Defect #35417 » 2fa-session-reset.patch
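--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -47,6 +47,8 @@
 
 def activate
 if @twofa.confirm_pairing!(params[:twofa_code].to_s)
+# The session token was destroyed by the twofa pairing, generate a new one
+session[:tk] = @user.generate_session_token
 flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
 redirect_to my_account_path
 else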
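Review bot: The new comment on line 50 blames "the twofa pairing" for the lost token, but the deletion actually happens in User#destroy_tokens in app/models/user.rb (its saved_change_to_* checks imply it runs after save, and this patch makes it fire once twofa_scheme becomes present), which also drops the user's autologin and recovery tokens; naming the real source keeps the coupling discoverable, e.g. `# User#destroy_tokens revokes every session token once twofa_scheme is set; issue a fresh one so this request's session survives`. Since the replacement token is only issued on this success branch, any other code path that sets twofa_scheme would leave its caller with a dangling session cookie, so the rule is worth documenting on the model side as well. The activate method's else branch and end continue outside the hunk.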
| app/models/user.rb | ||
|---|---|---|
| 916 | 916 |
# This helps to keep the account secure in case the associated email account |
| 917 | 917 |
# was compromised. |
| 918 | 918 |
def destroy_tokens |
| 919 |
if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) |
|
| 919 |
if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) || (saved_change_to_twofa_scheme? && twofa_scheme.present?)
|
|
| 920 | 920 |
tokens = ['recovery', 'autologin', 'session'] |
| 921 | 921 |
Token.where(:user_id => id, :action => tokens).delete_all |
| 922 | 922 |
end |
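Review bot: The added clause on line 919 only fires when twofa_scheme becomes present, so clearing it (disabling 2FA) no longer revokes existing sessions even though that is an equally security-relevant account change; if the asymmetry is intended it should be stated in a comment, otherwise `saved_change_to_twofa_scheme?` alone covers both directions, with whatever controller path clears the scheme then also needing to re-issue its own session token the way activate does. The header comment above the method (it begins before the hunk) still describes the purpose purely in terms of a compromised email account, so a sentence such as `# Also runs when a 2FA scheme is enabled, so sessions established before 2FA was required are invalidated` would keep it accurate. The condition is now long enough that a guard clause with one alternative per line would read better than the single-line if.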