lib/server-only/2fa/send-email-verification.ts
@ -0,0 +1,120 @@
 import { createElement } from 'react';
 import { msg } from '@lingui/core/macro';
 import { randomInt } from 'crypto';
 import { AuthenticationErrorCode } from '@documenso/auth/server/lib/errors/error-codes';
 import { mailer } from '@documenso/email/mailer';
 import { VerificationCodeTemplate } from '@documenso/email/templates/verification-code';
 import { AppError } from '@documenso/lib/errors/app-error';
 import { prisma } from '@documenso/prisma';
 import { getI18nInstance } from '../../client-only/providers/i18n-server';
 import { NEXT_PUBLIC_WEBAPP_URL } from '../../constants/app';
 import { FROM_ADDRESS, FROM_NAME } from '../../constants/email';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
 const ExtendedAuthErrorCode = {
  ...AuthenticationErrorCode,
  InternalError: 'INTERNAL_ERROR',
  VerificationNotFound: 'VERIFICATION_NOT_FOUND',
  VerificationExpired: 'VERIFICATION_EXPIRED',
 };
 const VERIFICATION_CODE_EXPIRY = 10 * 60 * 1000;
 export type SendEmailVerificationOptions = {
  userId: number;
  email: string;
 };
 export const sendEmailVerification = async ({ userId, email }: SendEmailVerificationOptions) => {
  try {
    const verificationCode = randomInt(100000, 1000000).toString();
    const i18n = await getI18nInstance();
    await prisma.userTwoFactorEmailVerification.upsert({
      where: {
        userId,
      },
      create: {
        userId,
        verificationCode,
        expiresAt: new Date(Date.now() + VERIFICATION_CODE_EXPIRY),
      },
      update: {
        verificationCode,
        expiresAt: new Date(Date.now() + VERIFICATION_CODE_EXPIRY),
      },
    });
    const template = createElement(VerificationCodeTemplate, {
      verificationCode,
      assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
    });
    const [html, text] = await Promise.all([
      renderEmailWithI18N(template, { lang: 'en' }),
      renderEmailWithI18N(template, { lang: 'en', plainText: true }),
    ]);
    await mailer.sendMail({
      to: email,
      from: {
        name: FROM_NAME,
        address: FROM_ADDRESS,
      },
      subject: i18n._(msg`Your verification code for document signing`),
      html,
      text,
    });
    return { success: true };
  } catch (error) {
    console.error('Error sending email verification', error);
    throw new AppError(ExtendedAuthErrorCode.InternalError);
  }
 };
 export type VerifyEmailCodeOptions = {
  userId: number;
  code: string;
 };
 export const verifyEmailCode = async ({ userId, code }: VerifyEmailCodeOptions) => {
  try {
    const verification = await prisma.userTwoFactorEmailVerification.findUnique({
      where: {
        userId,
      },
    });
    if (!verification) {
      throw new AppError(ExtendedAuthErrorCode.VerificationNotFound);
    }
    if (verification.expiresAt < new Date()) {
      throw new AppError(ExtendedAuthErrorCode.VerificationExpired);
    }
    if (verification.verificationCode !== code) {
      throw new AppError(AuthenticationErrorCode.InvalidTwoFactorCode);
    }
    await prisma.userTwoFactorEmailVerification.delete({
      where: {
        userId,
      },
    });
    return { success: true };
  } catch (error) {
    console.error('Error verifying email code', error);
    if (error instanceof AppError) {
      throw error;
    }
    throw new AppError(ExtendedAuthErrorCode.InternalError);
  }
 };
--- a/packages/lib/server-only/document/update-document.ts
+++ b/packages/lib/server-only/document/update-document.ts
@ -1,5 +1,4 @@
-import { DocumentVisibility } from '@prisma/client';
+import { DocumentStatus, DocumentVisibility, TeamMemberRole } from '@prisma/client';
 import { DocumentStatus, TeamMemberRole } from '@prisma/client';
 import { isDeepEqual } from 'remeda';
 import { match } from 'ts-pattern';
@ -119,13 +118,6 @@ export const updateDocument = async ({
  const newGlobalActionAuth =
    data?.globalActionAuth === undefined ? documentGlobalActionAuth : data.globalActionAuth;
  // Check if user has permission to set the global action auth.
  if (newGlobalActionAuth.length > 0 && !document.team.organisation.organisationClaim.flags.cfr21) {
    throw new AppError(AppErrorCode.UNAUTHORIZED, {
      message: 'You do not have permission to set the action auth',
    });
  }
  const isTitleSame = data.title === undefined || data.title === document.title;
  const isExternalIdSame = data.externalId === undefined || data.externalId === document.externalId;
  const isGlobalAccessSame =
--- a/packages/lib/server-only/field/sign-field-with-token.ts
+++ b/packages/lib/server-only/field/sign-field-with-token.ts
@ -15,7 +15,7 @@ import { AUTO_SIGNABLE_FIELD_TYPES } from '../../constants/autosign';
 import { DEFAULT_DOCUMENT_DATE_FORMAT } from '../../constants/date-formats';
 import { DEFAULT_DOCUMENT_TIME_ZONE } from '../../constants/time-zones';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
-import type { TRecipientActionAuth } from '../../types/document-auth';
+import type { TRecipientActionAuth, TRecipientActionAuthTypes } from '../../types/document-auth';
 import {
  ZCheckboxFieldMeta,
  ZDropdownFieldMeta,
@ -25,7 +25,9 @@ import {
 } from '../../types/field-meta';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import { extractDocumentAuthMethods } from '../../utils/document-auth';
 import { validateFieldAuth } from '../document/validate-field-auth';
 import { isUserEnterprise } from '../user/is-user-enterprise';
 export type SignFieldWithTokenOptions = {
  token: string;
@ -171,13 +173,25 @@ export const signFieldWithToken = async ({
    }
  }
-  const derivedRecipientActionAuth = await validateFieldAuth({
+  const isEnterprise = userId ? await isUserEnterprise({ userId }) : false;
-    documentAuthOptions: document.authOptions,
+  let requiredAuthType: TRecipientActionAuthTypes | null = null;
-    recipient,
+
-    field,
+  if (isEnterprise) {
-    userId,
+    const authType = await validateFieldAuth({
-    authOptions,
+      documentAuthOptions: document.authOptions,
-  });
+      recipient,
      field,
      userId,
      authOptions,
    });
    requiredAuthType = authType ?? null;
  } else {
    const { derivedRecipientActionAuth } = extractDocumentAuthMethods({
      documentAuth: document.authOptions,
      recipientAuth: recipient.authOptions,
    });
    requiredAuthType = derivedRecipientActionAuth.length > 0 ? derivedRecipientActionAuth[0] : null;
  }
  const documentMeta = await prisma.documentMeta.findFirst({
    where: {
@ -311,9 +325,9 @@ export const signFieldWithToken = async ({
              }),
            )
            .exhaustive(),
-          fieldSecurity: derivedRecipientActionAuth
+          fieldSecurity: requiredAuthType
            ? {
-                type: derivedRecipientActionAuth,
+                type: requiredAuthType,
              }
            : undefined,
        },
--- a/packages/lib/server-only/organisation/get-organisation-claims.ts
+++ b/packages/lib/server-only/organisation/get-organisation-claims.ts
@ -37,3 +37,23 @@ export const getOrganisationClaimByTeamId = async ({ teamId }: { teamId: number
  return organisationClaim;
 };
 export const getOrganisationClaimByUserId = async ({ userId }: { userId: number }) => {
  const organisationClaim = await prisma.organisationClaim.findFirst({
    where: {
      organisation: {
        members: {
          some: {
            userId: userId,
          },
        },
      },
    },
  });
  if (!organisationClaim) {
    throw new AppError(AppErrorCode.NOT_FOUND);
  }
  return organisationClaim;
 };
--- a/packages/lib/server-only/template/update-template.ts
+++ b/packages/lib/server-only/template/update-template.ts
@ -4,8 +4,10 @@ import { prisma } from '@documenso/prisma';
 import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { TDocumentAccessAuthTypes, TDocumentActionAuthTypes } from '../../types/document-auth';
 import { DocumentAuth } from '../../types/document-auth';
 import { createDocumentAuthOptions, extractDocumentAuthMethods } from '../../utils/document-auth';
 import { buildTeamWhereQuery } from '../../utils/teams';
 import { isUserEnterprise } from '../user/is-user-enterprise';
 export type UpdateTemplateOptions = {
  userId: number;
@ -76,10 +78,21 @@ export const updateTemplate = async ({
    data?.globalActionAuth === undefined ? documentGlobalActionAuth : data.globalActionAuth;
  // Check if user has permission to set the global action auth.
-  if (newGlobalActionAuth.length > 0 && !template.team.organisation.organisationClaim.flags.cfr21) {
+  // Only ACCOUNT and PASSKEY require enterprise permissions
-    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+  if (
-      message: 'You do not have permission to set the action auth',
+    newGlobalActionAuth &&
    (newGlobalActionAuth.includes(DocumentAuth.ACCOUNT) ||
      newGlobalActionAuth.includes(DocumentAuth.PASSKEY))
  ) {
    const isDocumentEnterprise = await isUserEnterprise({
      userId,
    });
    if (!isDocumentEnterprise) {
      throw new AppError(AppErrorCode.UNAUTHORIZED, {
        message: 'You do not have permission to set this action auth type',
      });
    }
  }
  const authOptions = createDocumentAuthOptions({
--- a/packages/lib/server-only/user/is-user-enterprise.ts
+++ b/packages/lib/server-only/user/is-user-enterprise.ts
@ -0,0 +1,14 @@
 import { getOrganisationClaimByUserId } from '../organisation/get-organisation-claims';
 /**
 * Check if a user has enterprise features enabled (cfr21 flag).
 */
 export const isUserEnterprise = async ({ userId }: { userId: number }): Promise<boolean> => {
  try {
    const organisationClaim = await getOrganisationClaimByUserId({ userId });
    return Boolean(organisationClaim.flags.cfr21);
  } catch {
    // If we can't find the organisation claim, assume non-enterprise
    return false;
  }
 };
--- a/packages/lib/types/document-auth.ts
+++ b/packages/lib/types/document-auth.ts
@ -82,6 +82,16 @@ export const ZDocumentActionAuthTypesSchema = z
    'The type of authentication required for the recipient to sign the document. This field is restricted to Enterprise plan users only.',
  );
 /**
 * The non-enterprise document action auth methods.
 *
 * Only includes options available to non-enterprise users.
 */
 export const ZNonEnterpriseDocumentActionAuthTypesSchema = z.enum([
  DocumentAuth.TWO_FACTOR_AUTH,
  DocumentAuth.EXPLICIT_NONE,
 ]);
 /**
 * The recipient access auth methods.
 *
@ -118,6 +128,7 @@ export const ZRecipientActionAuthTypesSchema = z
 export const DocumentAccessAuth = ZDocumentAccessAuthTypesSchema.Enum;
 export const DocumentActionAuth = ZDocumentActionAuthTypesSchema.Enum;
 export const NonEnterpriseDocumentActionAuth = ZNonEnterpriseDocumentActionAuthTypesSchema.Enum;
 export const RecipientAccessAuth = ZRecipientAccessAuthTypesSchema.Enum;
 export const RecipientActionAuth = ZRecipientActionAuthTypesSchema.Enum;
@ -201,6 +212,9 @@ export type TDocumentAccessAuth = z.infer<typeof ZDocumentAccessAuthSchema>;
 export type TDocumentAccessAuthTypes = z.infer<typeof ZDocumentAccessAuthTypesSchema>;
 export type TDocumentActionAuth = z.infer<typeof ZDocumentActionAuthSchema>;
 export type TDocumentActionAuthTypes = z.infer<typeof ZDocumentActionAuthTypesSchema>;
 export type TNonEnterpriseDocumentActionAuthTypes = z.infer<
  typeof ZNonEnterpriseDocumentActionAuthTypesSchema
 >;
 export type TRecipientAccessAuth = z.infer<typeof ZRecipientAccessAuthSchema>;
 export type TRecipientAccessAuthTypes = z.infer<typeof ZRecipientAccessAuthTypesSchema>;
 export type TRecipientActionAuth = z.infer<typeof ZRecipientActionAuthSchema>;
--- a/packages/prisma/migrations/20250722134012_add_email_migration/migration.sql
+++ b/packages/prisma/migrations/20250722134012_add_email_migration/migration.sql
@ -0,0 +1,12 @@
 -- CreateTable
 CREATE TABLE "UserTwoFactorEmailVerification" (
    "userId" INTEGER NOT NULL,
    "verificationCode" TEXT NOT NULL,
    "expiresAt" TIMESTAMP(3) NOT NULL,
    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
    CONSTRAINT "UserTwoFactorEmailVerification_pkey" PRIMARY KEY ("userId")
 );
 -- AddForeignKey
 ALTER TABLE "UserTwoFactorEmailVerification" ADD CONSTRAINT "UserTwoFactorEmailVerification_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@ -59,9 +59,10 @@ model User {
  ownedOrganisations Organisation[]
  organisationMember OrganisationMember[]
-  twoFactorSecret      String?
+  twoFactorSecret            String?
-  twoFactorEnabled     Boolean @default(false)
+  twoFactorEnabled           Boolean                         @default(false)
-  twoFactorBackupCodes String?
+  twoFactorBackupCodes       String?
  twoFactorEmailVerification UserTwoFactorEmailVerification?
  folders   Folder[]
  documents Document[]
@ -985,6 +986,15 @@ model AvatarImage {
  organisation Organisation[]
 }
 model UserTwoFactorEmailVerification {
  userId           Int      @id
  verificationCode String
  expiresAt        DateTime
  createdAt        DateTime @default(now())
  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
 }
 enum EmailDomainStatus {
  PENDING
  ACTIVE
--- a/packages/trpc/server/auth-router/router.ts
+++ b/packages/trpc/server/auth-router/router.ts
@ -1,5 +1,10 @@
 import type { RegistrationResponseJSON } from '@simplewebauthn/types';
 import { AppError } from '@documenso/lib/errors/app-error';
 import {
  sendEmailVerification,
  verifyEmailCode,
 } from '@documenso/lib/server-only/2fa/send-email-verification';
 import { createPasskey } from '@documenso/lib/server-only/auth/create-passkey';
 import { createPasskeyAuthenticationOptions } from '@documenso/lib/server-only/auth/create-passkey-authentication-options';
 import { createPasskeyRegistrationOptions } from '@documenso/lib/server-only/auth/create-passkey-registration-options';
@ -8,6 +13,7 @@ import { deletePasskey } from '@documenso/lib/server-only/auth/delete-passkey';
 import { findPasskeys } from '@documenso/lib/server-only/auth/find-passkeys';
 import { updatePasskey } from '@documenso/lib/server-only/auth/update-passkey';
 import { nanoid } from '@documenso/lib/universal/id';
 import { prisma } from '@documenso/prisma';
 import { authenticatedProcedure, procedure, router } from '../trpc';
 import {
@ -15,7 +21,9 @@ import {
  ZCreatePasskeyMutationSchema,
  ZDeletePasskeyMutationSchema,
  ZFindPasskeysQuerySchema,
  ZSendEmailVerificationMutationSchema,
  ZUpdatePasskeyMutationSchema,
  ZVerifyEmailCodeMutationSchema,
 } from './schema';
 export const authRouter = router({
@ -110,4 +118,68 @@ export const authRouter = router({
        requestMetadata: ctx.metadata.requestMetadata,
      });
    }),
  // Email verification for document signing
  sendEmailVerification: authenticatedProcedure
    .input(ZSendEmailVerificationMutationSchema)
    .mutation(async ({ ctx, input }) => {
      const { recipientId } = input;
      const userId = ctx.user.id;
      let email = ctx.user.email;
      // If recipientId is provided, fetch that recipient's details
      if (recipientId) {
        const recipient = await prisma.recipient.findUnique({
          where: {
            id: recipientId,
          },
          select: {
            email: true,
          },
        });
        if (!recipient) {
          throw new AppError('NOT_FOUND', {
            message: 'Recipient not found',
          });
        }
        email = recipient.email;
      }
      return sendEmailVerification({
        userId,
        email,
      });
    }),
  verifyEmailCode: authenticatedProcedure
    .input(ZVerifyEmailCodeMutationSchema)
    .mutation(async ({ ctx, input }) => {
      const { code, recipientId } = input;
      const userId = ctx.user.id;
      // If recipientId is provided, check that the user has access to it
      if (recipientId) {
        const recipient = await prisma.recipient.findUnique({
          where: {
            id: recipientId,
          },
          select: {
            email: true,
          },
        });
        if (!recipient) {
          throw new AppError('NOT_FOUND', {
            message: 'Recipient not found',
          });
        }
      }
      return verifyEmailCode({
        userId,
        code,
      });
    }),
 });
--- a/packages/trpc/server/auth-router/schema.ts
+++ b/packages/trpc/server/auth-router/schema.ts
@ -71,3 +71,18 @@ export const ZFindPasskeysQuerySchema = ZFindSearchParamsSchema.extend({
 });
 export type TSignUpMutationSchema = z.infer<typeof ZSignUpMutationSchema>;
 export const ZSendEmailVerificationMutationSchema = z.object({
  recipientId: z.number().optional(),
 });
 export type TSendEmailVerificationMutationSchema = z.infer<
  typeof ZSendEmailVerificationMutationSchema
 >;
 export const ZVerifyEmailCodeMutationSchema = z.object({
  code: z.string().min(6).max(6),
  recipientId: z.number().optional(),
 });
 export type TVerifyEmailCodeMutationSchema = z.infer<typeof ZVerifyEmailCodeMutationSchema>;
--- a/packages/ui/components/document/document-global-auth-action-select.tsx
+++ b/packages/ui/components/document/document-global-auth-action-select.tsx
@ -4,70 +4,70 @@ import { Trans } from '@lingui/react/macro';
 import { InfoIcon } from 'lucide-react';
 import { DOCUMENT_AUTH_TYPES } from '@documenso/lib/constants/document-auth';
-import { DocumentActionAuth, DocumentAuth } from '@documenso/lib/types/document-auth';
+import {
-import { MultiSelect, type Option } from '@documenso/ui/primitives/multiselect';
+  DocumentActionAuth,
  DocumentAuth,
  NonEnterpriseDocumentActionAuth,
 } from '@documenso/lib/types/document-auth';
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from '@documenso/ui/primitives/select';
 import { Tooltip, TooltipContent, TooltipTrigger } from '@documenso/ui/primitives/tooltip';
 export interface DocumentGlobalAuthActionSelectProps {
  value?: string[];
  defaultValue?: string[];
  onValueChange?: (value: string[]) => void;
  disabled?: boolean;
  placeholder?: string;
  isDocumentEnterprise?: boolean;
 }
 export const DocumentGlobalAuthActionSelect = ({
  value,
  defaultValue,
  onValueChange,
  disabled,
  placeholder,
  isDocumentEnterprise,
 }: DocumentGlobalAuthActionSelectProps) => {
  const { _ } = useLingui();
-  // Convert auth types to MultiSelect options
+  const authTypes = isDocumentEnterprise
-  const authOptions: Option[] = [
+    ? Object.values(DocumentActionAuth).filter((auth) => auth !== DocumentAuth.ACCOUNT)
-    {
+    : Object.values(NonEnterpriseDocumentActionAuth).filter(
-      value: '-1',
+        (auth) => auth !== DocumentAuth.EXPLICIT_NONE,
-      label: _(msg`No restrictions`),
+      );
    },
    ...Object.values(DocumentActionAuth)
      .filter((auth) => auth !== DocumentAuth.ACCOUNT)
      .map((authType) => ({
        value: authType,
        label: DOCUMENT_AUTH_TYPES[authType].value,
      })),
  ];
-  // Convert string array to Option array for MultiSelect
+  const selectedValue = value?.[0] || '';
  const selectedOptions =
    (value
      ?.map((val) => authOptions.find((option) => option.value === val))
      .filter(Boolean) as Option[]) || [];
-  // Convert default value to Option array
+  const handleChange = (newValue: string) => {
-  const defaultOptions =
+    if (newValue === '-1') {
-    (defaultValue
+      onValueChange?.([]);
-      ?.map((val) => authOptions.find((option) => option.value === val))
+    } else {
-      .filter(Boolean) as Option[]) || [];
+      onValueChange?.([newValue]);
-
+    }
  const handleChange = (options: Option[]) => {
    const values = options.map((option) => option.value);
    onValueChange?.(values);
  };
  return (
-    <MultiSelect
+    <Select value={selectedValue || '-1'} onValueChange={handleChange} disabled={disabled}>
-      value={selectedOptions}
+      <SelectTrigger
-      defaultOptions={defaultOptions}
+        className="bg-background text-muted-foreground"
-      options={authOptions}
+        data-testid="documentActionSelectValue"
-      onChange={handleChange}
+      >
-      disabled={disabled}
+        <SelectValue placeholder={placeholder || _(msg`Select authentication method`)} />
-      placeholder={placeholder || _(msg`Select authentication methods`)}
+      </SelectTrigger>
-      className="bg-background text-muted-foreground"
+      <SelectContent>
-      hideClearAllButton={false}
+        <SelectItem value="-1">{_(msg`No restrictions`)}</SelectItem>
-      data-testid="documentActionSelectValue"
+        {authTypes.map((authType) => (
-    />
+          <SelectItem key={authType} value={authType}>
            {DOCUMENT_AUTH_TYPES[authType].value}
          </SelectItem>
        ))}
      </SelectContent>
    </Select>
  );
 };
@ -86,14 +86,14 @@ export const DocumentGlobalAuthActionTooltip = () => (
      <p>
        <Trans>
-          The authentication methods required for recipients to sign the signature field.
+          The authentication method required for recipients to sign the signature field.
        </Trans>
      </p>
      <p>
        <Trans>
-          These can be overriden by setting the authentication requirements directly on each
+          This can be overridden by setting the authentication requirements directly on each
-          recipient in the next step. Multiple methods can be selected.
+          recipient in the next step.
        </Trans>
      </p>
--- a/packages/ui/primitives/document-flow/add-settings.tsx
+++ b/packages/ui/primitives/document-flow/add-settings.tsx
@ -294,28 +294,27 @@ export const AddSettingsFormPartial = ({
              />
            )}
-            {organisation.organisationClaim.flags.cfr21 && (
+            <FormField
-              <FormField
+              control={form.control}
-                control={form.control}
+              name="globalActionAuth"
-                name="globalActionAuth"
+              render={({ field }) => (
-                render={({ field }) => (
+                <FormItem>
-                  <FormItem>
+                  <FormLabel className="flex flex-row items-center">
-                    <FormLabel className="flex flex-row items-center">
+                    <Trans>Recipient action authentication</Trans>
-                      <Trans>Recipient action authentication</Trans>
+                    <DocumentGlobalAuthActionTooltip />
-                      <DocumentGlobalAuthActionTooltip />
+                  </FormLabel>
                    </FormLabel>
-                    <FormControl>
+                  <FormControl>
-                      <DocumentGlobalAuthActionSelect
+                    <DocumentGlobalAuthActionSelect
-                        value={field.value}
+                      value={field.value}
-                        disabled={field.disabled}
+                      disabled={field.disabled}
-                        onValueChange={field.onChange}
+                      onValueChange={field.onChange}
-                      />
+                      isDocumentEnterprise={organisation?.organisationClaim?.flags?.cfr21 || false}
-                    </FormControl>
+                    />
-                  </FormItem>
+                  </FormControl>
-                )}
+                </FormItem>
-              />
+              )}
-            )}
+            />
            <Accordion type="multiple" className="mt-6">
              <AccordionItem value="advanced-options" className="border-none">
--- a/packages/ui/primitives/template-flow/add-template-settings.tsx
+++ b/packages/ui/primitives/template-flow/add-template-settings.tsx
@ -382,28 +382,27 @@ export const AddTemplateSettingsFormPartial = ({
              )}
            />
-            {organisation.organisationClaim.flags.cfr21 && (
+            <FormField
-              <FormField
+              control={form.control}
-                control={form.control}
+              name="globalActionAuth"
-                name="globalActionAuth"
+              render={({ field }) => (
-                render={({ field }) => (
+                <FormItem>
-                  <FormItem>
+                  <FormLabel className="flex flex-row items-center">
-                    <FormLabel className="flex flex-row items-center">
+                    <Trans>Recipient action authentication</Trans>
-                      <Trans>Recipient action authentication</Trans>
+                    <DocumentGlobalAuthActionTooltip />
-                      <DocumentGlobalAuthActionTooltip />
+                  </FormLabel>
                    </FormLabel>
-                    <FormControl>
+                  <FormControl>
-                      <DocumentGlobalAuthActionSelect
+                    <DocumentGlobalAuthActionSelect
-                        value={field.value}
+                      value={field.value}
-                        disabled={field.disabled}
+                      disabled={field.disabled}
-                        onValueChange={field.onChange}
+                      onValueChange={field.onChange}
-                      />
+                      isDocumentEnterprise={organisation.organisationClaim.flags.cfr21}
-                    </FormControl>
+                    />
-                  </FormItem>
+                  </FormControl>
-                )}
+                </FormItem>
-              />
+              )}
-            )}
+            />
            {distributionMethod === DocumentDistributionMethod.EMAIL && (
              <Accordion type="multiple">
Author	SHA1	Message	Date
Ephraim Atta-Duncan	35410e100e	fix: merge conflicts	2025-08-14 22:13:19 +00:00
Ephraim Atta-Duncan	e52af336b4	Merge branch 'main' into feat/document-2fa-redo	2025-08-01 09:00:30 +00:00
Ephraim Atta-Duncan	04e3e1eeb9	fix: remove multiselect for auth select	2025-07-22 15:18:40 +00:00
Ephraim Atta-Duncan	43810c4357	feat: document 2fa	2025-07-22 14:08:03 +00:00