- Issue created by @cmlara
If a user is logged in as a role that does not require TFA and an administrator changes the role to require TFA, each page visit triggers a "You are required to setup two-factor authentication. You have $count attempts left. After this you will be unable to login." message, with each page visit decreasing the count.
Log in as a user with permission to configure TFA (such as a user with the Administrator role).
Visit admin/config/people/tfa and change a role the user has to require TFA.
Save and observe the warning (displayed as an error) noted above.
Reload and notice count decreases.
Without any debugging to confirm the root cause, I suspect that inside TfaUserSetSubscriber::class, when TfaLoginContext->canLoginWithoutTfa() is called, we are failing to set the session as validated as documented in https://project.pages.drupalcode.org/tfa/technical/set-user-protection/, causing each request to decrease the counter.
TBD
Active
2.0
Code