What is Re-authentication?

Asking for a fresh 6-digit email code before irreversible actions - even if the user is already signed in. Also called step-up auth.

Definition

Re-authentication (or step-up authentication) is the pattern of asking a user to prove their identity a second time, using a different factor, specifically for sensitive operations. A user may already be signed in with a valid session - that's enough to view data - but cancelling a subscription, deleting a resource, or changing security settings requires an additional, fresh credential.

The goal is to reduce the blast radius of a compromised session cookie. Cookie theft via XSS, malware, or a stolen device is realistic even on well-designed apps. Step-up auth turns "full account access" into "read-only access" for the class of attacker who has the cookie but not ongoing access to the email inbox or authenticator.

The re-auth factor should be (a) fresh (not reusable across sessions), (b) short-lived (5-10 minutes typical), (c) tied to the specific action being authorized, and (d) sourced from a channel different from the session itself (email or SMS to a pre-registered destination, TOTP code, hardware key).

How SheetLinkWP relates to Re-authentication

SheetLinkWP's portal requires re-authentication for every destructive action: cancel addon, cancel MRR plan, deactivate client site, disable 2FA, change IP lock mode, add or rotate a subscription-change webhook.

The flow: the user clicks a destructive button. The portal emails a 6-digit code to their account address and prompts them to enter it. On success, the backend issues a single-use reauthToken tied to the current session (5-minute TTL). The frontend attaches the token to the destructive request body; the backend consumes and deletes it on success. Even if an attacker has the session cookie, without the email code they cannot perform any of these actions.

Both steps are rate-limited: 5 code-send requests per session per hour, and 10 code-entry attempts per session per hour.
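The flow and limits described above, written out as an added Python sketch. This is illustration code, not SheetLinkWP's own implementation: an in-memory dictionary stands in for the database, the 6-digit code is returned to the caller instead of being emailed, time is passed in explicitly so the example runs offline, and the 10-minute code lifetime (CODE_TTL) is an assumption the page does not state. The 5-minute token TTL, the per-session rate limits, and the single-use, session-bound token follow the text.

```python
"""Step-up (re-authentication) flow: emailed code -> single-use reauth token.

Added illustration, not SheetLinkWP's code. Assumed: in-memory storage, the
code is returned rather than emailed, and CODE_TTL (the page gives no value).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL = 10 * 60      # seconds the emailed code stays valid (assumed)
TOKEN_TTL = 5 * 60      # single-use reauthToken lifetime (5 minutes, per the text)
SEND_LIMIT = 5          # code-send requests per session per hour
ATTEMPT_LIMIT = 10      # code-entry attempts per session per hour
WINDOW = 60 * 60        # rate-limit window in seconds


def _digest(value: str) -> str:
    # Persist only a hash of the code so a database read cannot leak live codes.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingCode:
    code_hash: str
    action: str
    expires_at: float


@dataclass
class ReauthToken:
    session_id: str
    action: str
    expires_at: float


@dataclass
class ReauthService:
    pending: dict = field(default_factory=dict)   # session_id -> PendingCode
    tokens: dict = field(default_factory=dict)    # token -> ReauthToken
    sends: dict = field(default_factory=dict)     # session_id -> [timestamps]
    attempts: dict = field(default_factory=dict)  # session_id -> [timestamps]

    def _within_limit(self, log: dict, session_id: str, limit: int, now: float) -> bool:
        # Sliding one-hour window per session; a blocked call is not recorded.
        recent = [t for t in log.get(session_id, []) if now - t < WINDOW]
        if len(recent) >= limit:
            log[session_id] = recent
            return False
        recent.append(now)
        log[session_id] = recent
        return True

    def request_code(self, session_id: str, action: str, now: float):
        """Step 1: the destructive button is clicked; a fresh code is generated.
        Returns the code (emailed in a real deployment) or None when the
        per-session send limit is exhausted."""
        if not self._within_limit(self.sends, session_id, SEND_LIMIT, now):
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000-999999
        # A new request replaces any earlier code for this session.
        self.pending[session_id] = PendingCode(_digest(code), action, now + CODE_TTL)
        return code

    def verify_code(self, session_id: str, action: str, code: str, now: float):
        """Step 2: the code is entered; on success a single-use token is issued,
        bound to this session and to the action that was requested."""
        if not self._within_limit(self.attempts, session_id, ATTEMPT_LIMIT, now):
            return None
        pending = self.pending.get(session_id)
        if pending is None or now >= pending.expires_at or pending.action != action:
            return None
        if not hmac.compare_digest(pending.code_hash, _digest(code)):
            return None
        del self.pending[session_id]        # the code itself is consumed on success
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ReauthToken(session_id, action, now + TOKEN_TTL)
        return token

    def consume_token(self, session_id: str, action: str, token: str, now: float) -> bool:
        """Step 3: the destructive request carries the token; it is accepted only
        for the same session and action, before expiry, and is deleted on success."""
        entry = self.tokens.get(token)
        if entry is None or now >= entry.expires_at:
            self.tokens.pop(token, None)    # unknown or expired: nothing to keep
            return False
        if entry.session_id != session_id or entry.action != action:
            return False
        del self.tokens[token]
        return True


def demo() -> dict:
    """Run the flow once and report the outcome of each security check."""
    svc, sid, action, t0 = ReauthService(), "sess-A", "cancel_addon", 1_000.0
    code = svc.request_code(sid, action, t0)
    wrong = "000001" if code == "000000" else "000000"   # guaranteed mismatch
    bad = svc.verify_code(sid, action, wrong, t0 + 1)
    token = svc.verify_code(sid, action, code, t0 + 2)
    results = {
        "wrong_code_rejected": bad is None,
        "token_issued": token is not None,
        # A stolen token presented from a different session fails.
        "other_session_rejected": not svc.consume_token("sess-B", action, token, t0 + 3),
        # A token for one action does not authorize another destructive action.
        "other_action_rejected": not svc.consume_token(sid, "disable_2fa", token, t0 + 3),
        "action_authorized": svc.consume_token(sid, action, token, t0 + 4),
        "replay_rejected": not svc.consume_token(sid, action, token, t0 + 5),
        "code_reuse_rejected": svc.verify_code(sid, action, code, t0 + 6) is None,
    }
    code2 = svc.request_code(sid, action, t0 + 10)
    token2 = svc.verify_code(sid, action, code2, t0 + 11)
    results["expired_token_rejected"] = not svc.consume_token(sid, action, token2, t0 + 11 + TOKEN_TTL)
    for i in range(3):                                 # sends so far: 2, now 5
        svc.request_code(sid, action, t0 + 20 + i)
    results["sixth_send_blocked"] = svc.request_code(sid, action, t0 + 30) is None
    results["send_allowed_after_window"] = svc.request_code(sid, action, t0 + 30 + WINDOW) is not None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two design points worth noting: the token is bound to the action as well as the session, so a code requested to cancel an addon cannot be redirected into disabling 2FA, and a failed send or entry attempt is counted before any secret is compared, so guessing is throttled regardless of outcome.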

See SheetLinkWP in action

Lifetime deals start at $39. One-time payment, no recurring fees.