2FA Recovery Codes can be used more than once
Summary
2FA Recovery Codes can be used more than once when used with an oauth application. If user is signed in/created via oauth application 2FA recovery codes are never invalidated and can be used repeatedly.
Steps to reproduce
- Register New user/Sign in with Oauth Application (reproduced with Github and Google)
- Visit User profile settings (/profile/account) and enable 2FA
- Copy Recovery Codes and select one
- Sign Out/Sign Back in (Google/GitHub)
- Use selected recovery code (successfully login in)
- Sign Out/Sign Back in (Google/GitHub)
- Use same recovery code used in previous steps
Recovery code can always be used to successfully log in.
What is the expected correct behavior?
Recovery code should only be available for use once
Reproduced on gitlab.com