Account Security Settings
The settings UI for managing passwords, email, and MFA preferences.
Documentation
Overview
The Account Security section in Profile Settings provides a unified interface for managing all security-related account features.
Sections
Change / Set Password
- Detects whether the user has an existing password or is an OAuth-only account
- Adapts the form accordingly — "Change Password" (3 fields) vs "Set Password" (2 fields)
Update Email
- Requires password confirmation before initiating an email change
- Sends a confirmation link to the new email address via Resend
- The email is only updated in the database after the user clicks the confirmation link
- Confirmation tokens are stored on the User model and validated via a dedicated API route
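The token handling behind the Update Email flow above, as an added example that is not this project's code. The field names, the 30-minute lifetime, and the choice to store only a SHA-256 hash of the token are assumptions; the page does not say how the token is stored or how long it lives.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical subset of the User model; field names are assumptions.
interface User {
  email: string;
  pendingEmail: string | null;
  emailTokenHash: string | null;    // hex SHA-256 of the token
  emailTokenExpires: number | null; // epoch milliseconds
}

const TOKEN_TTL_MS = 30 * 60 * 1000; // assumed lifetime

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();

function clearPending(user: User): void {
  user.pendingEmail = null;
  user.emailTokenHash = null;
  user.emailTokenExpires = null;
}

// Runs after the password confirmation has passed. Returns the raw token for
// the link mailed to the NEW address; the record keeps only its hash, so a
// read of the user table does not yield a usable link.
function requestEmailChange(user: User, newEmail: string, now: number): string {
  const token = randomBytes(32).toString("hex");
  user.pendingEmail = newEmail;
  user.emailTokenHash = sha256(token).toString("hex");
  user.emailTokenExpires = now + TOKEN_TTL_MS;
  return token;
}

// Logic for the confirmation route: user.email changes only here, only for a
// matching unexpired token, and the token is cleared so the link works once.
function confirmEmailChange(user: User, token: string, now: number): boolean {
  if (!user.pendingEmail || !user.emailTokenHash || user.emailTokenExpires === null) {
    return false; // nothing pending, or the link was already used
  }
  if (now > user.emailTokenExpires) {
    clearPending(user);
    return false;
  }
  const stored = Buffer.from(user.emailTokenHash, "hex");
  const presented = sha256(token);
  // Constant-time comparison of equal-length digests.
  if (stored.length !== presented.length || !timingSafeEqual(stored, presented)) {
    return false;
  }
  user.email = user.pendingEmail;
  clearPending(user);
  return true;
}
```

A newer request overwrites the stored hash, so an earlier unconfirmed link stops working as soon as the user asks for a different address.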
Multi-Factor Authentication
- Collapsible cards for each MFA method (TOTP, Email, Passkey)
- TOTP shows a QR code wizard for setup with a verification step before enabling
- Email MFA is a simple toggle
- Passkey section shows registered passkeys with names and dates, plus a registration form
- "Disable All MFA" button with confirmation for quick teardown
Data Flow
All settings mutations go through the account tRPC router. The getMfaStatus query provides the current state of all security features in a single call, minimizing round trips.