pub async fn disable_mfa(
db: &Db,
target_user_id: i64,
) -> Result<DisableMfaOutcome>Expand description
Clear every MFA column on the target user, delete every backup- code row, revoke every session for the user.
Session-revocation scope. DESIGN_R4_EMERGENCY.md §7 calls
for revoking only sessions with trust_level = 'mfa_verified'
(other sessions stay valid). The current SessionTarget enum
has no trust-level filter; rather than introduce a new variant
in commit #3, this function revokes ALL of the target’s sessions
via SessionTarget::User. The over-broad revoke is conservative
— every revoked session forces a fresh login that picks up the
post-disable MFA state cleanly. A future
SessionTarget::UserWithTrustLevel variant could narrow this
without changing the function’s caller contract.
Atomic: the column clear + backup-code DELETE land in one transaction. Session revocation runs after commit.