If I log in one time, I am presented with the TFA dialog. If I do not enter anything but try to log in a second time, I am again presented with the dialog, but I am logged in as well. TFA is bypassed the second time logging in.
This issue seems to occur as a combination of:
core 7.69
tfa 7.x-2.0
tfa_basic 7.x-1.1
tfa_basic_self_setup 7.x-1.x-dev
0. As a user with TFA configured on my account
1. Log in one time, do not enter anything in the TFA dialog
2. Go back to the main page and attempt to log in again
Expected results: get the TFA dialog again
Actual results: I am logged in
1. Enable 2fa and tfa_basic_self_setup modules
2. As a user with 2FA enabled, attempt to log in but do the following:
   a. Leave the 2FA code field blank, click "Can't access your account?"
   b. Hit the browser back button twice
1.0
Code