
[6.x] Require 2FA/passkey verification after password reset #14449

Closed
jasonvarga wants to merge 3 commits into 6.x from reset-password-2fa

Conversation

@jasonvarga
Member

Summary

  • Prevent auto-login after password reset when the user has 2FA enabled. Instead, redirect to the 2FA challenge page so the user must complete the second factor before gaining access.
  • Prevent auto-login after password reset when allow_password_login_with_passkey is false and the user has passkeys. Instead, redirect to the login page.
  • Both checks apply to CP and front-end password reset flows.
  • Add ResetPasswordTest covering all scenarios with a data provider for CP/web.

Test plan

  • Existing auth tests pass
  • New ResetPasswordTest covers:
    • Password reset logs in user (baseline)
    • Password reset redirects to 2FA challenge when user has 2FA enabled
    • Password reset skips 2FA challenge when 2FA is globally disabled
    • Password reset does not auto-login when passkey login is enforced
    • Password reset still auto-logs in when passkey login is allowed
    • All scenarios tested for both CP and web endpoints
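As an added illustration of the change described above (not code from this PR or from Statamic), a Laravel-style post-reset handler in its unconditional form beside the gated form. The `hasTwoFactorEnabled()` and `hasPasskeys()` methods, the config key locations, the pending-user session key and the route names are assumptions; only the `allow_password_login_with_passkey` setting itself comes from the PR.

```php
<?php
// Added example, not code from this PR or from Statamic. Hypothetical names:
// hasTwoFactorEnabled(), hasPasskeys(), the config key paths, the session key
// and the route names. Route names are parameters so the same logic serves
// both the CP and the front-end reset flows, as the PR requires.

use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;

// Before: every successful reset ends in a session. A reset link alone
// (one factor: control of the mailbox) is enough to bypass the second factor.
function afterResetVulnerable($user, string $homeRoute): RedirectResponse
{
    Auth::login($user);

    return redirect()->route($homeRoute);
}

// After: the reset only proves the email channel. Decide what still has to be
// verified before a session is issued.
function afterResetFixed($user, string $challengeRoute, string $loginRoute, string $homeRoute): RedirectResponse
{
    // 1. 2FA enrolled and enabled globally: do not log in yet. Remember who is
    //    mid-challenge and send them to the challenge page.
    if (config('statamic.users.two_factor.enabled', true) && $user->hasTwoFactorEnabled()) { // assumed
        session()->put('two_factor.pending_user_id', $user->getKey()); // assumed key

        return redirect()->route($challengeRoute);
    }

    // 2. Passkey-enforced users: a password reset must not turn into the
    //    password login that the normal login form would refuse.
    if (! config('statamic.users.allow_password_login_with_passkey', true) && $user->hasPasskeys()) { // path assumed
        return redirect()->route($loginRoute)
            ->with('status', 'Password updated. Sign in with your passkey.');
    }

    // 3. Nothing further to verify: baseline behaviour, log in and continue.
    Auth::login($user);

    return redirect()->route($homeRoute);
}
```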

jasonvarga and others added 3 commits April 7, 2026 10:35

Previously, the password reset flow would auto-login the user without
requiring a 2FA code, allowing the second factor to be bypassed entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

When allow_password_login_with_passkey is false and the user has
passkeys, the password reset flow should not auto-login the user,
matching the enforcement applied during normal login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jasonvarga
Member Author

Opted for a simpler solution in #14454

@jasonvarga jasonvarga deleted the reset-password-2fa branch April 7, 2026 19:41