npm - strapi-identity - Versions diffs - 0.1.2 → 0.3.0 - Mend

strapi-identity 0.1.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/README.md +2 -1
package/dist/admin/{AdminReset-H453s-DE.mjs → AdminReset-CCGgw-0k.mjs} +2 -2
package/dist/admin/{AdminReset-C0QibZXW.js → AdminReset-QClQP2Il.js} +2 -2
package/dist/admin/{ProfileToggle-BFmIWCrN.js → ProfileToggle-H31GHNDA.js} +299 -39
package/dist/admin/{ProfileToggle-DQeXCx34.mjs → ProfileToggle-gPuH6dGP.mjs} +299 -39
package/dist/admin/{SettingsPage-OwMik_IK.mjs → SettingsPage-DgPikS3m.mjs} +344 -102
package/dist/admin/{SettingsPage-DyF7YbsX.js → SettingsPage-DulEjadb.js} +343 -101
package/dist/admin/{ar-i2eiMZkz.js → ar-BYnI7Tsa.js} +36 -23
package/dist/admin/{ar-BXaam37U.mjs → ar-DwZqj0qM.mjs} +36 -23
package/dist/admin/{ca-DZ9DbEcQ.mjs → ca-aKVVc8iQ.mjs} +36 -23
package/dist/admin/{ca-BVpGzY8r.js → ca-sBRHuaFU.js} +36 -23
package/dist/admin/{cs-Gok16KLy.mjs → cs--prflMHS.mjs} +36 -23
package/dist/admin/{cs-_PZVkwt0.js → cs-gU7KP3Lx.js} +36 -23
package/dist/admin/de-BT25lv_6.mjs +49 -0
package/dist/admin/de-CrlCAUuf.js +49 -0
package/dist/admin/{dk-B7EOsAdU.js → dk-BNC3WUzY.js} +36 -23
package/dist/admin/{dk-CI64Xmli.mjs → dk-Ck3AQYU7.mjs} +36 -23
package/dist/admin/{en-B_vJwdfS.mjs → en-9qzlpde0.mjs} +36 -23
package/dist/admin/{en-D4KP9t1Y.js → en-DBj0AD5g.js} +36 -23
package/dist/admin/{es-CHwF7YK-.js → es-D5Sn41_H.js} +36 -23
package/dist/admin/{es-CqJcXo4j.mjs → es-lh6XoPb7.mjs} +36 -23
package/dist/admin/{eu-D-snytN8.mjs → eu-Cuz6ijBX.mjs} +36 -23
package/dist/admin/{eu-DvdbwE5E.js → eu-Qr3RvDPW.js} +36 -23
package/dist/admin/fr-C4pmkPYn.js +49 -0
package/dist/admin/fr-ChlDcZsG.mjs +49 -0
package/dist/admin/{gu-3wJbbAmw.mjs → gu-B6zyD1bW.mjs} +36 -23
package/dist/admin/{gu-D2LgVfMp.js → gu-BMZL76zM.js} +36 -23
package/dist/admin/{he-Bjv7eygt.mjs → he-C5V-qZCX.mjs} +36 -23
package/dist/admin/{he-DnhYpbvN.js → he-H6iBa45A.js} +36 -23
package/dist/admin/{hi-DDD2E3A3.js → hi-Be8rPk7I.js} +36 -23
package/dist/admin/{hi-CNiDezU7.mjs → hi-czhOWo6-.mjs} +36 -23
package/dist/admin/{hu-C1_YkZHU.js → hu-DKp6kOmc.js} +36 -23
package/dist/admin/{hu-aLaIWmGw.mjs → hu-NbZ3aiYV.mjs} +36 -23
package/dist/admin/{id-u3wVE6Rv.js → id-DO0bwFgY.js} +36 -23
package/dist/admin/{id-C8WRgGm1.mjs → id-NH9PvcR5.mjs} +36 -23
package/dist/admin/{index-BXZI8nMZ.js → index-C9K2h5UC.js} +65 -12
package/dist/admin/{index-D45I6rWF.mjs → index-C_4USMnn.mjs} +65 -12
package/dist/admin/index.js +1 -1
package/dist/admin/index.mjs +1 -1
package/dist/admin/{it-CjoRoJj1.mjs → it-Cmrey6tg.mjs} +36 -23
package/dist/admin/{it-CDw6dG9Z.js → it-Df6-7-M7.js} +36 -23
package/dist/admin/{ja-CewucIUY.mjs → ja-DH3KMqOL.mjs} +36 -23
package/dist/admin/{ja-CbMXy2ym.js → ja-HuAq9ZwT.js} +36 -23
package/dist/admin/{ko-D-kAxDtd.mjs → ko-DPN28RE8.mjs} +36 -23
package/dist/admin/{ko-BEtJPpfJ.js → ko-S9k8KA8K.js} +36 -23
package/dist/admin/{ml-0fR2_MmA.js → ml-Bh9GGqcW.js} +36 -23
package/dist/admin/{ml-DR3AaofF.mjs → ml-MsHNacm6.mjs} +36 -23
package/dist/admin/{ms-COHLS5e5.mjs → ms-TjHAaxTd.mjs} +36 -23
package/dist/admin/{ms-DLvuGSlk.js → ms-hO5YeEg4.js} +36 -23
package/dist/admin/{nl-wj6kn642.js → nl-BF98NBwL.js} +36 -23
package/dist/admin/{nl-DVtHsM2H.mjs → nl-BLILZU8-.mjs} +36 -23
package/dist/admin/{no-D_0yjyCy.mjs → no-BtVZ-siy.mjs} +36 -23
package/dist/admin/{no-DVBgWt8q.js → no-bl1OXlfa.js} +36 -23
package/dist/admin/{pl-C3GNxjVX.mjs → pl-DCSB6LwZ.mjs} +36 -23
package/dist/admin/{pl-B2ghisbC.js → pl-DCnOWIDw.js} +36 -23
package/dist/admin/{pt-BR-BbKV8YoX.mjs → pt-BR-CeLqmj88.mjs} +36 -23
package/dist/admin/{pt-BR-CfgNaB1-.js → pt-BR-D2_UrxTp.js} +36 -23
package/dist/admin/{pt-DKe8rRWa.js → pt-DIu8RT_X.js} +36 -23
package/dist/admin/{pt-z4K3cCjf.mjs → pt-fgjdOyW5.mjs} +36 -23
package/dist/admin/{ru-C85izLFa.mjs → ru-B_hlpAyP.mjs} +36 -23
package/dist/admin/{ru-BFSm68HC.js → ru-BccMCf0l.js} +36 -23
package/dist/admin/{sa-B1XoTTrE.mjs → sa-BtuJ_I1t.mjs} +36 -23
package/dist/admin/{sa-BOPaqylt.js → sa-D3A-fo85.js} +36 -23
package/dist/admin/{sk-C48lUPuC.mjs → sk-mmuTFlCK.mjs} +36 -23
package/dist/admin/{sk-Dd-S1612.js → sk-uSLC6KhO.js} +36 -23
package/dist/admin/{sv-BLma_kJl.mjs → sv-BlaHc5ax.mjs} +36 -23
package/dist/admin/{sv-lg64Cw78.js → sv-CuKk5tE-.js} +36 -23
package/dist/admin/{th-DPbm5NrX.js → th-Bv3NKkYO.js} +36 -23
package/dist/admin/{th-BJEu5n7q.mjs → th-BwyhFaeE.mjs} +36 -23
package/dist/admin/{tokenHelpers-jtoRu0q5.js → tokenHelpers-B54WRTn1.js} +4 -10
package/dist/admin/{tokenHelpers-DagDzpso.mjs → tokenHelpers-CKVyT1sz.mjs} +4 -10
package/dist/admin/{tr-DkIUODKq.mjs → tr-BLocNlbZ.mjs} +36 -23
package/dist/admin/{tr-Bm1QZr4v.js → tr-Bmvs-Hx-.js} +36 -23
package/dist/admin/{uk-FARzIGx4.js → uk-BDxn-EZU.js} +36 -23
package/dist/admin/{uk-D7ArtSe3.mjs → uk-CyZ10xtq.mjs} +36 -23
package/dist/admin/{vi-DS0yslPP.mjs → vi-Bx_UJ8up.mjs} +36 -23
package/dist/admin/{vi-Bi9B6eTY.js → vi-F_mqQCme.js} +36 -23
package/dist/admin/{zh-DkEx28ZA.js → zh-CFZJPG5N.js} +36 -23
package/dist/admin/{zh-DwCvIPSz.mjs → zh-CjJdRa3l.mjs} +36 -23
package/dist/admin/{zh-Hans-BwwKCR6_.js → zh-Hans-4BhSwSQw.js} +36 -23
package/dist/admin/{zh-Hans-DP2xZyda.mjs → zh-Hans-s7G2GUHU.mjs} +36 -23
package/dist/server/index.js +487 -50
package/dist/server/index.mjs +487 -50
package/package.json +5 -4
package/dist/admin/de-BuYn1AYX.mjs +0 -26
package/dist/admin/de-GItli7en.js +0 -26
package/dist/admin/fr-Bt6sS5GX.mjs +0 -26
package/dist/admin/fr-CbCW6hVD.js +0 -26

package/README.md CHANGED Viewed

@@ -7,6 +7,7 @@ Detailed Multi-Factor Authentication (MFA) plugin for Strapi v5+. Secure your St
 - **MFA Login Interception**: Seamlessly integrates with the default Strapi login flow.
 - **TOTP Compatibility**: Works with all major authenticator apps (Google Authenticator, Authy, 1Password, etc.).
 - **Recovery Codes**: Generates secure recovery codes for emergency access.
+- **Email Passcode**: Option to receive a one-time passcode via email as an alternative MFA method.
 - **Native UI Integration**:
   - Matches Strapi's design system.
   - Profile integration for easy setup.
@@ -114,5 +115,5 @@ Below is the implementation status of planned features.
 - [x] **Custom Issuer**: Configurable app label.
 - [x] **Multi-language Support**: i18n ready.
 - [x] **Admin Reset**: Allow super-admins to reset MFA for other users who lost access.
-- [ ] **Email Passcode**: Alternative MFA method via Email.
+- [x] **Email Passcode**: Alternative MFA method via Email.
 - [ ] **Enforced Mode**: Mandatory MFA for specific roles or all users.

package/dist/admin/{AdminReset-H453s-DE.mjs → AdminReset-CCGgw-0k.mjs} RENAMED Viewed

@@ -2,8 +2,8 @@ import { jsxs, Fragment, jsx } from "react/jsx-runtime";
 import { useState, useEffect } from "react";
 import { W as WarningAlert } from "./WarningAlert-VU011LVF.mjs";
 import { Box, Flex, Typography, Grid, Button } from "@strapi/design-system";
-import { g as getTranslation } from "./index-D45I6rWF.mjs";
-import { g as getToken } from "./tokenHelpers-DagDzpso.mjs";
+import { g as getTranslation } from "./index-C_4USMnn.mjs";
+import { g as getToken } from "./tokenHelpers-CKVyT1sz.mjs";
 import { useIntl } from "react-intl";
 const AdminReset = ({ id }) => {
   const { formatMessage } = useIntl();

package/dist/admin/{AdminReset-C0QibZXW.js → AdminReset-QClQP2Il.js} RENAMED Viewed

@@ -4,8 +4,8 @@ const jsxRuntime = require("react/jsx-runtime");
 const React = require("react");
 const WarningAlert = require("./WarningAlert-DFE5euMk.js");
 const designSystem = require("@strapi/design-system");
-const index = require("./index-BXZI8nMZ.js");
-const tokenHelpers = require("./tokenHelpers-jtoRu0q5.js");
+const index = require("./index-C9K2h5UC.js");
+const tokenHelpers = require("./tokenHelpers-B54WRTn1.js");
 const reactIntl = require("react-intl");
 const AdminReset = ({ id }) => {
   const { formatMessage } = reactIntl.useIntl();

package/dist/admin/{ProfileToggle-BFmIWCrN.js → ProfileToggle-H31GHNDA.js} RENAMED Viewed

@@ -4,10 +4,10 @@ const jsxRuntime = require("react/jsx-runtime");
 const React = require("react");
 const designSystem = require("@strapi/design-system");
 const styled = require("styled-components");
-const index = require("./index-BXZI8nMZ.js");
+const index = require("./index-C9K2h5UC.js");
 const qrcode_react = require("qrcode.react");
 const reactIntl = require("react-intl");
-const tokenHelpers = require("./tokenHelpers-jtoRu0q5.js");
+const tokenHelpers = require("./tokenHelpers-B54WRTn1.js");
 const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
 const styled__default = /* @__PURE__ */ _interopDefault(styled);
 function ConfirmModal({
@@ -124,11 +124,155 @@ function RemoveModal({ open, onOpenChange, onSubmit }) {
     ] })
   ] }) }) });
 }
+function EmailOTPModal({
+  mode,
+  open,
+  email,
+  onOpenChange,
+  onSuccess
+}) {
+  const { formatMessage } = reactIntl.useIntl();
+  const [step, setStep] = React.useState("send");
+  const [loading, setLoading] = React.useState(false);
+  const [error, setError] = React.useState(null);
+  const handleOpenChange = (nextOpen) => {
+    if (!nextOpen) {
+      setStep("send");
+      setError(null);
+    }
+    onOpenChange(nextOpen);
+  };
+  const handleSend = async () => {
+    const token = tokenHelpers.getToken();
+    setLoading(true);
+    setError(null);
+    try {
+      const endpoint = mode === "setup" ? "/strapi-identity/enable-email" : "/strapi-identity/disable-email/request";
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", authorization: `Bearer ${token}` }
+      });
+      const body = await response.json();
+      if (!response.ok) {
+        throw new Error(body.error || "Failed to send verification email");
+      }
+      setStep("confirm");
+    } catch (err) {
+      setError(err.message);
+    } finally {
+      setLoading(false);
+    }
+  };
+  const handleConfirm = async (e) => {
+    e.preventDefault();
+    const token = tokenHelpers.getToken();
+    const formData = new FormData(e.target);
+    const code = formData.get("otp");
+    setLoading(true);
+    setError(null);
+    try {
+      const endpoint = mode === "setup" ? "/strapi-identity/setup-email" : "/strapi-identity/disable";
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", authorization: `Bearer ${token}` },
+        body: JSON.stringify({ code })
+      });
+      const body = await response.json();
+      if (!response.ok) {
+        throw new Error(body.error || "Invalid or expired code");
+      }
+      handleOpenChange(false);
+      onSuccess();
+    } catch (err) {
+      setError(err.message);
+    } finally {
+      setLoading(false);
+    }
+  };
+  const title = mode === "setup" ? formatMessage({
+    id: index.getTranslation("email_otp.setup_title"),
+    defaultMessage: "Enable Email OTP"
+  }) : formatMessage({
+    id: index.getTranslation("email_otp.disable_title"),
+    defaultMessage: "Disable Email OTP"
+  });
+  return /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Root, { open, onOpenChange: handleOpenChange, children: /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Modal.Content, { children: [
+    /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Header, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Title, { children: title }) }),
+    step === "send" ? /* @__PURE__ */ jsxRuntime.jsxs(jsxRuntime.Fragment, { children: [
+      /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Body, { children: /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Flex, { direction: "column", alignItems: "center", gap: 4, marginTop: 4, marginBottom: 4, children: [
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textAlign: "center", children: mode === "setup" ? formatMessage(
+          {
+            id: index.getTranslation("email_otp.setup_description"),
+            defaultMessage: "We'll send a 6-digit verification code to {email}. Enter it to enable Email OTP."
+          },
+          { email: /* @__PURE__ */ jsxRuntime.jsx("strong", { children: email }) }
+        ) : formatMessage(
+          {
+            id: index.getTranslation("email_otp.disable_description"),
+            defaultMessage: "We'll send a 6-digit verification code to {email}. Enter it to disable Email OTP."
+          },
+          { email: /* @__PURE__ */ jsxRuntime.jsx("strong", { children: email }) }
+        ) }),
+        error ? /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { role: "alert", textColor: "danger600", textAlign: "center", children: error }) : null
+      ] }) }),
+      /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Modal.Footer, { children: [
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Close, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { variant: "tertiary", children: formatMessage({ id: "app.components.Button.cancel", defaultMessage: "Cancel" }) }) }),
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { onClick: handleSend, loading, children: formatMessage({
+          id: index.getTranslation("email_otp.send_code"),
+          defaultMessage: "Send verification email"
+        }) })
+      ] })
+    ] }) : /* @__PURE__ */ jsxRuntime.jsxs("form", { onSubmit: handleConfirm, children: [
+      /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Body, { children: /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Flex, { direction: "column", alignItems: "center", gap: 4, marginTop: 4, marginBottom: 4, children: [
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { textAlign: "center", children: formatMessage(
+          {
+            id: index.getTranslation("email_otp.confirm_description"),
+            defaultMessage: "Enter the 6-digit code sent to {email}."
+          },
+          { email: /* @__PURE__ */ jsxRuntime.jsx("strong", { children: email }) }
+        ) }),
+        /* @__PURE__ */ jsxRuntime.jsxs(index.InputOTP, { maxLength: 6, name: "otp", id: "otp", autoFocus: true, children: [
+          /* @__PURE__ */ jsxRuntime.jsxs(index.InputOTPGroup, { children: [
+            /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSlot, { index: 0 }),
+            /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSlot, { index: 1 }),
+            /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSlot, { index: 2 })
+          ] }),
+          /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSeparator, {}),
+          /* @__PURE__ */ jsxRuntime.jsxs(index.InputOTPGroup, { children: [
+            /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSlot, { index: 3 }),
+            /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSlot, { index: 4 }),
+            /* @__PURE__ */ jsxRuntime.jsx(index.InputOTPSlot, { index: 5 })
+          ] })
+        ] }),
+        error ? /* @__PURE__ */ jsxRuntime.jsx(designSystem.Typography, { role: "alert", textColor: "danger600", textAlign: "center", children: error }) : null,
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { variant: "ghost", type: "button", onClick: () => handleSend(), children: formatMessage({
+          id: index.getTranslation("email_otp.resend_code"),
+          defaultMessage: "Resend code"
+        }) })
+      ] }) }),
+      /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Modal.Footer, { children: [
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Modal.Close, { children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { variant: "tertiary", children: formatMessage({
+          id: "app.components.Button.cancel",
+          defaultMessage: "Cancel"
+        }) }) }),
+        /* @__PURE__ */ jsxRuntime.jsx(designSystem.Button, { type: "submit", loading, children: formatMessage({
+          id: "app.components.Button.confirm",
+          defaultMessage: "Confirm"
+        }) })
+      ] })
+    ] })
+  ] }) });
+}
 const ProfileToggle = () => {
   const { formatMessage } = reactIntl.useIntl();
   const [enabled, setEnabled] = React.useState(null);
+  const [mfaType, setMfaType] = React.useState(null);
   const [mfaEnabled, setMfaEnabled] = React.useState(false);
+  const [emailConfigured, setEmailConfigured] = React.useState(false);
+  const [userEmail, setUserEmail] = React.useState("");
   const [disableDialogOpen, setDisableDialogOpen] = React.useState(false);
+  const [emailSetupOpen, setEmailSetupOpen] = React.useState(false);
+  const [emailDisableOpen, setEmailDisableOpen] = React.useState(false);
   const [modalOpen, setModalOpen] = React.useState(false);
   const [uri, setUri] = React.useState(null);
   const [secret, setSecret] = React.useState(null);
@@ -140,6 +284,9 @@ const ProfileToggle = () => {
       setDisableDialogOpen(true);
       return;
     }
+    if (enable && enabled === "full" && mfaType === "email") {
+      return;
+    }
     try {
       const response = await fetch("/strapi-identity/enable", {
         method: "POST",
@@ -158,11 +305,25 @@ const ProfileToggle = () => {
       setUri(data?.uri || null);
       setSecret(data?.secret || null);
       setEnabled(enable ? "temp" : null);
+      if (enable) setMfaType("totp");
     } catch (error) {
       console.error(error);
       setEnabled(null);
     }
   };
+  const handleEmailToggle = ({ target }) => {
+    const enable = target?.checked || false;
+    if (!enable && enabled === "full" && mfaType === "email") {
+      setEmailDisableOpen(true);
+      return;
+    }
+    if (enable && enabled === "full") {
+      return;
+    }
+    if (enable) {
+      setEmailSetupOpen(true);
+    }
+  };
   const handleConfirm = async (e) => {
     e.preventDefault();
     const form = e.target;
@@ -187,6 +348,7 @@ const ProfileToggle = () => {
       setUri(null);
       setSecret(null);
       setEnabled("full");
+      setMfaType("totp");
     } catch (error) {
       console.error(error);
     }
@@ -218,6 +380,7 @@ const ProfileToggle = () => {
       setUri(null);
       setSecret(null);
       setEnabled(null);
+      setMfaType(null);
     } catch (error) {
       console.error(error);
     }
@@ -227,7 +390,7 @@ const ProfileToggle = () => {
     (async () => {
       const token = tokenHelpers.getToken();
       try {
-        const [status, enabled2] = await Promise.all([
+        const [statusRes, enabledRes, meRes] = await Promise.all([
           fetch("/strapi-identity/status", {
             method: "GET",
             headers: { "Content-Type": "application/json", authorization: `Bearer ${token}` },
@@ -237,18 +400,37 @@ const ProfileToggle = () => {
             method: "GET",
             headers: { "Content-Type": "application/json", authorization: `Bearer ${token}` },
             signal: ac.signal
+          }),
+          fetch("/admin/users/me", {
+            method: "GET",
+            headers: { "Content-Type": "application/json", authorization: `Bearer ${token}` },
+            signal: ac.signal
           })
         ]);
-        const statusBody = await status.json();
-        const enabledBody = await enabled2.json();
-        if (!status.ok) {
-          throw new Error(`${status.status} - ${statusBody.error || "Failed to set up MFA"}`);
+        const statusBody = await statusRes.json();
+        const enabledBody = await enabledRes.json();
+        if (!statusRes.ok) {
+          throw new Error(`${statusRes.status} - ${statusBody.error || "Failed to get MFA status"}`);
         }
-        if (!enabled2.ok) {
-          throw new Error(`${enabled2.status} - ${enabledBody.error || "Failed to get MFA config"}`);
+        if (!enabledRes.ok) {
+          throw new Error(`${enabledRes.status} - ${enabledBody.error || "Failed to get MFA config"}`);
         }
         setMfaEnabled(enabledBody.data);
         setEnabled(statusBody.data?.status || null);
+        setMfaType(statusBody.data?.type || null);
+        if (meRes.ok) {
+          const meBody = await meRes.json();
+          setUserEmail(meBody.data?.email || "");
+          const configRes = await fetch("/strapi-identity/config", {
+            method: "GET",
+            headers: { "Content-Type": "application/json", authorization: `Bearer ${token}` },
+            signal: ac.signal
+          });
+          if (configRes.ok) {
+            const configBody = await configRes.json();
+            setEmailConfigured(!!configBody.data?.email_enabled);
+          }
+        }
       } catch (error) {
         if (error.name === "AbortError") return;
         console.error("Failed to fetch MFA status:", error);
@@ -257,6 +439,10 @@ const ProfileToggle = () => {
     return () => ac.abort();
   }, []);
   if (!mfaEnabled) return null;
+  const totpChecked = enabled !== null && mfaType === "totp";
+  const emailChecked = enabled !== null && mfaType === "email";
+  const totpDisabled = enabled !== null && mfaType === "email";
+  const emailDisabled = enabled !== null && mfaType === "totp";
   return /* @__PURE__ */ jsxRuntime.jsxs(jsxRuntime.Fragment, { children: [
     /* @__PURE__ */ jsxRuntime.jsx(
       designSystem.Box,
@@ -279,36 +465,78 @@ const ProfileToggle = () => {
               defaultMessage: "Add an additional layer of security to your account."
             }) })
           ] }),
-          /* @__PURE__ */ jsxRuntime.jsx(designSystem.Grid.Root, { tag: "div", gap: 5, children: /* @__PURE__ */ jsxRuntime.jsx(designSystem.Grid.Item, { col: 6, s: 12, alignItems: "stretch", children: /* @__PURE__ */ jsxRuntime.jsxs(
-            designSystem.Field.Root,
-            {
-              width: "100%",
-              name: "two-factor-authentication",
-              id: "two-factor-authentication",
-              children: [
-                /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Label, { children: formatMessage({
-                  id: index.getTranslation("profile.toggle_label"),
-                  defaultMessage: "Enable Two-Factor Authentication"
-                }) }),
-                /* @__PURE__ */ jsxRuntime.jsx(
-                  designSystem.Toggle,
-                  {
-                    offLabel: formatMessage({
-                      id: "app.components.ToggleCheckbox.off-label",
-                      defaultMessage: "False"
-                    }),
-                    onLabel: formatMessage({
-                      id: "app.components.ToggleCheckbox.on-label",
-                      defaultMessage: "True"
-                    }),
-                    checked: enabled !== null,
-                    onChange: handleToggle
-                  }
-                ),
-                /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Hint, {})
-              ]
-            }
-          ) }) })
+          /* @__PURE__ */ jsxRuntime.jsxs(designSystem.Grid.Root, { tag: "div", gap: 5, children: [
+            /* @__PURE__ */ jsxRuntime.jsx(designSystem.Grid.Item, { col: 6, s: 12, alignItems: "stretch", children: /* @__PURE__ */ jsxRuntime.jsxs(
+              designSystem.Field.Root,
+              {
+                width: "100%",
+                name: "two-factor-authentication",
+                id: "two-factor-authentication",
+                hint: totpDisabled ? formatMessage({
+                  id: index.getTranslation("profile.totp_disabled_hint"),
+                  defaultMessage: "Disable Email OTP first to enable the authenticator app."
+                }) : void 0,
+                children: [
+                  /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Label, { children: formatMessage({
+                    id: index.getTranslation("profile.toggle_label"),
+                    defaultMessage: "Enable Two-Factor Authentication"
+                  }) }),
+                  /* @__PURE__ */ jsxRuntime.jsx(
+                    designSystem.Toggle,
+                    {
+                      offLabel: formatMessage({
+                        id: "app.components.ToggleCheckbox.off-label",
+                        defaultMessage: "False"
+                      }),
+                      onLabel: formatMessage({
+                        id: "app.components.ToggleCheckbox.on-label",
+                        defaultMessage: "True"
+                      }),
+                      checked: totpChecked,
+                      onChange: handleToggle,
+                      disabled: totpDisabled
+                    }
+                  ),
+                  /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Hint, {})
+                ]
+              }
+            ) }),
+            emailConfigured && /* @__PURE__ */ jsxRuntime.jsx(designSystem.Grid.Item, { col: 6, s: 12, alignItems: "stretch", children: /* @__PURE__ */ jsxRuntime.jsxs(
+              designSystem.Field.Root,
+              {
+                width: "100%",
+                name: "email-otp",
+                id: "email-otp",
+                hint: emailDisabled ? formatMessage({
+                  id: index.getTranslation("profile.email_otp_disabled_hint"),
+                  defaultMessage: "Disable the authenticator app first to enable Email OTP."
+                }) : void 0,
+                children: [
+                  /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Label, { children: formatMessage({
+                    id: index.getTranslation("profile.email_otp_label"),
+                    defaultMessage: "Enable Email OTP"
+                  }) }),
+                  /* @__PURE__ */ jsxRuntime.jsx(
+                    designSystem.Toggle,
+                    {
+                      offLabel: formatMessage({
+                        id: "app.components.ToggleCheckbox.off-label",
+                        defaultMessage: "False"
+                      }),
+                      onLabel: formatMessage({
+                        id: "app.components.ToggleCheckbox.on-label",
+                        defaultMessage: "True"
+                      }),
+                      checked: emailChecked,
+                      onChange: handleEmailToggle,
+                      disabled: emailDisabled
+                    }
+                  ),
+                  /* @__PURE__ */ jsxRuntime.jsx(designSystem.Field.Hint, {})
+                ]
+              }
+            ) })
+          ] })
         ] })
       }
     ),
@@ -330,6 +558,38 @@ const ProfileToggle = () => {
         onOpenChange: setDisableDialogOpen,
         onSubmit: handleDisable
       }
+    ),
+    /* @__PURE__ */ jsxRuntime.jsx(
+      EmailOTPModal,
+      {
+        mode: "setup",
+        open: emailSetupOpen,
+        email: userEmail,
+        onOpenChange: (open) => {
+          if (!open) setEmailSetupOpen(false);
+        },
+        onSuccess: () => {
+          setEnabled("full");
+          setMfaType("email");
+          setEmailSetupOpen(false);
+        }
+      }
+    ),
+    /* @__PURE__ */ jsxRuntime.jsx(
+      EmailOTPModal,
+      {
+        mode: "disable",
+        open: emailDisableOpen,
+        email: userEmail,
+        onOpenChange: (open) => {
+          if (!open) setEmailDisableOpen(false);
+        },
+        onSuccess: () => {
+          setEnabled(null);
+          setMfaType(null);
+          setEmailDisableOpen(false);
+        }
+      }
     )
   ] });
 };