Block ROPC when email OTP FF enabled and user's `email_otp_required_after` attribute is in the past (!211352) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

⚠️ This MR needs Block git over http, container registry when em... (!210998 - merged) merged first.

This MR takes the great work @nmalcolm started and pulls out just the blocking logic that applies to blocking ROPC when using username and password when the :email_based_mfa feature flag is set and the user's email_otp_required_after attribute is in the past.

References

https://gitlab.com/gitlab-org/gitlab/-/issues/567877+

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Nov 04, 2025 by Ash McKenzie

Block ROPC when email OTP FF enabled and user's email_otp_required_after attribute is in the past

What does this MR do and why?

References

MR acceptance checklist

Merge request reports

Block ROPC when email OTP FF enabled and user's `email_otp_required_after` attribute is in the past