2FA doesn't seem to be mandatory even with "Require all users in this group to setup Two-factor authentication" enabled
Summary
When the "Require all users in this group to setup Two-factor authentication" option is enabled for a group and a grace period is used, if that grace period is later reduced or set to 0, users that skipped enabling two-factor authentication earlier will not be required to do so until the original grace period expires.
Steps to reproduce
- Create a new group
- Enable the "Require all users in this group to setup Two-factor authentication" option from the group's general settings
- Set the grace period to a non-zero value
- Add a user to the group that does not have 2FA enabled.
- Observe the user is requested to enable 2FA, but is given a grace period.
- Skip configuring 2FA.
- Go back and change the grace period to 0.
- Observe that the user is not forced (nor requested) to enable 2FA, unless the user signs out and back in, or until the original period expires.
Possible solution
The problem lies in the EnforcesTwoFactorAuthentication class. #check_two_factor_requirement is called, which checks whether to skip 2FA. However, neither the conditional in #check_two_factor_requirement nor the #skip_two_factor? method calls #two_factor_skippable?.
A solution for this would be to change the #skip_two_factor? method as follows, so that a stored skip timestamp is only honoured while the group still permits a grace period:
# Only honour the session's skip timestamp while a grace period is still allowed
def skip_two_factor?
  two_factor_skippable? && session[:skip_two_factor] && session[:skip_two_factor] > Time.current
end
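To make the failure mode concrete, here is an added, self-contained Ruby model of the grace-period logic described above. It is not GitLab's code: the group settings, the enforcer class, the session hash and the method names other than #skip_two_factor? and #two_factor_skippable? are constructed stand-ins. It walks through the reproduction steps (user skips 2FA during a 48-hour grace period, admin then sets the period to 0) and compares the behaviour described in the issue with the proposed fix:

```ruby
# Added example, not GitLab's code: a minimal model of the grace-period logic
# from the issue, showing the skip check before and after the proposed fix.

# Constructed stand-in for a group's 2FA settings (field names are hypothetical).
Group = Struct.new(:require_two_factor_authentication, :two_factor_grace_period_hours)

# Constructed stand-in for the controller concern plus the session it reads.
class TwoFactorEnforcer
  attr_reader :session

  def initialize(group:, user_has_2fa:, session: {})
    @group = group
    @user_has_2fa = user_has_2fa
    @session = session
  end

  # The group requires 2FA and this user has not set it up yet.
  def two_factor_authentication_required?
    @group.require_two_factor_authentication && !@user_has_2fa
  end

  # Skipping is only allowed while the group's configured grace period is > 0.
  def two_factor_skippable?
    two_factor_authentication_required? && @group.two_factor_grace_period_hours.to_i > 0
  end

  # User clicks "skip": the end of the grace period is recorded in the session.
  def skip!(now: Time.now)
    return false unless two_factor_skippable?
    session[:skip_two_factor] = now + @group.two_factor_grace_period_hours * 3600
    true
  end

  # Behaviour described in the issue: the stored timestamp is trusted on its own,
  # regardless of whether the group still permits a grace period.
  def skip_two_factor_buggy?(now: Time.now)
    !!(session[:skip_two_factor] && session[:skip_two_factor] > now)
  end

  # Proposed fix from the issue: additionally require two_factor_skippable?.
  def skip_two_factor_fixed?(now: Time.now)
    two_factor_skippable? && !!session[:skip_two_factor] && session[:skip_two_factor] > now
  end

  # What check_two_factor_requirement would decide: true means "redirect to 2FA setup".
  def must_setup_two_factor?(now: Time.now, fixed: true)
    return false unless two_factor_authentication_required?
    skipped = fixed ? skip_two_factor_fixed?(now: now) : skip_two_factor_buggy?(now: now)
    !skipped
  end
end

# Reproduction: 48h grace period, user skips, admin later sets the period to 0
# while the user's session (and its skip timestamp) persists.
def reproduce
  t0 = Time.at(1_700_000_000)           # constructed fixed point in time
  group = Group.new(true, 48)
  enforcer = TwoFactorEnforcer.new(group: group, user_has_2fa: false)
  enforcer.skip!(now: t0)
  one_hour_later = t0 + 3600            # well inside the original 48h window

  before = [false, true].map { |fixed| enforcer.must_setup_two_factor?(now: one_hour_later, fixed: fixed) }
  group.two_factor_grace_period_hours = 0
  after = [false, true].map { |fixed| enforcer.must_setup_two_factor?(now: one_hour_later, fixed: fixed) }

  {
    before_change_buggy: before[0], before_change_fixed: before[1],
    after_change_buggy: after[0], after_change_fixed: after[1]
  }
end

p reproduce if __FILE__ == $PROGRAM_NAME
```

While the grace period is still configured, both variants let the user skip (no setup required), so the fix does not break the intended grace flow. Once the period is set to 0, the original check keeps honouring the session's timestamp until it expires, whereas the fixed check re-evaluates #two_factor_skippable? on every request and immediately requires setup, which is the behaviour an administrator shortening the grace period expects.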
Edited by Drew Blessing