Bypassing 2FA

I am not sure if this is being worked on or if it is unnoticed, but the 2FA can be bypassed.

  1. I enter username, email and password here, http://127.0.0.1:2354/register and then I click Sign Up.
  2. I am taken to the page http://127.0.0.1:2354/twofactor
  3. I simply go to http://127.0.0.1:2354/ and I see I am logged in!

However, logging in through the http://127.0.0.1:2354/twofactorlogin page works as expected and 2FA cannot be bypassed there.

Checklist

  • Make 2FA mandatory: the user cannot access logged-in functionality until the 2FA code has been verified.
  • Test login and registration.
  • Test Pages (when logged in)
  • Test Pages (when browsing as guest)

Resources

Edited by Vedant Wakalkar
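The report above describes a classic two-factor ordering bug: registration writes a fully authenticated session before the /twofactor step, so the second factor is never enforced for new accounts. Below is an added example, not code from this project, that models the vulnerable flow beside the fixed one in plain Python with a dict standing in for the server-side session. The user store, the `pending_2fa` marker and the TOTP secret are assumptions for illustration; the TOTP routine follows RFC 4226/6238 using only the standard library.

```python
import hashlib
import hmac
import struct

# Constructed in-memory user store: username -> {"password": str, "totp_secret": bytes}
USERS = {}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


# ---- Vulnerable flow: the bug the issue reports ---------------------------

def register_vulnerable(session: dict, username: str, password: str, secret: bytes) -> str:
    """/register as described in the issue: the session is fully authenticated
    before the user ever reaches /twofactor, so visiting / shows a logged-in page."""
    USERS[username] = {"password": password, "totp_secret": secret}
    session["user_id"] = username          # BUG: full login granted before 2FA
    return "/twofactor"                    # redirect target the user can simply skip


def is_logged_in_vulnerable(session: dict) -> bool:
    return "user_id" in session


# ---- Fixed flow: a half-authenticated marker that no protected page accepts --

def register_fixed(session: dict, username: str, password: str, secret: bytes) -> str:
    """Registration only records that the first factor passed; it never sets user_id."""
    USERS[username] = {"password": password, "totp_secret": secret}
    session.clear()                        # drop any stale state from an earlier attempt
    session["pending_2fa"] = username      # assumed marker name: "first factor done, second pending"
    return "/twofactor"


def verify_2fa(session: dict, code: str, now: int) -> bool:
    """/twofactor: promote the pending marker to a real login only on a valid code."""
    username = session.get("pending_2fa")
    if username is None:
        return False                       # nobody is mid-login in this session
    expected = totp(USERS[username]["totp_secret"], now)
    if not hmac.compare_digest(expected, code):
        return False                       # wrong code: stay half-authenticated
    del session["pending_2fa"]
    session["user_id"] = username          # only now is the user logged in
    return True


def is_logged_in_fixed(session: dict) -> bool:
    """Guard every logged-in page with this: a pending second factor is not a login."""
    return "user_id" in session and "pending_2fa" not in session


if __name__ == "__main__":
    secret = b"constructed-demo-secret-12345"
    s = {}
    register_vulnerable(s, "alice", "pw", secret)
    print("vulnerable, skipped 2FA, logged in?", is_logged_in_vulnerable(s))   # True

    s = {}
    register_fixed(s, "alice", "pw", secret)
    print("fixed, skipped 2FA, logged in?", is_logged_in_fixed(s))             # False
    verify_2fa(s, totp(secret, 1_700_000_000), 1_700_000_000)
    print("fixed, after valid code, logged in?", is_logged_in_fixed(s))        # True
```

The same guard belongs on the login path too: if /twofactorlogin already works correctly, it is almost certainly because it sets the equivalent of `pending_2fa` rather than `user_id` until the code checks out, and registration should reuse that exact path instead of a separate one.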