Fix 2FA setup for users with no password
What does this MR do and why?
This MR fixes a severity1 priority1 ~bug #342152 (closed) where users who authenticated with an external provider were prompted to provide a password to make changes to two-factor authentication.
The ~bug was introduced by https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1713
Screenshots or screen recordings
- When `current_user.password_automatically_set == false`
- When `current_user.password_automatically_set == true`
How to set up and validate locally
- As a logged in user go to `/-/profile/two_factor_auth`
- Verify that the current password field is present
- Verify that you need to enter a password to both enable and disable 2FA
- Open a `rails console`
- Find your user: `user = User.find(1)`
- Update password_automatically_set: `user.update(password_automatically_set: true)`
- Reload the `/-/profile/two_factor_auth` page
- Verify that the current password field is not present
- Verify that you do not need to enter a password to both enable and disable 2FA
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #342152 (closed)
Edited by Luke Duncalfe
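The behaviour that the validation steps above check, modelled as an added example (not GitLab's code and not part of the MR): a password guard for 2FA changes as described for the bug, next to one that skips the prompt when `password_automatically_set` is true. Only `password_automatically_set` comes from the page; the `User` struct, the helper names and the PBKDF2 hashing are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Hypothetical stand-in for the user record; only password_automatically_set
# is a name taken from the MR description.
User = Struct.new(:salt, :password_hash, :password_automatically_set,
                  :otp_enabled, keyword_init: true)

ITERATIONS = 10_000 # kept low so the example runs quickly

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# With no password given, model an account created through an external
# provider: it gets a random password the user never sees.
def build_user(password: nil)
  salt = SecureRandom.bytes(16)
  auto = password.nil?
  secret = auto ? SecureRandom.hex(32) : password
  User.new(salt: salt, password_hash: hash_password(secret, salt),
           password_automatically_set: auto, otp_enabled: false)
end

def valid_password?(user, submitted)
  return false if submitted.nil? || submitted.empty?
  candidate = hash_password(submitted, user.salt)
  # Constant-time comparison of two equal-length digests.
  candidate.bytes.zip(user.password_hash.bytes)
           .reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Behaviour described as the bug: every user must confirm a password.
def password_confirmed_before_fix?(user, submitted)
  valid_password?(user, submitted)
end

# Behaviour the validation steps expect: no prompt for generated passwords.
def password_confirmed_after_fix?(user, submitted)
  return true if user.password_automatically_set
  valid_password?(user, submitted)
end

# Enable or disable 2FA only when the chosen guard accepts the request.
def set_two_factor(user, enabled:, current_password:, guard:)
  return :password_required unless send(guard, user, current_password)
  user.otp_enabled = enabled
  :ok
end
```
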