Project

General

Profile

Actions

Defect #34618

closed

Cannot sign in when both enabling two-factor authentication and changing password are required

Added by Go MAEDA about 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

If a user is required to both enable two-factor authentication and change their password, the user will never be able to sign in due to a redirect loop between /my/password and /my/twofa/totp/activate/confirm.

You can reproduce the issue by the following steps:

1. Set "Two-factor authentication" (in Admin > Settings > Authentication) to "required"
2. Enable "Must change password at next logon" for a user without two-factor authentication enabled
3. Try to login with the user

Started GET "/" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by WelcomeController#index as HTML
(snip)
Redirected to http://redmine-trunk.test/my/password
Filter chain halted as :check_password_change rendered or redirected
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)

Started GET "/my/password" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by MyController#password as HTML
(snip)
Redirected to http://redmine-trunk.test/my/twofa/totp/activate/confirm
Filter chain halted as :check_twofa_activation rendered or redirected
Completed 302 Found in 20ms (ActiveRecord: 3.5ms)

Started GET "/my/twofa/totp/activate/confirm" for 127.0.0.1 at 2021-01-23 15:51:
42 +0900
Processing by TwofaController#activate_confirm as HTML
(snip)
Redirected to http://redmine-trunk.test/my/password
Filter chain halted as :check_password_change rendered or redirected
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)

Files

34618.patch (1.27 KB) 34618.patch Go MAEDA, 2021-01-30 08:14

Related issues

Related to Redmine - Feature #1237: Add support for two-factor authenticationClosedGo MAEDA2008-05-14

Actions
Actions #1

Updated by Go MAEDA about 3 years ago

  • Related to Feature #1237: Add support for two-factor authentication added
Actions #2

Updated by Go MAEDA about 3 years ago

  • Description updated (diff)
Actions #3

Updated by Go MAEDA about 3 years ago

The following change fixes the issue.

diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index a43663496..76eefe6b0 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -29,7 +29,7 @@ class TwofaController < ApplicationController

   require_sudo_mode :activate_init, :deactivate_init

-  skip_before_action :check_twofa_activation, only: [:select_scheme, :activate_init, :activate_confirm, :activate]
+  skip_before_action :check_twofa_activation, :check_password_change, only: [:select_scheme, :activate_init, :activate_confirm, :activate]

   def select_scheme
     @user = User.current
Actions #4

Updated by Hide MATSUTANI about 3 years ago

+1
This is the defect I reported to Maeda-san on twitter. Thank you for the rapid issuing.

Actions #5

Updated by Go MAEDA about 3 years ago

Attaching a patch to fix the issue.

Actions #6

Updated by Go MAEDA about 3 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix in r20734 as a part of #1237.

Actions

Also available in: Atom PDF