Task "users:disable_2fa" does not disable security keys

pfaffman · February 28, 2023, 7:55pm

discourse/discourse/blob/main/lib/tasks/users.rake#L153-L159


      
          desc "Disable 2FA for user with the given username"
          task "users:disable_2fa", [:username] => [:environment] do |_, args|
            username = args[:username]
            user = find_user(username)
            UserSecondFactor.where(user_id: user.id, method: UserSecondFactor.methods[:totp]).each(&:destroy!)
            puts "2FA disabled for #{username}"
          end

If the user has security keys, they are not deleted, so the user still can’t log in.

Unless UserSecondFactor is broken somehow, which seems unlikely, the security keys also need to be deleted, something like this:

UserSecurityKey.where(user_id: user.id).destroy_all

sam · February 28, 2023, 11:30pm

Sure seems like a reasonable improvement to the task, can you send a PR?

pfaffman · March 1, 2023, 12:01am

If it were just just one line I’d have done it already, but I’ll really need to create a test or two, which is more daunting (and 4 the work!)

But maybe I can be a big boy.

Just one test that creates a 2fa key and then makes sure it gets cleared? And I guess there’s coffee to create a dummy key in the 2fa code somewhere?

pfaffman · March 8, 2023, 2:57pm

Well, it doesn’t seem that there are any specs for this take task, so it’s just the single line:

JammyDodger · March 18, 2023, 8:00am

This topic was automatically closed after 4 days. New replies are no longer allowed.

Topic		Replies	Views
Cannot disable 2FA for User Support	6	767	March 7, 2021
Can't disable 2fa Bug	6	689	September 2, 2020
2FA - do we have to do anything to enable it? Support 2fa	12	3883	January 20, 2024
Admin locked out of site after deleting two-factor keys from prefs Bug	26	2141	December 8, 2022
Confirmation dialog on admin 2FA disable button UX completed	3	35	November 8, 2024

Task "users:disable_2fa" does not disable security keys

Related topics