Remove OTP from being required before WebAuthn Device is registered
What does this MR do and why?
Related to #378844 (closed)
This is the first set of backend changes for #378844 (closed). This MR removes the requirement that Time-based OTP needs to be enabled for WebAuthn to work.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- In rails console, run: `Feature.enable(:webauthn_without_totp)`
- Visit https://gdk.test:3443/-/profile/two_factor_auth and click on "Set up new device"
- Register a WebAuthn device
- Save backup codes / click "Proceed"
- WebAuthn registration success message should be shown on page
- Visiting https://gdk.test:3443/-/profile/two_factor_auth should show your registered WebAuthn device
- Sign out of GitLab and back in; WebAuthn validation should be required in the login flow and allow you to complete login.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Aboobacker MK