Fix #4026 - Accept backup codes for disabling 2FA (#4382)

92cb451d · Eugen Rochko · GitHub · 55bee84c · 92cb451d
Commit 92cb451d authored 7 years ago by Eugen Rochko Committed by GitHub 7 years ago
--- a/app/controllers/settings/two_factor_authentications_controller.rb
+++ b/app/controllers/settings/two_factor_authentications_controller.rb
@@ -18,7 +18,7 @@ module Settings
    end

    def destroy
-      if current_user.validate_and_consume_otp!(confirmation_params[:code])
+      if acceptable_code?
        current_user.otp_required_for_login = false
        current_user.save!
        redirect_to settings_two_factor_authentication_path
@@ -38,5 +38,10 @@ module Settings
    def verify_otp_required
      redirect_to settings_two_factor_authentication_path if current_user.otp_required_for_login?
    end
+
+    def acceptable_code?
+      current_user.validate_and_consume_otp!(confirmation_params[:code]) ||
+        current_user.invalidate_otp_backup_code!(confirmation_params[:code])
+    end
  end
 end