- 🇺🇸 United States cmlara
Closing this issue as it appears to only occur with the patch from #2923025: Allow user to setup TFA when they are locked out of their account, which was decided not to be implemented.
When a user who has exhausted all of their login attempts logs in and is prompted to set up TFA, the user is not logged in but is redirected to tfa/locked/UID/HASH, where the situation is explained. A "Set up application" link is provided there. Clicking this link takes the user to a password form, to authenticate prior to setting up TFA. On providing a password and clicking "Confirm", the user is given a 404, regardless of whether or not the password is correct.
Fix the issue by correcting form validation logic, making sure to check the password before giving a 404 error.
To be more specific, the validation for the form in tfa/src/Form/BasicSetup.php (BasicSetup->validateForm) checks whether the account UID matches the current user's UID. This logic cannot work, because the current user has not been logged in yet. We cannot allow the user to be logged in, since we have to force TFA setup (there are 0 login attempts left). Because the user is not logged in, the current user's UID is 0 (anonymous), so the check fails for everyone. This effectively prevents non-admin users from ever setting up TFA once they have 0 login attempts left.
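The following is an added, hypothetical sketch (not the tfa module's code) of the validation logic this issue describes: the UID comparison against the current user, and the password-based check the proposed resolution asks for. Function names, the `current_pass` form value and the use of Drupal's `password` service are assumptions; the issue itself was closed without implementing either.

```php
<?php
// Added illustration, not code from the tfa module.
// Shows why comparing the route UID against the current user fails when
// TFA setup is forced before login (the visitor is still anonymous, UID 0),
// and how a password check against the loaded account avoids that.

use Drupal\Core\Form\FormStateInterface;
use Drupal\user\Entity\User;

/**
 * Flawed check described in the issue: the current user is anonymous
 * (UID 0) at this point, so the comparison never matches for a locked-out
 * non-admin user and the request falls through to a 404.
 */
function uid_match_validate(FormStateInterface $form_state, int $uid): bool {
  return (int) \Drupal::currentUser()->id() === $uid;
}

/**
 * Check in the spirit of the proposed resolution (hypothetical): load the
 * account named in the route and verify the submitted password against its
 * stored hash before deciding anything, so an anonymous session can still
 * prove ownership of the account without being logged in.
 */
function password_validate(FormStateInterface $form_state, int $uid): bool {
  $account = User::load($uid);
  if ($account === NULL || $account->isBlocked()) {
    return FALSE;
  }
  // 'current_pass' is an assumed form field name.
  $password = (string) $form_state->getValue('current_pass');
  return \Drupal::service('password')->check($password, $account->getPassword());
}
```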
Provide patch, test, merge.
Status: Closed (works as designed)
Version: 2.0
Component: Code