Current section: Two-Factor Authentication Check 6 exercises

Intro to Two-Factor Authentication Check

00:00 sometimes your users want to do destructive operations that kind of require an extra sense of like, hey, let's make sure that you're like totally positive that you wanna do this. And so we're going to, and also not only that you want to do this, but that you are who you say you are, that like the user didn't just get up and walk away, right?

00:19 So that when they have two-factor authentication enabled, they probably are security minded and probably would appreciate us double checking when we wanna do a destructive operation like changing the email address or disabling two-factor authentication. And that's the case here. So when I click on disable two-factor authentication,

00:38 we want to re-verify our account before we proceed. And then once we do that with our one-factor authentication code or two-factor authentication code, I can actually disable two-factor auth. And so this flow is an important thing to consider.

00:56 And so here, if you recall, we've got our user and server through the enable flow and then login flow. And now right here, the user says, hey, actually I wanna disable two-factor auth or maybe they want to change their email or maybe they want to do any number of other destructive operations.

01:12 And so if it's been a while since they re-verified or since they entered their two-factor auth code, then we want to re-verify. So we don't wanna just say, oh, we'll always just have them give us their two-factor auth code when they're doing this destructive operation. No, really, that would be super annoying. I just barely logged in.

01:30 I just barely gave you this two-factor auth code. Like, why are you asking me again? So we need to keep track of when was the last time they gave us that two-factor auth code. And if it has been long enough since they did that, then we want to re-verify and send them through that re-verification flow. They submit the code, we verify that it's correct.

01:48 And then they can now actually disable the two-factor auth. And then we can delete the two-factor authentication and send them back to a successful message. So in this exercise, you're first going to just let them delete it, but then we're going to add the capability

02:07 of keeping track of when the last time was that they verified their account or verified their session. And that is gonna be a little bit more tricky than you might think. And then we're going to make sure that they have recently re-verified their account

02:24 or their session before we let them perform the operation. And then we'll let them perform the operation. Unfortunately, this re-verification process is gonna have an interesting implication on the expiration of our cookie. So we're gonna have to deal with that too. So there's a lot to this one. I think it's gonna be a lot of fun for you. And when you're done,

02:44 you're really gonna understand this stuff. So have at it and have a good time doing it.