Better handle 2FA setup depending on authentication state #1

Open
opened 2025-10-31 08:47:49 +00:00 by arne · 0 comments
Owner

Currently the `/2fa/setup` route is always accessible, regardless of whether the user is logged in or not, and regardless of whether they have 2FA set up or not.

When not logged in, we should either redirect to login and show a flash message there, or render a view with a message and a link back to login.

If the user has 2FA set up already, then I think you typically need to remove 2FA first before you can replace it, which means first confirming 2FA or a backup code.
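The gating the issue asks for, written out as an added example (this is illustrative code, not Oak's own implementation, and the route names `/login` and `/2fa/confirm`, the `Decision` shape, and every helper name are assumptions). The function decides what `/2fa/setup` should do for an anonymous user, a user without 2FA, and a user who already has it; in the last case it demands a valid TOTP code (RFC 6238, stdlib `hmac`) or a single-use backup code, removes the old factor only after that proof, and then permits enrolment. The secret and codes in the usage section are constructed test values.

```python
"""Access control for a /2fa/setup route keyed on authentication state.
Added illustration, not Oak's code; routes, Decision and helper names are
assumptions made for the example."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

TOTP_STEP = 30  # seconds per RFC 6238 time step


@dataclass
class User:
    totp_secret: Optional[bytes] = None          # None means 2FA not set up
    backup_code_hashes: set = field(default_factory=set)

    @property
    def has_2fa(self) -> bool:
        return self.totp_secret is not None


@dataclass
class Decision:
    action: str                  # "redirect", "render" or "allow"
    target: str                  # route to redirect to / view to render
    flash: Optional[str] = None  # message to show the user, if any


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for unix time `at`."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(user: User, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock skew), constant-time."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(user.totp_secret, now + skew * TOTP_STEP).encode(), code.encode())
        for skew in range(-window, window + 1)
    )


def hash_backup_code(code: str) -> str:
    # Plain SHA-256 keeps this stdlib-only; a slow hash (argon2/bcrypt) is
    # preferable in production because backup codes are short.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_backup_codes(user: User, count: int = 8) -> list:
    """Generate single-use backup codes; only their hashes are stored."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    user.backup_code_hashes = {hash_backup_code(c) for c in codes}
    return codes  # shown to the user once, never again


def consume_backup_code(user: User, code: str) -> bool:
    """Constant-time match against stored hashes; a matched code is deleted."""
    candidate = hash_backup_code(code)
    for stored in list(user.backup_code_hashes):
        if hmac.compare_digest(stored, candidate):
            user.backup_code_hashes.discard(stored)
            return True
    return False


def guard_2fa_setup(user: Optional[User], confirmation_code: Optional[str] = None,
                    now: Optional[int] = None) -> Decision:
    """What /2fa/setup should do, given who is asking.

    anonymous       -> redirect to login with a flash message
    no 2FA yet      -> allow enrolment
    2FA already set -> require a valid TOTP or backup code first; on success
                       the old factor is removed and enrolment is allowed
    """
    if user is None:
        return Decision("redirect", "/login", "Please log in to set up two-factor authentication.")
    if not user.has_2fa:
        return Decision("allow", "/2fa/setup")
    if confirmation_code is None:
        return Decision("render", "/2fa/confirm",
                        "Confirm your current second factor before replacing it.")
    if verify_totp(user, confirmation_code, now) or consume_backup_code(user, confirmation_code):
        # Removal is the gate: the old secret, and the backup codes that
        # belonged to it, are cleared only after possession was proven.
        user.totp_secret = None
        user.backup_code_hashes.clear()
        return Decision("allow", "/2fa/setup", "Previous second factor removed; enrol a new one.")
    return Decision("render", "/2fa/confirm", "That code was not valid.")


if __name__ == "__main__":
    # Constructed test values: the RFC 6238 Appendix B secret at T=59.
    u = User(totp_secret=b"12345678901234567890")
    print(guard_2fa_setup(None))                  # redirect to /login
    print(guard_2fa_setup(u))                     # render /2fa/confirm
    print(guard_2fa_setup(u, "287082", now=59))   # allow, old factor removed
```

Two things a real route would add on top of this: rate limiting on the confirmation step (a six-digit code with a three-step window is brute-forceable otherwise), and, if confirmation and enrolment are separate requests, a short-lived session flag recording that the old factor was confirmed rather than re-prompting on every request.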

Labels: bug, small
Reference: gaiwan/Oak#1