feat(2fa): Added a resend code link to sms 2fa page

[lauryndbrown]

Add a link to the sms two-factor authentication page to resend code for the case the user does not have their phone immediately handy before the time limit is up.

[lauryndbrown]

[benvinegar]

Is there a way to do this without inline JavaScript? Like, could we just link to href="" (I can't remember if that works or not) or even do a <form> post?

Reason I ask is that, for security reasons (see: CSP), we may come back and eliminate all inline JavaScript code.

[mattrobenolt]

Oh. Derp. Not sure why I didn’t think of that. Yeah, we can just use a link to “” should be fine to trigger a refresh.

[lauryndbrown]

@mattrobenolt and @benvinegar so my concern with href="" is that it will resort to cached information from the browser and not generate a new code. Is there a way to do that without letting it used saved data?

Looks like it does grab a new code after the last expires. So if you click the link too quickly it will give the same code. But at least on my browser it seems to be ok. Do there happen to be any docs on href="" behavior?

[mattrobenolt]

I don’t think our cache-control headers would allow that to actually happen. If we think this might actually happen for some reason, we could easily just use a cache busting token. Like, append a random querystring value.

[lauryndbrown]

Ah! Ok. Gotcha. Sounds like this will work just fine then.

[benvinegar]

Aside: just GET-ing a page triggers an SMS? Shouldn't that be a POST or PUT or something else.

[mattrobenolt]

Yeah, when this page is loaded, we send the SMS. This is current behavior, but we can address changing it somehow later if we want.

[benvinegar]

Let's address afterwards. I'd expect a <form> POST to trigger the SMS followed by a redirect to this view (so people can't accidentally refresh). Clicking "resend" should initiate the POST/redirect flow again.

[lauryndbrown]

@mattrobenolt is this ok to merge or are there more changes needed?

[mattrobenolt]

🎉