Rest API shows backup codes enabled when TOTP disabled #158

Closed
iandunn opened this issue May 11, 2023 · 0 comments · Fixed by #164
iandunn commented May 11, 2023

Backup codes should be disabled when TOTP is disabled, per #75. The `2fa_available_providers` field will include Backup Codes even when it should be disabled, though.

  1. Enable TOTP and backup codes
  2. Disable TOTP

That problem is made a bit more obvious by #157 and #161 (comment). When TOTP/WebAuthn is disabled, our custom UI should show the "Please enable Two-Factor Authentication before enabling backup codes" message in the Backup Codes card, but it currently doesn't. The "Your account has elevated privileges..." message should also be shown when TOTP/WebAuthn are disabled, but it isn't.

The potential problem was touched on briefly in #75 (comment), but I don't think we had a tangible problem until now. IIRC, switching to `two_factor_enabled_providers_for_user` should solve this issue while preserving the intent of #75.
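The rule described in this issue (backup codes count as enabled only while a primary factor is enabled), written as a callback for the `two_factor_enabled_providers_for_user` filter. This is an added example, not the code from #164 or from the plugin; the function name is hypothetical and the provider class names are assumptions.

```php
<?php
// Added example, not the plugin's own code.
// Assumption: providers are identified by these class-name strings.
const EXAMPLE_PRIMARY_PROVIDERS = array( 'Two_Factor_Totp', 'TwoFactor_Provider_WebAuthn' );
const EXAMPLE_BACKUP_PROVIDER   = 'Two_Factor_Backup_Codes';

/**
 * Remove backup codes from a user's enabled providers unless at least one
 * primary provider (TOTP or WebAuthn) is also enabled.
 *
 * @param array $enabled Provider identifiers stored as enabled for the user.
 * @param int   $user_id Passed by the filter; unused here.
 * @return array Providers that should be reported as enabled.
 */
function example_require_primary_for_backup_codes( $enabled, $user_id = 0 ) {
	$enabled = array_values( (array) $enabled );

	// A primary factor is present: the stored list is consistent, keep it.
	if ( array_intersect( EXAMPLE_PRIMARY_PROVIDERS, $enabled ) ) {
		return $enabled;
	}

	// No primary factor: backup codes must not be reported as enabled,
	// even though the stored setting from before TOTP was disabled remains.
	return array_values( array_diff( $enabled, array( EXAMPLE_BACKUP_PROVIDER ) ) );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: apply the rule wherever enabled providers are read.
	add_filter( 'two_factor_enabled_providers_for_user', 'example_require_primary_for_backup_codes', 10, 2 );
} else {
	// Stand-alone run over constructed account states (not real data).
	$states = array(
		'totp + backup codes'   => array( 'Two_Factor_Totp', 'Two_Factor_Backup_Codes' ),
		'after disabling TOTP'  => array( 'Two_Factor_Backup_Codes' ),
		'webauthn + backup'     => array( 'TwoFactor_Provider_WebAuthn', 'Two_Factor_Backup_Codes' ),
		'nothing enabled'       => array(),
	);
	foreach ( $states as $label => $stored ) {
		$reported = example_require_primary_for_backup_codes( $stored );
		echo str_pad( $label, 22 ), json_encode( $reported ), PHP_EOL;
	}
}
```

The second constructed state is the one from the reproduction steps: the stored setting still lists backup codes, and the callback reports an empty list.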
