Add user enrollment restriction logic for Email-based OTP

What does this MR do and why?

Introduces the Authn::EmailOtpEnrollment concern to determine whether users can modify their Email-based OTP enrollment and what restrictions apply.

It also introduces a new instance setting, require_minimum_email_based_otp_for_users_with_passwords, to the sign_in_restrictions jsonb column, allowing administrators to mandate Email-based OTP as a minimum requirement for users who authenticate with passwords.

The concern provides four key methods:

  • can_modify_email_otp_enrollment?: Returns whether the user can change their Email-based OTP setting
  • email_otp_enrollment_restriction: Returns the reason (if any) why Email-based OTP cannot be modified
  • has_mandatory_two_factor_policy?: Checks whether the instance or a group enforces 2FA
  • must_require_email_otp?: Determines if Email-based OTP is mandatory based on instance settings
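
The decision flow the four methods describe, as an added illustration that is not the MR's own Authn::EmailOtpEnrollment code: the Settings and User structs, the restriction symbols, and the precedence (an enforced 2FA policy is checked before the minimum-Email-OTP setting, and that setting only applies to password-authenticating users) are assumptions.

```ruby
# Hypothetical stand-in for the concern described in the MR.
# Assumed: field names on Settings/User, the restriction symbols and the precedence.
module EmailOtpEnrollmentPolicy
  # sign_in_restrictions stands in for the jsonb column; other fields are constructed.
  Settings = Struct.new(:require_two_factor_authentication, :sign_in_restrictions,
                        keyword_init: true)
  # password_authentication_enabled distinguishes password users from SSO-only users.
  User = Struct.new(:password_authentication_enabled, :group_enforces_two_factor, :settings,
                    keyword_init: true)

  MIN_EMAIL_OTP_KEY = 'require_minimum_email_based_otp_for_users_with_passwords'.freeze

  # Restriction reasons (assumed names) returned by email_otp_enrollment_restriction.
  RESTRICTION_MANDATORY_2FA = :mandatory_two_factor_policy
  RESTRICTION_MINIMUM_EMAIL_OTP = :minimum_email_otp_required

  # True when the instance or one of the user's groups enforces 2FA.
  def self.has_mandatory_two_factor_policy?(user)
    !!(user.settings.require_two_factor_authentication || user.group_enforces_two_factor)
  end

  # True when the admin setting is on and the user actually signs in with a password;
  # SSO-only users are outside the scope of the setting (assumption).
  def self.must_require_email_otp?(user)
    restrictions = user.settings.sign_in_restrictions || {}
    !!(restrictions.fetch(MIN_EMAIL_OTP_KEY, false) && user.password_authentication_enabled)
  end

  # Reason Email-based OTP cannot be modified, or nil when the user is free to change it.
  def self.email_otp_enrollment_restriction(user)
    return RESTRICTION_MANDATORY_2FA if has_mandatory_two_factor_policy?(user)
    return RESTRICTION_MINIMUM_EMAIL_OTP if must_require_email_otp?(user)

    nil
  end

  # The user may change the setting only when no restriction applies.
  def self.can_modify_email_otp_enrollment?(user)
    email_otp_enrollment_restriction(user).nil?
  end
end
```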

Part of issue: https://gitlab.com/gitlab-org/gitlab/-/issues/570173
