Fix webauth device removal
What does this MR do and why?
As described in the related issue, currently, when a user removes their last WebAuthn device, the backup codes are not removed even if it was their last two-factor auth method.
This MR fixes this: when a user removes a WebAuthn device, it checks whether that device is their last two-factor auth method. If it is, it calls `TwoFactor::DestroyService`, which disables two-factor auth, including removing the backup codes. If it is not the last two-factor auth method, the workflow is unchanged.
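The control flow this MR describes, sketched as an added Ruby example; this is not GitLab's code, and `User`, the two service classes and their fields are stand-ins for the real models and for `TwoFactor::DestroyService`:

```ruby
# Added illustration of the fix's control flow in plain Ruby. Class and field
# names are assumptions, not GitLab's own models or TwoFactor::DestroyService.

# Minimal stand-in for a user carrying the two-factor state the MR cares about.
User = Struct.new(:username, :otp_required_for_login, :webauthn_registrations,
                  :otp_backup_codes, keyword_init: true) do
  # A second factor remains while a TOTP secret or any WebAuthn device exists.
  def two_factor_enabled?
    otp_required_for_login || !webauthn_registrations.empty?
  end
end

# Stand-in for TwoFactor::DestroyService: disabling 2FA drops every method
# together with the backup codes, which the old removal flow skipped.
class TwoFactorDestroyService
  def initialize(user)
    @user = user
  end

  def execute
    @user.otp_required_for_login = false
    @user.webauthn_registrations.clear
    @user.otp_backup_codes = nil
    { status: :success }
  end
end

# Removing a WebAuthn device: delete it, then check whether it was the last
# two-factor method and, if so, hand off to the full 2FA teardown.
class WebauthnDestroyService
  def initialize(user, registration_name)
    @user, @name = user, registration_name
  end

  def execute
    removed = @user.webauthn_registrations.delete(@name)
    return { status: :error, message: 'device not found' } unless removed

    # Only the last authenticator triggers the backup-code removal.
    return TwoFactorDestroyService.new(@user).execute unless @user.two_factor_enabled?

    { status: :success }
  end
end

# Constructed sample user: one WebAuthn key, optional TOTP, ten dummy codes.
def sample_user(totp: false)
  User.new(username: 'alice', otp_required_for_login: totp,
           webauthn_registrations: ['yubikey'],
           otp_backup_codes: Array.new(10) { |i| format('code%02d', i) })
end
```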
How to set up and validate locally
Prerequisites
- Enable the following feature flag in the Rails console:

```ruby
Feature.enable(:webauthn_without_totp)
```
Before every test
- Go to Manage two-factor authentication, e.g. https://gdk.test:3443/-/profile/two_factor_auth
- Delete all registered authenticators
- Register a WebAuthn device
- The user is redirected to the page showing the recovery codes
Check that the backup codes are removed when you remove the last two-factor authenticator
- Delete the registered device
- Register a new authenticator
- After this change, you should be redirected to see the recovery codes
- You can also check in the Rails console using:

```ruby
u = User.find_by(username: 'YOUR_USERNAME')
u.otp_backup_codes
```
Check that the backup codes are not removed when you remove one of several two-factor authenticators
- Register another two-factor auth method
- Delete the registered device
- Register a new authenticator
- After this change, you should not be redirected to see the recovery codes
- You can also check in the Rails console using:

```ruby
u = User.find_by(username: 'YOUR_USERNAME')
u.otp_backup_codes
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #393421 (closed)
Edited by Jarka Košanová