fix(personal-settings): allow non-email MFA without email service #5942

Open
syedmazharaliraza wants to merge 1 commit into Infisical:main from syedmazharaliraza:fix/mfa-email-config-only

@syedmazharaliraza
Contributor

Context

Previously, enabling MFA was blocked whenever email service was not configured, even if the user selected non-email MFA methods like Mobile Authenticator (TOTP) or Passkey (WebAuthn).

This change updates the guard so email configuration is only required when the selected MFA method is Email.

Before

  • Enable MFA failed when SMTP/email service was not configured.
  • This failure also happened for TOTP and Passkey, which do not require email delivery.

After

  • Enable MFA works without email service when selected method is:
      • Mobile Authenticator (TOTP)
      • Passkey (WebAuthn)
  • Email service is required only when selected method is Email.

Screen recordings

Before: Screen.Recording.2026-04-04.at.9.36.26.PM.mov
After: Screen.Recording.2026-04-04.at.9.39.40.PM.mov

Steps to verify the change

  1. Run the app with email service not configured.
  2. Go to Personal Settings -> Authentication.
  3. Try enabling MFA with method Email.
  4. Confirm the email setup modal/blocking behavior still appears.
  5. Switch method to Mobile Authenticator (TOTP) and enable MFA.
  6. Confirm MFA enable flow proceeds (no email-config block).
  7. Switch method to Passkey (WebAuthn) and enable MFA.
  8. Confirm MFA enable flow proceeds (no email-config block).

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@maidul98
Collaborator

maidul98 commented Apr 4, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine: Open Source Security | Critical: 0 | High: 0 | Medium: 0 | Low: 0 | Total: 0 issues

@greptile-apps
Contributor

greptile-apps bot commented Apr 4, 2026

Greptile Summary

This PR fixes a frontend guard in MFASection.tsx that was incorrectly blocking all MFA enablement when SMTP was not configured, even for methods like TOTP and WebAuthn that don't require email delivery. The fix adds a selectedMfaMethod === MfaMethod.EMAIL condition so the email-setup modal only appears when the user specifically selects the Email MFA method.

Confidence Score: 5/5

Safe to merge — the change is a minimal, correct tightening of a frontend guard with no security implications.

Single-line logic fix with clear intent and no P0/P1 findings. The backend has no corresponding email-configuration check, confirming the restriction was purely a frontend over-guard. All three MFA method paths (Email, TOTP, WebAuthn) behave correctly after the fix.

No files require special attention.

Important Files Changed

Filename: frontend/src/pages/user/PersonalSettingsPage/components/SecuritySection/MFASection.tsx
Overview: Adds formData.selectedMfaMethod === MfaMethod.EMAIL to the email-configured guard in handleSaveChanges, correctly scoping the restriction to only block email-based MFA when SMTP is not set up.

Reviews (1): Last reviewed commit: "fix: allow non-email MFA without email s..."
