Users Without 2FA cannot reactivate themselves


Original Issue

We run a self-hosted GitLab Ultimate server (17.3.1), and have enabled the flag to automatically deactivate users after 90 days. We also mandate 2FA, but give a grace period to users.

If a user has "started" their 2FA grace period and it expires (thus requiring 2FA to be set up on next login), and they then wait around so long that their account deactivates, they get into a stuck loop. Trying to log in gives them the error message "Your account has been deactivated by your administrator. Please log back in to reactivate your account.".

Of course, logging in was the action they took to get the error message, so this is unhelpful.

My best guess is that the user is redirected to the 2FA setup page before the deactivation flag clears; then that page detects the deactivated status and redirects back to the login page. Just guessing, though, not seen in code.

Summary

Users on a self-hosted GitLab Ultimate server (v17.3.1) with a 2FA grace period and automatic deactivation after a set number of inactive days are unable to log in if they skip setting up 2FA and their account is subsequently deactivated.

Upon trying to log in after deactivation, they encounter a loop where they are redirected back to the login page with an error message:

"Your account has been deactivated by your administrator. Please log back in to reactivate your account."

Steps to Reproduce

  1. Configure GitLab to automatically deactivate accounts after 90 days of inactivity
  2. Enforce 2FA with a grace period, e.g., 30 days
  3. Allow a user to log in, but do not set up 2FA within the grace period
  4. The user does not log in again until after the 90-day deactivation period
  5. The user attempts to log in after their account has been deactivated

What is the Current Bug Behaviour?

  • When the user attempts to log in, they encounter the message: "Your account has been deactivated by your administrator. Please log back in to reactivate your account."
  • The account does not reactivate, and the user cannot proceed to the 2FA setup page as expected.
  • This results in a loop where the user is redirected back to the login page, preventing access to their account or the ability to set up 2FA.

What is the Expected Correct Behaviour?

  • Upon login, the user’s account should reactivate, allowing access to the 2FA setup page as documented in GitLab's enforcement of 2FA for all users.
  • The user should be restricted to the 2FA setup page until they complete the setup, without encountering the deactivation message or being redirected back to the login page.
Edited by 🤖 GitLab Bot 🤖
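Until the login flow is fixed, the only way out for an affected user is an administrator reactivating the account. The script below is an added example (not part of the issue and not GitLab's own code) for the admin side: it lists users who are both deactivated and not enrolled in 2FA, which is exactly the combination the report describes as unrecoverable by the user, and can reactivate them on request. It assumes the admin Users API as documented for GitLab 17.x, specifically `GET /api/v4/users` with the `two_factor=disabled` filter and the admin-only `state` and `two_factor_enabled` fields in its response, and `POST /api/v4/users/:id/activate`; verify both against the API docs for your instance version. The environment variable names, the `--reactivate` flag and the sample user records are this script's own.

```python
"""List self-hosted GitLab accounts stuck in the 'deactivated but no 2FA'
state, and optionally reactivate them as an administrator.

Added example, not GitLab's own code. Assumes the admin Users API of GitLab
17.x: GET /api/v4/users (filter two_factor=disabled; admin-only fields
`state` and `two_factor_enabled`) and POST /api/v4/users/:id/activate.
Check both against the API docs of your instance version.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample of what GET /api/v4/users?two_factor=disabled returns to
# an administrator, trimmed to the fields this script uses.
SAMPLE_USERS = [
    {"id": 7,  "username": "alice", "state": "active",      "two_factor_enabled": False},
    {"id": 12, "username": "bob",   "state": "deactivated", "two_factor_enabled": False},
    {"id": 15, "username": "carol", "state": "deactivated", "two_factor_enabled": True},
    {"id": 21, "username": "dave",  "state": "blocked",     "two_factor_enabled": False},
    {"id": 30, "username": "erin",  "state": "deactivated", "two_factor_enabled": False},
]


def stuck_accounts(users):
    """Return users who are deactivated *and* have not enrolled 2FA.

    These are the accounts the report describes: with mandatory 2FA, logging
    in does not reactivate them, so an administrator has to. Deactivated
    users who did enrol 2FA can self-reactivate by logging in, and blocked
    users are an explicit admin decision, so both are left alone. A record
    without the `two_factor_enabled` field is treated as enrolled, i.e. the
    script errs on the side of not reactivating.
    """
    return [
        u for u in users
        if u.get("state") == "deactivated" and not u.get("two_factor_enabled", True)
    ]


def _api(base_url, token, method, path, query=None):
    """Minimal authenticated call against the instance's REST API (v4)."""
    url = base_url.rstrip("/") + "/api/v4" + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, method=method, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
        # resp.headers is case-insensitive, so X-Next-Page lookups work either way.
        return (json.loads(body) if body else None), resp.headers


def list_users_without_2fa(base_url, token):
    """Page through /users?two_factor=disabled (requires an admin token)."""
    users, page = [], "1"
    while page:
        batch, headers = _api(base_url, token, "GET", "/users",
                              {"two_factor": "disabled", "per_page": 100, "page": page})
        users.extend(batch)
        page = headers.get("X-Next-Page")  # empty on the last page
    return users


def reactivate(base_url, token, user_id):
    """POST /users/:id/activate. The user still has to enrol 2FA at next
    login; confirm out of band that the request came from the account owner
    before reactivating an account that never completed 2FA."""
    body, _ = _api(base_url, token, "POST", f"/users/{user_id}/activate")
    return body


if __name__ == "__main__":
    base = os.environ.get("GITLAB_URL")          # e.g. https://gitlab.example.com
    token = os.environ.get("GITLAB_ADMIN_TOKEN")  # personal access token of an admin
    if not base or not token:
        # Offline demo on the constructed sample above.
        users = SAMPLE_USERS
    else:
        users = list_users_without_2fa(base, token)
    stuck = stuck_accounts(users)
    for u in stuck:
        print(f"stuck: id={u['id']} username={u['username']}")
    if "--reactivate" in sys.argv and base and token:
        for u in stuck:
            reactivate(base, token, u["id"])
            print(f"reactivated {u['username']}")
```

Run without environment variables to see the offline demo; with `GITLAB_URL` and `GITLAB_ADMIN_TOKEN` set it reports real stuck accounts, and `--reactivate` additionally reactivates them. Reactivation is deliberately opt-in: an account that skipped 2FA enrolment and then went idle for 90 days is exactly the kind an attacker with a leaked password would like an admin to quietly bring back, so treat each reactivation as a help-desk identity check, not a batch job.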