Problem/Motivation
Drupal 10.5.1
Using TFA 8.x-1.11 and the TFA Email OTP Plugin 1.0.0-Beta1
When a user is configuring TFA, the Email OTP setup page is displayed more than once.
Steps to reproduce
- TFA is set up with TOTP, Email OTP and recovery code plugins. TOTP is the default plugin.
- The user has registered, logs in for the first time and proceeds to set up TFA with just the Email OTP plugin.
- The Email OTP setup page is displayed and allows the user to tick/confirm "Receive authentication one-time code by email" and then "Save" or "Cancel".
- The expectation is that "Save" will save the configuration and the user can continue.
- The reality is that the SAME setup page is redisplayed now with a "Save" and a "Skip and Finish" button.
- Clicking either button seems to correctly set up the Email plugin and return to the TFA overview.
Note: I don't think there is anything wrong with the Email OTP plugin, so I have posted this here as it's the TFA module calling the plugin twice that's wrong.
Proposed resolution
I have stepped through the code and, although far from certain as to what the intent is, the issue seems to be in TfaSetupForm.php.
At line 217 the function "tfaFullSetupSteps" is called, but this function gets the steps for the default TFA plugin and doesn't care what actual plugin is actually being set up.
So when using the Email OTP this function returns step/s for the TOTP plugin (assuming it is the default) and this seems to confuse things and make the TFA module show the Email OTP setup page again.
My horrible, certainly wrong, hack was to comment out the call to tfaFullSetupSteps and replace with the following...
$steps = [$method];
This just returns the steps of the method passed into the calling function.
It seems to work for us but I'm sure it's wrong really.
Remaining tasks
Please can someone who knows this code review what the intent of the "tfaFullSetupSteps" is and what it should be returning. Blindly returning steps from the default method doesn't seem right at all.