refactor: remove SSO settings page; consolidate SSO identity management under Security settings

- Removed the `Settings::SsoIdentitiesController` and views for a simplified user experience.
- Moved SSO identity management to the Security settings page (`Settings::SecuritiesController`).
- Updated locale keys and layout for the new structure.
- Fixed unlink protection warnings and adjusted redirection path.
- Cleaned up routes, helper methods, and redundant code.

app/components/UI/account/activity_date.html.erb

@@ -6,7 +6,7 @@
           <%= check_box_tag "#{date}_entries_selection",
                           class: ["checkbox checkbox--light hidden lg:block", "lg:hidden": entries.size == 0],
                           id: "selection_entry_#{date}",
-                          data: { 
+                          data: {
                             action: "bulk-select#toggleGroupSelection",
                             checkbox_toggle_target: "selectionEntry"
                           } %>

app/components/UI/account/activity_feed.html.erb

@@ -77,7 +77,7 @@
           <div class="pl-0.5 col-span-8 flex items-center gap-4">
             <%= check_box_tag "selection_entry",
                               class: "checkbox checkbox--light hidden lg:block",
-                              data: { 
+                              data: {
                                 action: "bulk-select#togglePageSelection",
                                 checkbox_toggle_target: "selectionEntry"
                               } %>

app/controllers/settings/securities_controller.rb

@@ -6,5 +6,6 @@ class Settings::SecuritiesController < ApplicationController
       [ "Home", root_path ],
       [ "Security", nil ]
     ]
+    @oidc_identities = Current.user.oidc_identities.order(:provider)
   end
 end

app/controllers/settings/sso_identities_controller.rb

@@ -3,20 +3,12 @@
 class Settings::SsoIdentitiesController < ApplicationController
   layout "settings"
 
-  def show
-    @oidc_identities = Current.user.oidc_identities.order(:provider)
-    @breadcrumbs = [
-      [ t("settings.nav.home"), root_path ],
-      [ t(".page_title"), nil ]
-    ]
-  end
-
   def destroy
     @identity = Current.user.oidc_identities.find(params[:id])
 
     # Prevent unlinking last identity if user has no password
     if Current.user.oidc_identities.count == 1 && Current.user.password_digest.blank?
-      redirect_to settings_sso_identities_path, alert: t(".cannot_unlink_last")
+      redirect_to settings_security_path, alert: t(".cannot_unlink_last")
       return
     end
 
@@ -30,6 +22,6 @@ class Settings::SsoIdentitiesController < ApplicationController
       request: request
     )
 
-    redirect_to settings_sso_identities_path, notice: t(".success", provider: provider_name)
+    redirect_to settings_security_path, notice: t(".success", provider: provider_name)
   end
 end

app/helpers/settings_helper.rb

@@ -6,7 +6,6 @@ module SettingsHelper
     { name: "Preferences", path: :settings_preferences_path },
     { name: "Profile Info", path: :settings_profile_path },
     { name: "Security", path: :settings_security_path },
-    { name: "Connected Accounts", path: :settings_sso_identities_path, condition: :has_sso_connections? },
     { name: "Billing", path: :settings_billing_path, condition: :not_self_hosted? },
     # Transactions section
     { name: "Categories", path: :categories_path },
@@ -82,8 +81,4 @@ module SettingsHelper
     def self_hosted_and_admin?
       self_hosted? && admin_user?
     end
-
-    def has_sso_connections?
-      Current.user&.oidc_identities&.exists? || AuthConfig.sso_providers.any?
-    end
 end

app/policies/sso_provider_policy.rb

@@ -34,6 +34,10 @@ class SsoProviderPolicy < ApplicationPolicy
     update?
   end
 
+  def test_connection?
+    user&.super_admin?
+  end
+
   class Scope < ApplicationPolicy::Scope
     def resolve
       if user&.super_admin?

app/views/accounts/show/_activity.html.erb

@@ -67,7 +67,7 @@
           <div class="pl-0.5 col-span-8 flex items-center gap-4">
             <%= check_box_tag "selection_entry",
                               class: "checkbox checkbox--light hidden lg:block",
-                              data: { 
+                              data: {
                                 action: "bulk-select#togglePageSelection",
                                 checkbox_toggle_target: "selectionEntry"
                               } %>

app/views/budget_categories/_budget_category.html.erb

@@ -6,7 +6,7 @@
     <% if budget_category.initialized? %>
       <%# Category Header with Status Badge %>
       <div class="flex items-center lg:justify-between gap-2 mb-3">
-        <div class="h-9 w-9 flex-shrink-0 group-hover:scale-105 transition-all duration-300 rounded-full flex justify-center items-center" 
+        <div class="h-9 w-9 flex-shrink-0 group-hover:scale-105 transition-all duration-300 rounded-full flex justify-center items-center"
               style="
                 background-color: color-mix(in oklab, <%= budget_category.category.color %> 10%, transparent);
                 border-color: color-mix(in oklab, <%= budget_category.category.color %> 10%, transparent);

app/views/categories/_badge_mobile.html.erb

@@ -11,4 +11,4 @@
       <%= icon category.lucide_icon, size: "sm", color: "current" %>
     <% end %>
   </span>
-</div>
+</div>

app/views/entries/_entry_group.html.erb

@@ -6,7 +6,7 @@
         <%= check_box_tag "#{date}_entries_selection",
                           class: ["checkbox checkbox--light hidden lg:block", "lg:hidden": entries.size == 0],
                           id: "selection_entry_#{date}",
-                          data: { 
+                          data: {
                             action: "bulk-select#toggleGroupSelection",
                             checkbox_toggle_target: "selectionEntry"
                           } %>

app/views/import/configurations/_rule_import.html.erb

@@ -12,4 +12,3 @@
     <%= form.submit t("import.configurations.rule_import.process_button"), disabled: import.complete? %>
   <% end %>
 </div>
-

app/views/pages/dashboard/_outflows_donut.html.erb

@@ -78,7 +78,7 @@
                   action: "mouseenter->donut-chart#highlightSegment mouseleave->donut-chart#unhighlightSegment"
                 } do %>
               <div class="flex items-center gap-3 flex-1 min-w-0">
-                <div class="h-6 w-6 flex-shrink-0 group-hover:scale-105 transition-all duration-300 rounded-full flex justify-center items-center" 
+                <div class="h-6 w-6 flex-shrink-0 group-hover:scale-105 transition-all duration-300 rounded-full flex justify-center items-center"
                   style="
                     background-color: color-mix(in oklab, <%= category[:color] %> 10%, transparent);
                     border-color: color-mix(in oklab, <%= category[:color] %> 10%, transparent);

app/views/recurring_transactions/index.html.erb

@@ -2,7 +2,7 @@
   <header class="flex justify-between items-center text-primary font-medium">
     <h1 class="text-xl"><%= t("recurring_transactions.title") %></h1>
     <div class="flex items-center gap-2">
-      <% unless @family.recurring_transactions_disabled? %>        
+      <% unless @family.recurring_transactions_disabled? %>
         <%= render DS::Menu.new do |menu| %>
           <% menu.with_item(
               variant: "button",

app/views/rules/index.html.erb

@@ -117,12 +117,12 @@
         </thead>
         <tbody class="divide-y divide-gray-100">
           <% @recent_runs.each do |run| %>
-            <tr class="<%= 'bg-red-50 theme-dark:bg-red-950/30' if run.failed? %>">
+            <tr class="<%= "bg-red-50 theme-dark:bg-red-950/30" if run.failed? %>">
               <td class="px-4 py-3 text-sm text-primary whitespace-nowrap">
                 <%= run.executed_at.strftime("%b %d, %Y %I:%M %p") %>
               </td>
               <td class="px-4 py-3 text-sm text-primary text-center">
-                <span class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium <%= run.execution_type == 'manual' ? 'bg-blue-50 text-blue-700 theme-dark:bg-blue-950/30 theme-dark:text-blue-400' : 'bg-purple-50 text-purple-700 theme-dark:bg-purple-950/30 theme-dark:text-purple-400' %>">
+                <span class="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium <%= run.execution_type == "manual" ? "bg-blue-50 text-blue-700 theme-dark:bg-blue-950/30 theme-dark:text-blue-400" : "bg-purple-50 text-purple-700 theme-dark:bg-purple-950/30 theme-dark:text-purple-400" %>">
                   <%= t("rules.recent_runs.execution_types.#{run.execution_type}") %>
                 </span>
               </td>

app/views/settings/llm_usages/show.html.erb

@@ -117,7 +117,7 @@
           </thead>
           <tbody class="divide-y divide-gray-100">
             <% @llm_usages.each do |usage| %>
-              <tr class="<%= 'bg-red-50 theme-dark:bg-red-950/30' if usage.failed? %>">
+              <tr class="<%= "bg-red-50 theme-dark:bg-red-950/30" if usage.failed? %>">
                 <td class="px-4 py-3 text-sm text-primary whitespace-nowrap">
                   <%= usage.created_at.strftime("%b %d, %Y %I:%M %p") %>
                 </td>

app/views/settings/providers/show.html.erb

@@ -26,7 +26,6 @@
     </turbo-frame>
   <% end %>
 
-
   <%= settings_section title: "Enable Banking (beta)", collapsible: true, open: false do %>
     <turbo-frame id="enable_banking-providers-panel">
       <%= render "settings/providers/enable_banking_panel" %>

app/views/settings/securities/show.html.erb

@@ -44,3 +44,58 @@
     </div>
   </div>
 <% end %>
+
+<% if @oidc_identities.any? || AuthConfig.sso_providers.any? %>
+  <%= settings_section title: t(".sso_title"), subtitle: t(".sso_subtitle") do %>
+    <% if @oidc_identities.any? %>
+      <div class="space-y-2">
+        <% @oidc_identities.each do |identity| %>
+          <div class="flex items-center justify-between bg-container p-4 shadow-border-xs rounded-lg">
+            <div class="flex items-center gap-3">
+              <div class="w-9 h-9 shrink-0 bg-surface rounded-full flex items-center justify-center">
+                <%= icon identity.provider_config&.dig(:icon) || "key", class: "w-5 h-5 text-secondary" %>
+              </div>
+              <div>
+                <p class="font-medium text-primary"><%= identity.provider_config&.dig(:label) || identity.provider.titleize %></p>
+                <p class="text-sm text-secondary"><%= identity.info&.dig("email") || t(".sso_no_email") %></p>
+                <p class="text-xs text-secondary">
+                  <%= t(".sso_last_used") %>:
+                  <%= identity.last_authenticated_at&.to_fs(:short) || t(".sso_never") %>
+                </p>
+              </div>
+            </div>
+            <% if @oidc_identities.count > 1 || Current.user.password_digest.present? %>
+              <%= render DS::Button.new(
+                text: t(".sso_disconnect"),
+                variant: "outline",
+                size: "sm",
+                href: settings_sso_identity_path(identity),
+                method: :delete,
+                confirm: CustomConfirm.new(
+                  title: t(".sso_confirm_title"),
+                  body: t(".sso_confirm_body", provider: identity.provider_config&.dig(:label) || identity.provider.titleize),
+                  btn_text: t(".sso_confirm_button"),
+                  destructive: true
+                )
+              ) %>
+            <% end %>
+          </div>
+        <% end %>
+      </div>
+      <% if @oidc_identities.count == 1 && Current.user.password_digest.blank? %>
+        <div class="mt-4 p-3 bg-amber-50 border border-amber-200 rounded-lg">
+          <div class="flex items-start gap-2">
+            <%= icon "alert-triangle", class: "w-5 h-5 text-amber-600 shrink-0 mt-0.5" %>
+            <p class="text-sm text-amber-800"><%= t(".sso_warning_message") %></p>
+          </div>
+        </div>
+      <% end %>
+    <% else %>
+      <div class="text-center py-6">
+        <%= icon "link", class: "w-12 h-12 mx-auto text-secondary mb-3" %>
+        <p class="text-secondary"><%= t(".sso_no_identities") %></p>
+        <p class="text-sm text-secondary mt-2"><%= t(".sso_connect_hint") %></p>
+      </div>
+    <% end %>
+  <% end %>
+<% end %>

app/views/settings/sso_identities/show.html.erb

@@ -1,59 +0,0 @@
-<%= content_for :page_title, t(".page_title") %>
-
-<%= settings_section title: t(".identities_title"), subtitle: t(".identities_subtitle") do %>
-  <% if @oidc_identities.any? %>
-    <div class="space-y-2">
-      <% @oidc_identities.each do |identity| %>
-        <div class="flex items-center justify-between bg-container p-4 shadow-border-xs rounded-lg">
-          <div class="flex items-center gap-3">
-            <div class="w-9 h-9 shrink-0 bg-surface rounded-full flex items-center justify-center">
-              <%= icon identity.provider_config&.dig(:icon) || "key", class: "w-5 h-5 text-secondary" %>
-            </div>
-            <div>
-              <p class="font-medium text-primary"><%= identity.provider_config&.dig(:label) || identity.provider.titleize %></p>
-              <p class="text-sm text-secondary"><%= identity.info&.dig("email") || t(".no_email") %></p>
-              <p class="text-xs text-secondary">
-                <%= t(".last_used") %>:
-                <%= identity.last_authenticated_at&.to_fs(:short) || t(".never") %>
-              </p>
-            </div>
-          </div>
-          <% if @oidc_identities.count > 1 || Current.user.password_digest.present? %>
-            <%= render DS::Button.new(
-              text: t(".disconnect"),
-              variant: "outline",
-              size: "sm",
-              href: settings_sso_identity_path(identity),
-              method: :delete,
-              confirm: CustomConfirm.new(
-                title: t(".confirm_title"),
-                body: t(".confirm_body", provider: identity.provider_config&.dig(:label) || identity.provider.titleize),
-                btn_text: t(".confirm_button"),
-                destructive: true
-              )
-            ) %>
-          <% end %>
-        </div>
-      <% end %>
-    </div>
-  <% else %>
-    <div class="text-center py-6">
-      <%= icon "link", class: "w-12 h-12 mx-auto text-secondary mb-3" %>
-      <p class="text-secondary"><%= t(".no_identities") %></p>
-      <% if AuthConfig.sso_providers.any? %>
-        <p class="text-sm text-secondary mt-2"><%= t(".connect_hint") %></p>
-      <% end %>
-    </div>
-  <% end %>
-<% end %>
-
-<% if @oidc_identities.count == 1 && Current.user.password_digest.blank? %>
-  <%= settings_section title: t(".warning_title") do %>
-    <div class="p-3 bg-amber-50 border border-amber-200 rounded-lg">
-      <div class="flex items-start gap-2">
-        <%= icon "alert-triangle", class: "w-5 h-5 text-amber-600 shrink-0 mt-0.5" %>
-        <p class="text-sm text-amber-800"><%= t(".warning_message") %></p>
-      </div>
-    </div>
-  <% end %>
-<% end %>

app/views/shared/_demo_warning.html.erb

@@ -10,4 +10,3 @@
     </div>
   </div>
 </div>
-

app/views/simplefin_items/_simplefin_item.html.erb

@@ -125,8 +125,6 @@
           ) %>
         <% end %>
 
-
-
         <%= render DS::Menu.new do |menu| %>
           <% menu.with_item(
             variant: "button",
@@ -146,7 +144,6 @@
           <%= render "accounts/index/account_groups", accounts: simplefin_item.accounts %>
         <% end %>
 
-
         <%# Sync summary (collapsible)
             Prefer controller-provided map; fallback to latest sync stats so Turbo broadcasts
             can render the summary without requiring a full page refresh. %>

app/views/transactions/index.html.erb

@@ -63,7 +63,7 @@
             <div class="pl-0.5 col-span-8 flex items-center gap-4">
               <%= check_box_tag "selection_entry",
                                 class: "checkbox checkbox--light hidden lg:block",
-                                data: { 
+                                data: {
                                   action: "bulk-select#togglePageSelection",
                                   checkbox_toggle_target: "selectionEntry"
                                 } %>

config/locales/views/settings/en.yml

@@ -89,6 +89,23 @@ en:
     securities:
       show:
         page_title: Security
+        mfa_title: Two-Factor Authentication
+        mfa_description: Add an extra layer of security to your account by requiring a code from your authenticator app when signing in
+        enable_mfa: Enable 2FA
+        disable_mfa: Disable 2FA
+        disable_mfa_confirm: Are you sure you want to disable two-factor authentication?
+        sso_title: Connected Accounts
+        sso_subtitle: Manage your single sign-on account connections
+        sso_disconnect: Disconnect
+        sso_last_used: Last used
+        sso_never: Never
+        sso_no_email: No email
+        sso_no_identities: No SSO accounts connected
+        sso_connect_hint: Log out and sign in with an SSO provider to connect an account.
+        sso_confirm_title: Disconnect Account?
+        sso_confirm_body: Are you sure you want to disconnect your %{provider} account? You can reconnect it later by signing in with that provider again.
+        sso_confirm_button: Disconnect
+        sso_warning_message: This is your only login method. You should set a password in your security settings before disconnecting, otherwise you may be locked out of your account.
     settings_nav:
       accounts_label: Accounts
       advanced_section_title: Advanced

config/locales/views/settings/sso_identities/en.yml

@@ -1,22 +0,0 @@
----
-en:
-  settings:
-    sso_identities:
-      show:
-        page_title: "Connected Accounts"
-        identities_title: "SSO Connections"
-        identities_subtitle: "Manage your single sign-on account connections"
-        disconnect: "Disconnect"
-        last_used: "Last used"
-        never: "Never"
-        no_email: "No email"
-        no_identities: "No SSO accounts connected"
-        connect_hint: "Log out and sign in with an SSO provider to connect an account."
-        confirm_title: "Disconnect Account?"
-        confirm_body: "Are you sure you want to disconnect your %{provider} account? You can reconnect it later by signing in with that provider again."
-        confirm_button: "Disconnect"
-        warning_title: "Important"
-        warning_message: "This is your only login method. You should set a password in your security settings before disconnecting, otherwise you may be locked out of your account."
-      destroy:
-        success: "Successfully disconnected %{provider}"
-        cannot_unlink_last: "Cannot disconnect your only login method. Please set a password first."

config/routes.rb

@@ -91,7 +91,6 @@ Rails.application.routes.draw do
     end
     resource :billing, only: :show
     resource :security, only: :show
-    resource :sso_identities, only: :show
     resources :sso_identities, only: :destroy
     resource :api_key, only: [ :show, :new, :create, :destroy ]
     resource :ai_prompts, only: :show