Enforce terms acceptance before configuring 2FA
What does this MR do?
This prevents a redirect loop between the terms path and the 2FA page when a user is forced to enable 2FA but hasn't yet.
This could also have happened with other requirements: Setting a new password, setting an email.
After this MR, the user will be required to accept the terms before anything else.
Flows would look like this:
User needs 2FA, but hasn't configured it yet:
- Login using username and password
- Accept terms
- Configure 2FA
User has an expired password:
- Login using username & old password
- Accept terms
- Set new password
User hasn't configured an email: (This could happen using OAuth)
- Login
- Accept terms
- Directed to profile page to set email
I also added a spec for this flow:
User with 2FA enabled:
- Login using username & password
- Enter OTP
- Accept terms
Does this MR meet the acceptance criteria?
- Tests added for this feature/bug - Review
- Has been reviewed by Backend
What are the relevant issue numbers?
Edited by Bob Van Landuyt
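The ordering described in this MR can be modelled in a few lines. This is an added example, not code from the MR or from GitLab: the page paths, the requirement names and the guard functions are constructed, and the loop mechanism (each pending requirement redirecting away from every page but its own) is an assumption about how such a loop arises.

```ruby
# Constructed model: requirement => page where the user resolves it.
# Hash order is the enforcement order used by ordered_guard (terms first).
PAGES = {
  terms: "/terms", two_factor: "/2fa/setup",
  password: "/password/new", email: "/profile"
}.freeze

# Independent guards: any pending requirement redirects away from every page
# except its own, so two pending requirements bounce the user back and forth.
def independent_guard(pending, path)
  name = PAGES.keys.find { |n| pending.include?(n) && PAGES[n] != path }
  name && PAGES[name]
end

# Ordered guard: only the first pending requirement is enforced at a time.
def ordered_guard(pending, path)
  first = PAGES.keys.find { |n| pending.include?(n) }
  page = first && PAGES[first]
  page unless page == path
end

# Follow redirects from start. Returns [:ok, final_path] or [:loop, visited].
def follow(guard, pending, start, limit: 10)
  path, seen = start, []
  limit.times do
    return [:loop, seen + [path]] if seen.include?(path)
    seen << path
    target = send(guard, pending, path)
    return [:ok, path] if target.nil?
    path = target
  end
  [:loop, seen]
end

# Walk a whole session under the ordered guard: land on a page, resolve
# that requirement, request the dashboard again. Returns the step order.
def flow(pending, start = "/dashboard")
  pending = pending.dup
  steps = []
  until pending.empty?
    status, path = follow(:ordered_guard, pending, start)
    return steps unless status == :ok
    steps << PAGES.key(path)
    pending.delete(PAGES.key(path))
  end
  steps
end
```

A redirect-chain check like `follow` can be reused in a spec to assert that no combination of pending requirements produces a loop.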