Patrick stumbled across a bug in the 2FA flow:
It seems you’re able to enable 2FA without number/email confirmation if I’ve started the recovery link method setup (email/phone). Confirmation isn’t required, only that you’ve sent a recovery link with a code. I think it’s not checking for a “confirmed” recovery method before deploying the multisig contract in the contract helper.
Discovered that the response in the 2FA flow from the contract helper was hard-coded to confirmed: true even if the matched 2FA method was not yet actually confirmed (it still has a securityCode value).
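
The check described above, sketched as an added example (not the contract helper's own code): the status response derives confirmed from the stored record, and the multisig deployment step refuses a method that still holds a securityCode. Only `confirmed` and `securityCode` come from the report; the record layout, function names and sample accounts are assumptions made for illustration.

```javascript
// Constructed sample records. Assumption: a pending 2FA method still holds
// its securityCode, and confirming the code clears the field to null.
const methods = [
  { accountId: 'alice.test', kind: '2fa-email', securityCode: '123456' }, // code sent, not confirmed
  { accountId: 'bob.test', kind: '2fa-phone', securityCode: null },       // confirmed
];

// Hypothetical lookup of the 2FA method matched for an account.
function findMethod(accountId) {
  return methods.find((m) => m.accountId === accountId && m.kind.startsWith('2fa-')) || null;
}

// Behaviour described in the report: any matched method is reported as
// confirmed, whether or not its code was ever verified.
function getStatusHardCoded(accountId) {
  const method = findMethod(accountId);
  return { confirmed: method !== null };
}

// A method counts as confirmed only if it exists and no code is outstanding.
function isConfirmed(method) {
  return method !== null && method.securityCode === null;
}

// Corrected response: confirmed reflects the stored state.
function getStatus(accountId) {
  return { confirmed: isConfirmed(findMethod(accountId)) };
}

// Server-side gate for the deployment step, so the decision does not depend
// on what an earlier response told the client.
function assertCanDeployMultisig(accountId) {
  if (!isConfirmed(findMethod(accountId))) {
    throw new Error(`2FA method for ${accountId} is not confirmed`);
  }
  return true;
}
```
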