Deletion of a 2FA in the middle of an authentication flow is not taken into account
Affected version
Version: 2.17.1
Summary
- As user, register a 2FA
- As user, go to portal, login with your 1st factor, and choose your 2FA
- You are prompted to enter a code or complete the webauthn challenge, and you have $sfTimeout seconds to do it (can be several minutes)
- As an admin, delete the 2FA for this user
- As a user, complete the 2FA challenge successfully ❌
Possible fixes
This is caused by the fact that _2fDevices is copied into the user's session and stored in a OneTimeToken during the 2FA flow. Although the admin has removed the 2FA, it still exists in the OneTimeToken.
I think we should update the _2fDevices array when the 2FA challenge is completed to make sure the selected device still exists.
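The stale-snapshot problem described above, and the proposed re-check at completion time, as an added Python model that is not LemonLDAP::NG code: the Store class, begin_2fa/complete_2fa, the SF_TIMEOUT stand-in for $sfTimeout and the device entries are constructed assumptions; only the _2fDevices name and the OneTimeToken snapshot come from this report.

```python
import copy
import secrets
import time

SF_TIMEOUT = 300  # hypothetical stand-in for $sfTimeout (seconds to complete)


class Store:
    # Constructed in-memory stand-in for the session DB and the token store.
    def __init__(self):
        self.sessions = {}  # user -> persistent session (holds _2fDevices)
        self.tokens = {}    # token id -> snapshot taken when the 2FA starts

    def register_2fa(self, user, device):
        self.sessions.setdefault(user, {"_2fDevices": []})
        self.sessions[user]["_2fDevices"].append(device)

    def admin_delete_2fa(self, user, epoch):
        devs = self.sessions[user]["_2fDevices"]
        self.sessions[user]["_2fDevices"] = [d for d in devs if d["epoch"] != epoch]

    def begin_2fa(self, user, chosen_epoch):
        # The session, _2fDevices included, is copied into a OneTimeToken.
        token = secrets.token_hex(8)
        self.tokens[token] = {
            "user": user, "chosen": chosen_epoch,
            "expires": time.time() + SF_TIMEOUT,
            "_2fDevices": copy.deepcopy(self.sessions[user]["_2fDevices"]),
        }
        return token

    def complete_2fa(self, token, revalidate):
        """True if the selected device is accepted (OTP/webauthn check omitted)."""
        tok = self.tokens.pop(token, None)
        if tok is None or tok["expires"] < time.time():
            return False
        # Reported behaviour: lookup only in the token's snapshot, so a device
        # deleted mid-flow still "exists".
        devices = tok["_2fDevices"]
        if revalidate:
            # Proposed fix: re-read _2fDevices from the persistent session now.
            devices = self.sessions[tok["user"]]["_2fDevices"]
        return any(d["epoch"] == tok["chosen"] for d in devices)


def scenario(revalidate, admin_deletes=True):
    """Register -> choose 2FA -> (admin deletes it) -> user completes."""
    s = Store()
    s.register_2fa("alice", {"type": "TOTP", "name": "phone", "epoch": 1700000000})
    token = s.begin_2fa("alice", 1700000000)
    if admin_deletes:
        s.admin_delete_2fa("alice", 1700000000)
    return s.complete_2fa(token, revalidate)
```

With revalidate=False the deleted device is still accepted from the snapshot; with revalidate=True the completion is refused once the admin has removed it.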