Defect #34618

Cannot sign in when both enabling two-factor authentication and changing password are required

Added by Go MAEDA 10 months ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Assignee: Go MAEDA
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution: Fixed
Start date:
Due date:
Affected version:

Description

If a user is required to both enable two-factor authentication and change their password, the user will never be able to sign in due to a redirect loop between /my/password and /my/twofa/totp/activate/confirm.

You can reproduce the issue by the following steps:

1. Set "Two-factor authentication" (in Admin > Settings > Authentication) to "required"
2. Enable "Must change password at next logon" for a user without two-factor authentication enabled
3. Try to log in as the user

Started GET "/" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by WelcomeController#index as HTML
(snip)
Redirected to http://redmine-trunk.test/my/password
Filter chain halted as :check_password_change rendered or redirected
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)

Started GET "/my/password" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by MyController#password as HTML
(snip)
Redirected to http://redmine-trunk.test/my/twofa/totp/activate/confirm
Filter chain halted as :check_twofa_activation rendered or redirected
Completed 302 Found in 20ms (ActiveRecord: 3.5ms)

Started GET "/my/twofa/totp/activate/confirm" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by TwofaController#activate_confirm as HTML
(snip)
Redirected to http://redmine-trunk.test/my/password
Filter chain halted as :check_password_change rendered or redirected
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)

34618.patch (1.27 KB) Go MAEDA, 2021-01-30 08:14
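The loop visible in the log above, modelled as an added Ruby example that is not Redmine's code: two before_action filters with a per-action skip table, run for a user who must both change their password and activate two-factor authentication. The filter bodies and skip tables are constructed assumptions that mirror the log, not the real controllers.

```ruby
# Added example (not Redmine's code): a small model of the two before_action
# filters involved in #34618, showing the redirect loop and how also skipping
# :check_password_change on the 2FA activation actions breaks it.
User = Struct.new(:must_change_passwd, :twofa_active, keyword_init: true)

# Each filter returns a redirect target or nil (constructed; order follows the
# log, where "/" is redirected to /my/password before the 2FA check runs).
FILTERS = {
  check_password_change: ->(u) { u.must_change_passwd ? '/my/password' : nil },
  check_twofa_activation: ->(u) { u.twofa_active ? nil : '/my/twofa/totp/activate/confirm' }
}.freeze

# Filters each path skips (hypothetical table standing in for the
# skip_before_action declarations in MyController and TwofaController).
BEFORE_FIX = {
  '/my/password' => [:check_password_change],
  '/my/twofa/totp/activate/confirm' => [:check_twofa_activation]
}.freeze

# The fix: the 2FA activation action also skips :check_password_change.
AFTER_FIX = BEFORE_FIX.merge(
  '/my/twofa/totp/activate/confirm' => [:check_twofa_activation, :check_password_change]
).freeze

# Run the filter chain for one request; nil means the action itself renders.
def dispatch(path, user, skips)
  skipped = skips.fetch(path, [])
  FILTERS.each do |name, filter|
    next if skipped.include?(name)
    target = filter.call(user)
    return target if target
  end
  nil
end

# Follow redirects from `start`; returns [visited paths, looped?].
# A path seen twice means the chain would redirect forever.
def follow(start, user, skips, limit: 10)
  visited = [start]
  path = start
  limit.times do
    nxt = dispatch(path, user, skips)
    return [visited, false] if nxt.nil?
    return [visited << nxt, true] if visited.include?(nxt)
    visited << nxt
    path = nxt
  end
  [visited, true]
end
```

With AFTER_FIX the user reaches the activation page, and once `twofa_active` is true the next request is still sent to /my/password, so the mandatory password change is deferred rather than bypassed.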


Related issues

Related to Redmine - Feature #1237: Add support for two-factor authentication Closed 2008-05-14

Associated revisions

Revision 20734
Added by Go MAEDA 10 months ago

Fix redirect loop when both enabling two-factor authentication and changing password are required (#1237, #34618).

Patch by Go MAEDA.

History

#1 Updated by Go MAEDA 10 months ago

  • Related to Feature #1237: Add support for two-factor authentication added

#2 Updated by Go MAEDA 10 months ago

  • Description updated (diff)

#3 Updated by Go MAEDA 10 months ago

The following change fixes the issue.

diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index a43663496..76eefe6b0 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -29,7 +29,7 @@ class TwofaController < ApplicationController

   require_sudo_mode :activate_init, :deactivate_init

-  skip_before_action :check_twofa_activation, only: [:select_scheme, :activate_init, :activate_confirm, :activate]
+  skip_before_action :check_twofa_activation, :check_password_change, only: [:select_scheme, :activate_init, :activate_confirm, :activate]

   def select_scheme
     @user = User.current
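Review bot: the `+` line skips :check_password_change only for :select_scheme, :activate_init, :activate_confirm and :activate, so a user in the reported state now completes two-factor activation first and is still redirected to /my/password afterwards; that intended order (2FA activation before the forced password change) is not recorded anywhere in the hunk. Suggest a short comment above the skip_before_action naming the loop with MyController#password, and a regression test driving the three reproduction steps from the description so a later change to either filter cannot reintroduce the loop.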

#4 Updated by Hide MATSUTANI 10 months ago

+1
This is the defect I reported to Maeda-san on Twitter. Thank you for the rapid issuing.

#5 Updated by Go MAEDA 10 months ago

Attaching a patch to fix the issue.

#6 Updated by Go MAEDA 10 months ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix in r20734 as a part of #1237.
