Self-service password reset not working when tfa is enabled

Created on 4 March 2019, over 5 years ago
Updated 28 October 2023, 8 months ago

The issue presents with tfa and tfa_duo enabled. We are using DUO as the 2-factor login service.

Having tfa and tfa_duo enabled prevents self-service password reset.

To reproduce:

  • Request a new password link via the "Request new password" tab on the /user page
  • You'll receive a link through email
  • You'll go through Duo authentication and then be routed straight to the /user page

At no time will you see the password reset screen.

🐛 Bug report

Status: Postponed: needs info
Version: 2.0
Component: Code
Created by: 🇺🇸United States anthonyf


Comments & Activities

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇮🇳India virajrajankar Pune

    I was facing this same issue for the reset password workflow, and have implemented this solution to bypass the TFA for the reset password screen.

    Note: If you are implementing this, then a Drupal user can bypass the TFA auth by using the reset password feature.

  • Test run: Core: 7.x + Environment: PHP 8.1 & MySQL 8 (last update 9 months ago): 12 pass
  • Test run: Core: 7.x + Environment: PHP 8.1 & MySQL 8 (last update 9 months ago): 12 pass
  • Test run: Core: 7.x + Environment: PHP 8.2 & MySQL 8 (last update 9 months ago): 11 pass, 1 fail
  • Test run: Core: 7.x + Environment: PHP 5.3 & MySQL 5.5 (last update 9 months ago): 3 pass, 10 fail
  • 🇺🇸United States cmlara

    Until a 7.x branch maintainer reviews this issue I would advise against using patch #10.

    I'm not a D7 branch maintainer however I'm 'hiding' Patch #10 based on the following initial analysis:

    • Bypassing TFA for Password Reset is a security vulnerability, see SA-CONTRIB-2023-030.
    • The patch checks for a user-supplied header that can easily be spoofed by an attacker. On initial glance this appears to allow an attacker to bypass TFA at will.
  • 🇺🇸United States cmlara: Status changed to Postponed: needs info, 8 months ago
  • 🇸🇰Slovakia poker10

    Thanks all for working on this.

    Re #7: I have tested this with only TFA + TFA Basic enabled, with an account configured with TOTP, and after I clicked the one-time login link and tried to log in, I was redirected to the TFA code form. When the code was entered successfully, I was redirected correctly to the user edit form, where I was able to change the password. So maybe I am missing something, but it seems like this is a problem only in combination with another TFA contrib module?

    Also, this basic scenario seems to work on drupal.org as well: if you have TFA enabled and you request a password reset link, you need to enter the TFA code and then you are able to reset the password without any problems.

    Can you please provide more information about how to simulate this issue without TFA Duo? And if it is present only with TFA Duo, what are the reasons to consider this a bug in TFA instead of TFA Duo?

    Re #10: The patch is wrong and we are not going to commit such a patch, which bypasses the TFA form while resetting the password. You need to enter the TFA code, otherwise the TFA module will be useless.

    Thanks!
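The flow poker10 describes (one-time login link, then the TFA code form, then the user edit form) and the header-based bypass cmlara flags in patch #10, modelled side by side as a small Python state machine. This is an added illustration, not TFA or Drupal code: the class names, the `X-Password-Reset` header name, the token lifetime, the TOTP secret and the timestamps are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL = 24 * 3600  # assumed lifetime of the one-time login link, in seconds


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; stands in for the TFA Basic code form."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    uid: int
    password_hash: str
    tfa_enabled: bool
    totp_secret: Optional[str] = None


@dataclass
class Session:
    uid: int
    tfa_verified: bool = False   # written only by verify_tfa()
    reset_allowed: bool = False  # written only by server-side logic, never from a request


class ResetFlow:
    def __init__(self, accounts):
        self.accounts: Dict[int, Account] = {a.uid: a for a in accounts}
        self.tokens: Dict[str, Tuple[int, float]] = {}  # token -> (uid, issued_at)

    def request_reset(self, uid: int, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (uid, now)
        return token

    def consume_link(self, token: str, now: float, headers=None):
        """Step 1: the one-time login link. Returns (session, next_page).
        Request headers are accepted only to show that they play no role."""
        entry = self.tokens.pop(token, None)  # single use: a replayed link fails
        if entry is None:
            return None, "error"
        uid, issued = entry
        if now - issued > TOKEN_TTL:
            return None, "error"
        session = Session(uid=uid)
        if self.accounts[uid].tfa_enabled:
            return session, "tfa_form"  # nothing client-controlled can skip this
        session.tfa_verified = True
        session.reset_allowed = True
        return session, "user_edit"

    def consume_link_with_header_bypass(self, token: str, now: float, headers=None):
        """The flawed shape cmlara describes: a client-supplied header (name assumed)
        short-circuits the TFA form. Any client can send it, so TFA is void."""
        session, page = self.consume_link(token, now)
        if session is not None and page == "tfa_form" \
                and (headers or {}).get("X-Password-Reset") == "1":
            session.reset_allowed = True  # BUG: trust placed in attacker-controlled input
            return session, "user_edit"
        return session, page

    def verify_tfa(self, session: Session, code: str, now: float) -> str:
        """Step 2: the TFA code form. Only a valid code unlocks the reset."""
        acct = self.accounts[session.uid]
        if acct.totp_secret and hmac.compare_digest(code, totp(acct.totp_secret, now)):
            session.tfa_verified = True
            session.reset_allowed = True
            return "user_edit"
        return "tfa_form"

    def change_password(self, session: Optional[Session], new_hash: str) -> bool:
        """Step 3: the user edit form. Refused unless the server-side flag is set."""
        if session is None or not session.reset_allowed:
            return False
        self.accounts[session.uid].password_hash = new_hash
        return True


def demo() -> dict:
    """Runs the constructed scenario and returns the outcome of every step."""
    now = 1_700_000_000.0  # constructed timestamp
    secret = "JBSWY3DPEHPK3PXP"  # constructed base32 TOTP secret
    flow = ResetFlow([Account(1, "old", True, secret), Account(2, "old", False)])
    spoofed = {"X-Password-Reset": "1"}
    out = {}
    # Hardened flow for a TFA account: link -> TFA form -> edit form, header ignored.
    token = flow.request_reset(1, now)
    s, out["page_after_link"] = flow.consume_link(token, now, spoofed)
    out["change_before_tfa"] = flow.change_password(s, "new")
    out["page_after_bad_code"] = flow.verify_tfa(s, "bad", now)
    out["page_after_good_code"] = flow.verify_tfa(s, totp(secret, now), now)
    out["change_after_tfa"] = flow.change_password(s, "new")
    out["replayed_link"] = flow.consume_link(token, now)[1]
    # Flawed flow: the same spoofed header skips the TFA form entirely.
    s2, out["page_bypass"] = flow.consume_link_with_header_bypass(
        flow.request_reset(1, now), now, spoofed)
    out["change_bypass"] = flow.change_password(s2, "attacker-chosen")
    # Account without TFA goes straight to the edit form.
    s3, out["page_no_tfa"] = flow.consume_link(flow.request_reset(2, now), now)
    out["change_no_tfa"] = flow.change_password(s3, "new")
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The decisive state (`reset_allowed`) lives only in the server-side session and is written only after the one-time link has been consumed and, for a TFA account, after `verify_tfa()` has accepted a code; no request header, cookie value or query parameter feeds into that decision. In the flawed variant the same attacker-controlled header flips the flag, which is exactly why a spoofable header check is equivalent to having no TFA on the reset path.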
