Recovery: No way to actually reset a password or passkey #3

Open
@claudiodekker

Due to an oversight, it's currently only possible to use recovery codes / account reset links to regain access to the account, but not to reset your credentials once authenticated (as changing your password at that point requires your current password to be provided).

To solve this, I'll change the way account recovery works. Instead of directly authenticating the user and sending them to the account settings page, I will make it so that the user enters a "confirmed recovery state" (similar to the 2FA challenges) where the user can then (depending on the account type) either register a new passkey, or choose a new password.

Once a new credential has been registered and the recovery mode cleared, the user will be returned to the login page.
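The flow proposed in this issue, sketched as an added example (not the project's code and not written by the issue author): a confirmed recovery code puts the session into a recovery-only state that unlocks credential registration but never the account settings, and clearing it sends the user back to login. The route names, class names, single-use codes and PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

class RecoveryError(Exception):
    pass

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class Account:
    def __init__(self, user_id, kind, recovery_codes):
        self.user_id = user_id
        self.kind = kind                       # "password" or "passkey"
        self.recovery = {_digest(c) for c in recovery_codes}
        self.credential = None

class Session:
    def __init__(self):
        self.user_id = None      # set only by a normal login
        self.recovering = None   # set only by a confirmed recovery

def confirm_recovery(session, account, code):
    """Enter the confirmed recovery state; this does NOT log the user in."""
    given = _digest(code)
    match = next((h for h in account.recovery
                  if hmac.compare_digest(h, given)), None)
    if match is None:
        raise RecoveryError("invalid recovery code")
    account.recovery.discard(match)            # assumption: codes are single-use
    session.recovering = account.user_id

def allowed(session, route):
    """Route gate (hypothetical route names): recovery unlocks only the reset step."""
    if route == "account.settings":
        return session.user_id is not None
    if route == "recovery.reset":
        return session.recovering is not None
    return route == "login"

def reset_credential(session, account, kind, secret):
    if session.recovering is None or session.recovering != account.user_id:
        raise RecoveryError("not in confirmed recovery state")
    if kind != account.kind:
        raise RecoveryError("credential type does not match account type")
    if kind == "password":                     # store a salted hash, never the password
        salt = secrets.token_bytes(16)
        secret = salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 600_000)
    account.credential = (kind, secret)        # passkey: secret is the new credential id
    session.recovering = None                  # clear recovery mode
    return "login"                             # user must now log in normally
```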

Labels: bug, enhancement

Project status: In Progress
