* 🧯 fix: Remove revoked agents from user favorites
When agent access is revoked, the agent remained in the user's favorites
causing repeated 403 errors on page load. Backend now cleans up favorites
on permission revocation; frontend treats 403 like 404 and auto-removes
stale agent references.
* 🧪 fix: Address review findings for stale agent favorites cleanup
- Guard cleanup effect with ref to prevent infinite loop on mutation
failure (Finding 1)
- Use validated results.revoked instead of raw request payload for
revokedUserIds (Finding 3)
- Stabilize staleAgentIds memo with string key to avoid spurious
re-evaluation during drag-drop (Finding 5)
- Add JSDoc with param types to removeRevokedAgentFromFavorites
(Finding 7)
- Return promise from removeRevokedAgentFromFavorites for testability
- Add 7 backend tests covering revocation cleanup paths
- Add 3 frontend tests for 403 handling and stale cleanup persistence
* fix: require OTP verification for 2FA re-enrollment and backup code regeneration
* fix: require OTP verification for account deletion when 2FA is enabled
* refactor: Improve code formatting and readability in TwoFactorController and UserController
- Reformatted code in TwoFactorController and UserController for better readability by aligning parameters and breaking long lines.
- Updated test cases in deleteUser.spec.js and TwoFactorController.spec.js to enhance clarity by formatting object parameters consistently.
* refactor: Consolidate OTP and backup code verification logic in TwoFactorController and UserController
- Introduced a new `verifyOTPOrBackupCode` function to streamline the verification process for TOTP tokens and backup codes across multiple controllers.
- Updated the `enable2FA`, `disable2FA`, and `deleteUserController` methods to utilize the new verification function, enhancing code reusability and readability.
- Adjusted related tests to reflect the changes in verification logic, ensuring consistent behavior across different scenarios.
- Improved error handling and response messages for verification failures, providing clearer feedback to users.
* chore: linting
* refactor: Update BackupCodesItem component to enhance OTP verification logic
- Consolidated OTP input handling by moving the 2FA verification UI logic to a more consistent location within the component.
- Improved the state management for OTP readiness, ensuring the regenerate button is only enabled when the OTP is ready.
- Cleaned up imports by removing redundant type imports, enhancing code clarity and maintainability.
* chore: lint
* fix: stage 2FA re-enrollment in pending fields to prevent disarmament window
enable2FA now writes to pendingTotpSecret/pendingBackupCodes instead of
overwriting the live fields. confirm2FA performs the atomic swap only after
the new TOTP code is verified. If the user abandons mid-flow, their
existing 2FA remains active and intact.
