Comment 11 for bug 1371655

So here are the options I can imagine off the top of my head (spoiler alert, #4 is my vote):

1) Always ask for a code, if AccountsService doesn't ask us to authenticate, just don't use the given code. This is bad because if the user entered the wrong code, things will still work. And the user will be left wondering if we do any security at all.

2) We could always authenticate directly via policykit on our side before asking AccountsService to change the password type. This would be a duplication of authentication effort and code on our end. So not ideal.

3) We could ship an override for AccountsService/policykit so that it won't keep authentication tokens around for these actions. That's a big system-wide hammer for this local problem, so I'd prefer not to muck with such configuration.

4) We could ask policykit to revoke our authentication after completing any interaction with AccountsService. I've never used that API before, but I *think* that would be the same thing as #3 but just for us. This is my vote, assuming it works like I think it does.