Merge remote-tracking branch 'dev/master'

CHANGELOG.md

@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 10.5.3 (2018-03-01)
+
+### Security (1 change)
+
+- Ensure that OTP backup codes are always invalidated.
+
+
 ## 10.5.2 (2018-02-25)
 
 ### Fixed (7 changes)
@@ -219,6 +226,13 @@ entry.
 - Adds empty state illustration for pending job.
 
 
+## 10.4.5 (2018-03-01)
+
+### Security (1 change)
+
+- Ensure that OTP backup codes are always invalidated.
+
+
 ## 10.4.4 (2018-02-16)
 
 ### Security (1 change)
@@ -443,6 +457,13 @@ entry.
 - Use a background migration for issues.closed_at.
 
 
+## 10.3.8 (2018-03-01)
+
+### Security (1 change)
+
+- Ensure that OTP backup codes are always invalidated.
+
+
 ## 10.3.7 (2018-02-05)
 
 ### Security (4 changes)

GITLAB_PAGES_VERSION

-0.6.0
+0.6.1

app/controllers/concerns/authenticates_with_two_factor.rb

@@ -56,6 +56,7 @@ module AuthenticatesWithTwoFactor
       session.delete(:otp_user_id)
 
       remember_me(user) if user_params[:remember_me] == '1'
+      user.save!
       sign_in(user)
     else
       user.increment_failed_attempts!

changelogs/unreleased/sh-fix-otp-backup-code-invalidation.yml

+---
+title: Ensure that OTP backup codes are always invalidated
+merge_request:
+author:
+type: security

spec/features/users/login_spec.rb

@@ -145,6 +145,18 @@ feature 'Login' do
             expect { enter_code(codes.sample) }
               .to change { user.reload.otp_backup_codes.size }.by(-1)
           end
+
+          it 'invalidates backup codes twice in a row' do
+            random_code = codes.delete(codes.sample)
+            expect { enter_code(random_code) }
+              .to change { user.reload.otp_backup_codes.size }.by(-1)
+
+            gitlab_sign_out
+            gitlab_sign_in(user)
+
+            expect { enter_code(codes.sample) }
+              .to change { user.reload.otp_backup_codes.size }.by(-1)
+          end
         end
 
         context 'with invalid code' do