
Fix webauth device removal

Jarka Košanová requested to merge 393421-webauth-reset-codes into master

What does this MR do and why?

As described in the related issue, currently, when a user removes their last WebAuthn device, the backup codes are not removed even if that device was their last two-factor auth method.

This MR fixes this: when a user removes a WebAuthn device, it checks whether that device is their last two-factor auth method. If it is, it calls TwoFactor::DestroyService, which disables two-factor auth, including removing the backup codes. If it is not the last two-factor auth method, the workflow is unchanged.
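The branching described above, as an added illustration that is not the MR's own code: it uses a constructed in-memory User struct instead of the Rails model, a stand-in for TwoFactor::DestroyService, and a fixed: flag so the old and new behaviour can be compared side by side.

```ruby
# Added illustration of the fix described in this MR, using an in-memory
# stand-in for the User model (constructed here; not GitLab's code).
require 'securerandom'

User = Struct.new(:username, :otp_required_for_login, :otp_backup_codes,
                  :webauthn_registrations, :totp_enabled, keyword_init: true)

# Does the user still have any second factor other than the given device?
def other_two_factor_methods?(user, device)
  remaining = user.webauthn_registrations - [device]
  user.totp_enabled || remaining.any?
end

# Stand-in for TwoFactor::DestroyService: disable 2FA entirely,
# which includes removing the backup codes.
def destroy_two_factor(user)
  user.webauthn_registrations = []
  user.totp_enabled = false
  user.otp_required_for_login = false
  user.otp_backup_codes = nil
  user
end

# Remove one WebAuthn device. With fixed: false the device is simply deleted
# (the behaviour before this MR, backup codes left in place); with fixed: true
# removing the last second factor disables 2FA and clears the backup codes.
def remove_webauthn_device(user, device, fixed: true)
  if fixed && !other_two_factor_methods?(user, device)
    destroy_two_factor(user)
  else
    user.webauthn_registrations.delete(device)
  end
  user
end

# Constructed sample user: one WebAuthn device, backup codes issued, no TOTP.
def sample_user
  User.new(username: 'alice', otp_required_for_login: true,
           otp_backup_codes: 5.times.map { SecureRandom.hex(4) },
           webauthn_registrations: ['yubikey-1'], totp_enabled: false)
end

if __FILE__ == $PROGRAM_NAME
  u = remove_webauthn_device(sample_user, 'yubikey-1')
  puts "backup codes after removing last device: #{u.otp_backup_codes.inspect}"
end
```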

How to set up and validate locally

Prerequisites

  1. Enable the following feature flag: Feature.enable(:webauthn_without_totp)

Before every test

  1. Go to Manage two-factor authentication, e.g. https://gdk.test:3443/-/profile/two_factor_auth
  2. Delete all registered authenticators
  3. Register a WebAuthn device
  4. The user is redirected to see the recovery codes

Check the auth codes are removed when you remove the last two-factor authenticator

  1. Delete the registered device
  2. Register a new authenticator
  3. After this change, you should be redirected to see the recovery codes
  4. You can also check in the console using
       u = User.find_by(username: 'YOUR_USERNAME')
       u.otp_backup_codes

Check the auth codes are not removed when you remove one of several two-factor authenticators

  1. Register another two-factor auth method
  2. Delete the registered device
  3. Register a new authenticator
  4. After this change, you should not be redirected to see the recovery codes
  5. You can also check in the console using
       u = User.find_by(username: 'YOUR_USERNAME')
       u.otp_backup_codes

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #393421 (closed)

Edited by Jarka Košanová
