
Fix 2FA setup for users with no password

What does this MR do and why?

This MR fixes a severity1 priority1 ~bug #342152 (closed) where users who authenticated with an external provider were prompted to provide a password to make changes to two-factor authentication.

The ~bug was introduced by https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1713

Screenshots or screen recordings

When current_user.password_automatically_set == false

[Screenshot: Screenshot_2021-10-05_at_18.00.27]

When current_user.password_automatically_set == true

[Screenshot: Screenshot_2021-10-05_at_18.02.58]

How to set up and validate locally

  1. As a logged-in user, go to /-/profile/two_factor_auth
  2. Verify that the current password field is present
  3. Verify that you need to enter a password to both enable and disable 2FA
  4. Open a Rails console
  5. Find your user: user = User.find(1)
  6. Update password_automatically_set: user.update(password_automatically_set: true)
  7. Reload the /-/profile/two_factor_auth page
  8. Verify that the current password field is not present
  9. Verify that you do not need to enter a password to both enable and disable 2FA
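The validation steps above exercise one decision: the current-password check on the 2FA page must apply only to users who actually have a password, and must be skipped for accounts whose password was set automatically (external-provider sign-ins). The Ruby below is an added illustration of that gate, not code from this MR or from GitLab; the `User` struct, `build_user`, `hash_password`, `password_required_for_2fa?` and `authorize_two_factor_change` are hypothetical names, and the PBKDF2 hasher stands in for whatever the application really uses.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for a user record; GitLab's real User model is not used here.
# password_automatically_set is true for accounts created through an external
# provider, which never chose a password of their own.
User = Struct.new(:username, :password_automatically_set, :password_salt, :password_hash,
                  keyword_init: true)

# Hypothetical password hasher: PBKDF2-HMAC-SHA256 over a per-user salt.
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 20_000, length: 32, hash: 'sha256')
end

# Build a user either with a chosen password, or as an external-provider account with none.
def build_user(username, password: nil)
  if password.nil?
    return User.new(username: username, password_automatically_set: true,
                    password_salt: nil, password_hash: nil)
  end

  salt = SecureRandom.random_bytes(16)
  User.new(username: username, password_automatically_set: false,
           password_salt: salt, password_hash: hash_password(password, salt))
end

# Constant-time byte comparison so a wrong guess cannot be told apart by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The decision this MR corrects: the current-password field and check apply only to
# users who have a password. Requiring it unconditionally (the pre-fix behaviour)
# blocks external-provider users from enabling or disabling 2FA at all.
def password_required_for_2fa?(user)
  !user.password_automatically_set
end

# Server-side gate for an enable/disable 2FA request.
# Returns :ok, :password_required or :invalid_password.
def authorize_two_factor_change(user, current_password)
  return :ok unless password_required_for_2fa?(user)
  return :password_required if current_password.nil? || current_password.empty?

  candidate = hash_password(current_password, user.password_salt)
  secure_compare(candidate, user.password_hash) ? :ok : :invalid_password
end

if __FILE__ == $PROGRAM_NAME
  alice = build_user('alice', password: 'correct horse battery staple')
  bob   = build_user('bob') # signed up through an external provider
  puts "alice needs password? #{password_required_for_2fa?(alice)}"
  puts "bob needs password?   #{password_required_for_2fa?(bob)}"
  puts "bob, no password:     #{authorize_two_factor_change(bob, nil)}"
  puts "alice, no password:   #{authorize_two_factor_change(alice, nil)}"
  puts "alice, wrong:         #{authorize_two_factor_change(alice, 'hunter2')}"
  puts "alice, correct:       #{authorize_two_factor_change(alice, 'correct horse battery staple')}"
end
```

The same predicate drives both the view (whether to render the field) and the controller (whether to verify the submitted value); keeping them on one method is what prevents the field from disappearing while the server still demands it, which is the failure mode this MR removes.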

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #342152 (closed)

Edited by Luke Duncalfe
