Add rails encryption for totp - allow configuration of encryption secrets from env, or derive them from SECRET_KEY_BASE. Don't leak email address via web_authn, rate limit web_authn, escape oidc state value, require password for changing email address, allow settings the hmac secret for token prefix generation

app/controllers/profiles_controller.rb

@@ -19,13 +19,21 @@ class ProfilesController < ApplicationController
       else
         render :show, status: :unprocessable_entity
       end
-    else
-      # Updating email
+    elsif params[:user][:email_address].present?
+      # Updating email - requires current password (security: prevents account takeover)
+      unless @user.authenticate(params[:user][:current_password])
+        @user.errors.add(:current_password, "is required to change email")
+        render :show, status: :unprocessable_entity
+        return
+      end
+
       if @user.update(email_params)
         redirect_to profile_path, notice: "Email updated successfully."
       else
         render :show, status: :unprocessable_entity
       end
+    else
+      render :show, status: :unprocessable_entity
     end
   end