Defect #34618

Updated by Go MAEDA about 1 year ago

If a user is required to both enable two-factor authentication and change their password, the user will never be able to sign in due to a redirect loop between /my/password and /my/twofa/totp/activate/confirm.

You can reproduce the issue by the following steps:

1. Set "Two-factor authentication" (in Admin > Settings > Authentication) to "required"
2. Enable "Must change password at next logon" for a user without two-factor authentication enabled
3. Try to login with the user

<pre>
Started GET "/" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by WelcomeController#index as HTML
(snip)
Redirected to http://redmine-trunk.test/my/password
Filter chain halted as :check_password_change rendered or redirected
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)

Started GET "/my/password" for 127.0.0.1 at 2021-01-23 15:51:42 +0900
Processing by MyController#password as HTML
(snip)
Redirected to http://redmine-trunk.test/my/twofa/totp/activate/confirm
Filter chain halted as :check_twofa_activation rendered or redirected
Completed 302 Found in 20ms (ActiveRecord: 3.5ms)

Started GET "/my/twofa/totp/activate/confirm" for 127.0.0.1 at 2021-01-23 15:51:
42 +0900
Processing by TwofaController#activate_confirm as HTML
(snip)
Redirected to http://redmine-trunk.test/my/password
Filter chain halted as :check_password_change rendered or redirected
Completed 302 Found in 7ms (ActiveRecord: 1.7ms)
</pre>

Back