Refactor handling of successful two-factor phone confirmation

[mitchellhenke]

🛠 Summary of changes

A bit of a followup to #8178 and #8316 (specifically this comment) to start consolidating how we implement handle_valid_otp. We have repeated ourselves a few times with methods like mark_user_as_fully_authenticated, but there's a significant amount of phone-specific functionality now. This PR starts to separate those, and aims to eventually consolidate into handle_valid_2FA or similar since not all 2FAs have an OTP (which makes handle_valid_otp kind of misleading).

[aduth]

Just to clarify my understanding, currently this only happens for phones, but eventually we'd want this method to be called for any MFA in the confirmation context?

[mitchellhenke]

That’s my plan, yeah

[aduth]

LGTM 👍

[aduth]

Would it make sense to pull handle_valid_otp into this class? And then maybe consolidate this to a single "handle_valid_*" call?

[mitchellhenke]

session context really only exists for phone OTPs, so I'm leaning towards making the handle_valid_confirmation/handle_valid_authentication calls explicit, and the phone controller can have the conditional checks with UserSessionContext.confirmation_context?, etc.

I'm ultimately hoping this controller will be something like:

if UserSessionContext.confirmation_context?(context)
  handle_valid_confirmation_otp
  handle_valid_verification_for_confirmation
else
  handle_valid_verification_for_authentication
end

and the remaining auth controllers can call handle_valid_verification_for_confirmation / handle_valid_verification_for_authentication without using session context since the controller action should be enough to know the difference.