lib/rodauth/features/recovery_codes.rb in rodauth-2.6.0 vs lib/rodauth/features/recovery_codes.rb in rodauth-2.7.0

- old
+ new

@@ -32,10 +32,11 @@
  view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
  auth_value_method :add_recovery_codes_param, 'add'
  translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
  auth_value_method :auto_add_recovery_codes?, false
+ auth_value_method :auto_remove_recovery_codes?, false
  translatable_method :invalid_recovery_code_message, "Invalid recovery code"
  auth_value_method :recovery_codes_limit, 16
  auth_value_method :recovery_codes_column, :code
  auth_value_method :recovery_codes_id_column, :id
  translatable_method :recovery_codes_label, 'Recovery Code'
@@ -54,11 +55,10 @@
  auth_methods(
  :add_recovery_code,
  :can_add_recovery_codes?,
  :new_recovery_code,
  :recovery_code_match?,
- :recovery_codes
  )
  route(:recovery_auth) do |r|
  require_login
  require_account_session
@@ -211,10 +211,25 @@
  def _two_factor_remove_all_from_session
  two_factor_remove_session('recovery_code')
  super
  end
+ def after_otp_disable
+ super if defined?(super)
+ auto_remove_recovery_codes
+ end
+
+ def after_sms_disable
+ super if defined?(super)
+ auto_remove_recovery_codes
+ end
+
+ def after_webauthn_remove
+ super if defined?(super)
+ auto_remove_recovery_codes
+ end
+
  def new_recovery_code
  random_key
  end
  def recovery_codes_primary?
@@ -222,9 +237,15 @@
  end
  def auto_add_missing_recovery_codes
  if auto_add_recovery_codes?
  add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+ end
+ end
+
+ def auto_remove_recovery_codes
+ if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
+ recovery_codes_remove
  end
  end
  def _recovery_codes
  recovery_codes_ds.select_map(recovery_codes_column)
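Review bot: The new `auto_remove_recovery_codes?` setting in the first hunk has no comment and defaults to `false`, so with the default nothing in this diff deletes recovery codes when an account's last other second factor is removed. A line above it would help whoever configures the feature, e.g. `# When true, remove all recovery codes once none of totp/webauthn/sms_code remains set up; false leaves them in place.` Whether leftover codes can still authenticate on their own is decided outside this diff, so the comment should not claim more than that.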
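Review bot: Nothing in `after_otp_disable`, `after_sms_disable` or `after_webauthn_remove` pins that the factor just removed has already dropped out of `possible_authentication_methods` when `auto_remove_recovery_codes` runs. If that list is computed before the removal takes effect, or is cached for the request, the emptiness check would not fire for the last remaining factor and the codes would stay; that ordering is not visible in this hunk. A spec per factor that removes the only configured factor with `auto_remove_recovery_codes?` set to true and asserts no recovery codes remain would settle it. The callers of these hooks are outside the hunk.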
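Review bot: The factor list in `auto_remove_recovery_codes` is the literal `%w'totp webauthn sms_code'`, so any other second factor that `possible_authentication_methods` reports is not counted, and the codes would be deleted while that factor is still configured. Since `recovery_codes_remove` presumably deletes every code for the account, a wrong match here costs the user their fallback. I would add a comment on the literal, e.g. `# factors that recovery codes back up; extend when a new two-factor feature is added`, or hoist it into a frozen constant so there is a single place to update.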