
Enforce terms acceptance before configuring 2FA

Bob Van Landuyt requested to merge bvl-terms-redirect-loop into master

What does this MR do?

This prevents a redirect loop between the terms path and the 2FA page when a user is forced to enable 2FA but hasn't yet.

This could also have happened with other requirements: setting a new password, setting an email.

After this MR, the user will be required to accept the terms before anything else.

Flows would look like this:

User needs 2FA, but hasn't configured it yet:

  • Login using username and password
  • Accept terms
  • Configure 2FA

User has an expired password:

  • Login using username & old password
  • Accept terms
  • Set new password

User hasn't configured an email: (This could happen using OAuth)

  • Login
  • Accept terms
  • Directed to profile page to set email

I also added a spec for this flow:

User with 2FA enabled:

  • Login using username & password
  • Enter OTP
  • Accept terms

Does this MR meet the acceptance criteria?

  • Tests added for this feature/bug
  • Review
    • Has been reviewed by Backend

What are the relevant issue numbers?

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/46256

Edited by Bob Van Landuyt
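The loop the MR description refers to, and the precedence rule that removes it, can be reproduced in a few lines. The following is an added example, not code from GitLab or from this MR: it models Rails-style `before_action` filters as plain Ruby lambdas, simulates a browser following redirects, and compares a chain in which every page runs every requirement check against one in which terms acceptance is checked first and the remaining checks are deferred until the terms are accepted. All paths, filter names and user fields are constructed for the illustration.

```ruby
# Added illustration, not code from GitLab or from this MR. It models Rails-style
# before_action filters as plain Ruby lambdas to show how two redirecting checks
# (terms acceptance and forced 2FA) loop when neither takes precedence, and how
# letting the terms check run first, with the other checks deferred until terms
# are accepted, gives the flows the MR describes. Paths and rules are constructed.

User = Struct.new(:accepted_terms, :two_factor_enabled, :password_expired, :email,
                  keyword_init: true)

TERMS_PATH      = '/-/users/terms'          # constructed paths, not GitLab routes
TWO_FACTOR_PATH = '/profile/two_factor_auth'
PASSWORD_PATH   = '/profile/password/edit'
PROFILE_PATH    = '/profile'
DASHBOARD_PATH  = '/dashboard'

# Each filter returns a redirect target, or nil to let the request proceed. The page
# that satisfies a requirement is exempt from that requirement's own filter, otherwise
# the user could never reach it.
FILTERS = {
  terms:      ->(u, path) { TERMS_PATH      unless u.accepted_terms     || path == TERMS_PATH },
  two_factor: ->(u, path) { TWO_FACTOR_PATH unless u.two_factor_enabled || path == TWO_FACTOR_PATH },
  password:   ->(u, path) { PASSWORD_PATH   if u.password_expired && path != PASSWORD_PATH },
  email:      ->(u, path) { PROFILE_PATH    if u.email.nil?        && path != PROFILE_PATH }
}.freeze

# Before the fix: every page runs every filter. On the terms page the 2FA filter
# redirects to 2FA setup; on the 2FA setup page the terms filter redirects back.
def buggy_chain(_user, _path)
  %i[terms two_factor password email]
end

# After the fix: terms acceptance is checked first, and the other requirement checks
# do not run until the terms have been accepted.
def fixed_chain(user, _path)
  user.accepted_terms ? %i[terms two_factor password email] : %i[terms]
end

# Follows redirects the way a browser would. The first filter that redirects halts
# the chain, as a redirecting before_action does in Rails. Returns the ordered list
# of paths requested and :rendered or :redirect_loop.
def simulate(user, start_path, chain_for, limit: 10)
  visited = []
  path = start_path
  loop do
    return [visited, :redirect_loop] if visited.include?(path) || visited.size >= limit
    visited << path
    redirect = nil
    chain_for.call(user, path).each do |name|
      redirect = FILTERS[name].call(user, path)
      break if redirect
    end
    return [visited, :rendered] unless redirect
    path = redirect
  end
end

# Walks the fixed flow end to end and returns the pages actually rendered: the terms
# page first, then (after the user accepts) whichever requirement is still outstanding.
def fixed_flow(user, start_path = DASHBOARD_PATH)
  rendered = []
  pages, status = simulate(user, start_path, method(:fixed_chain))
  raise "unexpected #{status}" unless status == :rendered
  rendered << pages.last
  if pages.last == TERMS_PATH
    user.accepted_terms = true                       # the user accepts the terms
    pages, status = simulate(user, start_path, method(:fixed_chain))
    raise "unexpected #{status}" unless status == :rendered
    rendered << pages.last
  end
  rendered
end

if __FILE__ == $PROGRAM_NAME
  needs_2fa = User.new(accepted_terms: false, two_factor_enabled: false,
                       password_expired: false, email: 'user@example.com')
  pages, status = simulate(needs_2fa, DASHBOARD_PATH, method(:buggy_chain))
  puts "before: #{status} via #{pages.join(' -> ')}"
  puts "after:  rendered #{fixed_flow(needs_2fa).join(' then ')}"
end
```

The point the model makes is that filter order alone is not enough: the terms page must not run the other requirement checks, or the 2FA filter still fires there. Deferring every other check until the terms are accepted is what guarantees "accept terms" comes first in each of the three flows listed above, and it also covers the expired-password and missing-email cases without special-casing any of them.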
