Step-Up Codes
Three irreversible actions in the club admin panel require a 6-digit code emailed to your registered admin address before they execute. This protects against accidents (mis-clicks, shared logins) and against an attacker who has briefly stolen a session.
Which actions trigger a code
| Action | Where |
|---|---|
| Delete a round (and all its slot assignments) | Rounds tab → trash icon on a round card |
| Delete all shifts in a round | Shifts tab → "Delete all" button when filtered to a round |
| Delete all contacts | Contacts tab → "Delete all contacts" button |
Plenty of other actions (delete one shift, send invite, remove an admin) just use a confirm modal with no email code; only the bulk-delete actions need step-up.
What you'll see
- Click the destructive button. A red modal appears explaining what's about to happen.
- Type the literal word
DELETE(or the round/club name) into the box. The Continue button enables. - Click Continue. The modal switches to "We sent a code to ad@yourdomain.com*".
- Check your email inbox. Subject is
<6 digits> is your confirmation code. Open it. - Type the 6 digits into the modal's code field. Click Confirm.
- The action runs.
Code lifecycle
- 6 digits, random.
- Stored in the database as a SHA-256 hash; the plain code only exists in your email.
- Valid for 5 minutes from issuance.
- Single use: once you've used it, replaying the same code is rejected.
- Bound to one action and one target: a code issued for "delete round 12" cannot be reused for "delete round 13" or "delete all contacts", even if it hasn't expired.
- Rate limited to 5 codes per session per 5 minutes (so an attacker can't request unlimited codes).
Master admin bypass
If you logged in with the master password (or via Cloudflare Access SSO at /admin), step-up codes are skipped. Master admins are already gated by SSO at the entry point; adding a second factor would just add friction without raising the security floor.
What if the email doesn't arrive
- Check spam.
- Confirm the email address shown in the modal (
ad***@yourdomain.com) is one you actually own. If not, log out: someone else may have a session as you. - Check the Email Setup tab and confirm SPF/DKIM are green; if your sending domain isn't verified, the code email may bounce.
- Code emails go via the system sender (
rosters@ngit.com.au) by default, so even unverified clubs should receive them. Whitelist that address. - Wait one minute and click "Resend code" in the modal. Each session can issue up to 5 codes per 5 minutes.
What if I mis-type the code
The modal shows "Confirmation code missing or invalid" and stays open. Re-type. The code you have is still valid until either expiry or 5 attempts have been made (whichever comes first).
If you've fully exhausted attempts or expiry, close the modal and start the destructive action again to issue a fresh code.
Why not require codes on every change
The cost-benefit doesn't work for low-impact actions. A wrong toggle on the accent colour is recoverable in 10 seconds; a wrong "delete all contacts" loses every email in your CRM. Step-up applies where the consequences are irreversible at scale.