Skip to content

Settings

Per-user security settings — two-factor authentication, push notifications, and active sessions.

Scope

The Settings route hosts only per-user security preferences today. System-wide configuration (approval policies, integrations, currencies, cities) is on the Admin console (docs/features/admin.md). Finance-specific settings are under Finance → Settings.

Pages

  • src/pages/settings/SecuritySettings.tsx — single page mounted at /settings/security.

Route (src/App.tsx:183):

<Route path="/settings/security"
  element={<ProtectedRoute allowedRoles={['admin', 'staff', 'agent', 'customer']}>
    <SecuritySettings />
  </ProtectedRoute>} />

Open to all authenticated tiers

This is the only back-office page explicitly allowed for customer and agent roles, since 2FA and session management must be self-service for portal users too.

What's configurable

Two-Factor Authentication

Three knobs:

  1. Enable 2FA — toggle twoFactorEnabled via PATCH /auth/2fa/settings.
  2. Verification methodemail (code to the user's email) or whatsapp (code to registered phone).
  3. Fallback — during login, if the primary method fails, users can switch to the other method after 30 seconds (documented inline on the page).

Server route: src/lib/api.ts:2617 (status) / :2637 (settings).

Migration dependency

If the 2FA migration has not been applied, GET /auth/2fa/settings 404s and the page silently renders as "disabled". See the try/catch around the initial load in SecuritySettings.tsx:29.

Push Notifications

Wrapped in PushNotificationsCard (same file, line 193). Uses the usePushNotifications hook (src/hooks/usePushNotifications.ts).

  • Per-device subscription — enabling on laptop A does not enable on phone B.
  • Delivers: booking approval pings, finance decisions, visa status changes.
  • Blocked when permission === 'denied' — user must re-allow in browser settings.

Backend push delivery is done by the push-send Supabase Edge Function (invoked from src/pages/communications/Communications.tsx:72). VAPID keys are stored in Supabase secrets.

Active Sessions

Rendered by ActiveSessionsPanel (src/components/account/ActiveSessionsPanel.tsx). Lists currently-authenticated sessions and lets the user revoke them individually or all-at-once.

Permissions

Action Permission Enforcement
View /settings/security None beyond login Route uses allowedRoles, not a matrix permission
Toggle own 2FA Owner-scoped (user on their own record) Server checks auth.uid() === target user
Subscribe / unsubscribe push Owner-scoped Same
Revoke own session Owner-scoped Same

No settings.view permission

There is no per-module settings permission today. Add one only if we surface cross-tenant settings in the future.

  • Admin integration toggles (email, WhatsApp, SMS) → docs/features/admin.md.
  • Finance settings (GST, invoice numbering, period locks) → docs/features/finance/index.md.