Implementation of two factor authentication is tricky
After some work with 2FA, we agreed with @rymai and @DouweM that the current two-factor authentication in SessionsController is a bit tricky, and it may be a good idea to refactor it a bit.
Currently we have most of the implementation in SessionsController, but we also have the AuthenticatesWithTwoFactor concern, that currently holds only one method.
The implementation is tricky because it is difficult to conclude how we search for the user in each of the three authentication stages, and it may also cause security issues (see https://gitlab.com/gitlab-org/gitlab-ce/issues/14900 and https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1947).
Edited by 🤖 GitLab Bot 🤖