From e542481df8fd497f970a2fd2f02fb41a69636963 Mon Sep 17 00:00:00 2001
From: Jens Kraemer <jk@jkraemer.net>
Date: Thu, 21 May 2026 09:18:05 +0800
Subject: [PATCH] removes ignored and unnecessary scope in twofa token lookup

Token.find_token doesn't honor the prepended relation and we do check the user
in the next line.
---
 lib/redmine/twofa/base.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/redmine/twofa/base.rb b/lib/redmine/twofa/base.rb
index b22531341..ac943ca2c 100644
--- a/lib/redmine/twofa/base.rb
+++ b/lib/redmine/twofa/base.rb
@@ -112,7 +112,7 @@ module Redmine
         code = code.to_s.remove(/[[:space:]]/).downcase
         user_from_code = Token.find_active_user('twofa_backup_code', code)
         # invalidate backup code after usage
-        Token.where(user_id: @user.id).find_token('twofa_backup_code', code).try(:delete)
+        Token.find_token('twofa_backup_code', code).try(:delete)
         # make sure the user using the backup code is the same it's been issued to
         return false unless @user.present? && @user == user_from_code
 
-- 
2.54.0