---
title: Re-authenticate Before Critical Changes
impact: MEDIUM
impactDescription: prevents unauthorized critical operations
tags: authentication, critical, reauthentication, security
---

## Re-authenticate Before Critical Changes

Critical actions such as password change, email change, or account deletion require fresh authentication: the user must prove possession of the current credential (typically by re-entering the password) at the time of the request. An existing session cookie or token is not enough, because a hijacked or unattended session would otherwise be able to lock the real owner out.

**Incorrect (no re-authentication):**

```go
// Dangerous - no password confirmation
func DeleteAccountHandler(w http.ResponseWriter, r *http.Request) {
    userID := r.Context().Value("userID").(string)
    deleteAccount(userID)
    w.Write([]byte(`{"success": true}`))
}
```

**Correct (require password confirmation):**

```go
import (
    "log/slog"
    "net/http"
)

func DeleteAccountHandler(w http.ResponseWriter, r *http.Request) {
    // Reject rather than panic if the auth middleware did not set a user ID
    userID, ok := r.Context().Value("userID").(string)
    if !ok {
        http.Error(w, "Unauthorized", http.StatusUnauthorized)
        return
    }
    currentPassword := r.FormValue("password")

    // 1. Verify current password (verifyPassword compares against the stored
    //    hash; rate-limit this check so it cannot be used to guess the password)
    if !verifyPassword(userID, currentPassword) {
        http.Error(w, "Invalid password", http.StatusUnauthorized)
        return
    }

    // 2. Perform critical action
    deleteAccount(userID)

    // 3. Log the security event
    slog.Info("Account deleted", "user_id", userID)

    w.Write([]byte(`{"success": true}`))
}
```
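The correct handler above re-checks the password on every call. As an added example that is not part of the original page, the policy below shows the usual refinement: a successful password confirmation opens a short "sudo mode" window recorded on the session, so a sequence of critical changes prompts once, while a session that last proved its credentials long ago (or never) must prompt again. `Session`, `ReauthPolicy` and the in-memory `demoVerify` store are assumptions constructed for this demo.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"log/slog"
	"time"
)

// Session records when the user last proved possession of their credentials.
type Session struct {
	UserID     string
	LastAuthAt time.Time
}

// ReauthPolicy gates critical actions: Window is how long one credential proof
// stays valid ("sudo mode"); Verify checks a user's current password.
type ReauthPolicy struct {
	Window time.Duration
	Verify func(userID, password string) bool // hypothetical hook; back it with bcrypt/argon2 in production
}

var ErrReauthRequired = errors.New("re-authentication required")

// Authorize returns nil if the action may proceed; a stale session must supply its current password.
func (p ReauthPolicy) Authorize(s *Session, now time.Time, password string) error {
	if !s.LastAuthAt.IsZero() && now.Sub(s.LastAuthAt) <= p.Window {
		return nil // recent proof of credentials, no prompt needed
	}
	if password == "" || !p.Verify(s.UserID, password) {
		slog.Warn("critical action refused", "user_id", s.UserID, "password_supplied", password != "")
		return ErrReauthRequired
	}
	s.LastAuthAt = now // valid password: start a new sudo-mode window
	return nil
}

// Constructed demo credential store (plaintext only for illustration; real stores hold slow-hash digests).
var demoPasswords = map[string]string{"u1": "correct horse"}

func demoVerify(userID, password string) bool {
	want, ok := demoPasswords[userID]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1
}

func main() {
	s, p := &Session{UserID: "u1"}, ReauthPolicy{Window: 5 * time.Minute, Verify: demoVerify}
	fmt.Println(p.Authorize(s, time.Now(), ""), p.Authorize(s, time.Now(), "correct horse"))
}
```

A handler then calls `Authorize` before `deleteAccount` and maps `ErrReauthRequired` to a 401 that tells the client to prompt for the password.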

**Critical actions requiring re-auth:**
- Password change
- Email change
- Phone number change
- Account deletion
- Major security settings changes

**Tools:** Manual Review, Security Audit
