Remove `vue_2fa_recovery_codes` feature flag

What does this MR do?

Remove the `vue_2fa_recovery_codes` feature flag that was introduced in !49078 (merged) and defaulted to on in !49493 (merged).

Local testing

  1. Navigate to `/-/profile/account`
  2. Click "Enable two-factor authentication"
  3. Open up 1Password
  4. Click + icon and then "Login"
  5. Create a new "One-Time Password" section
    • Screen_Shot_2020-12-03_at_11.33.49_AM
  6. Click the QR icon left of the dropdown that was just used
  7. Drag the QR window over the QR code
  8. Paste the OTP in the "Pin code" field and click "Register with two-factor app"

Lock yourself out of GDK by accident?

No need to panic

  1. `bin/rails console`
  2. `user = User.find(1)` (or whatever ID your user is, default admin is 1)
  3. `TwoFactor::DestroyService.new(user, user: user).execute`

Screenshots (strongly suggested)

No visual changes, screenshot below for context

(not real recovery codes)

| Old view (before `vue_2fa_recovery_codes` was introduced) | New view |
| --- | --- |
| Screen_Shot_2020-12-03_at_11.50.21_AM | Screen_Shot_2020-12-03_at_11.45.22_AM |

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #290113 (closed)

Edited by Peter Hegman