Add 2FA code regeneration

Add changelog entry

Fix wording

Add cr remarks

app/controllers/profiles/two_factor_auths_controller.rb

@@ -4,7 +4,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   skip_before_action :check_two_factor_requirement
 
   def show
-    unless current_user.otp_secret
+    unless current_user.two_factor_enabled?
       current_user.otp_secret = User.generate_otp_secret(32)
     end
 

changelogs/unreleased/security-212-regenerate-2fa-app-code.yml

+---
+title: Create new 2FA code each time user is entering 2FA setup page
+merge_request:
+author:
+type: security

spec/controllers/profiles/two_factor_auths_controller_spec.rb

@@ -14,10 +14,9 @@ RSpec.describe Profiles::TwoFactorAuthsController do
     let(:user) { create(:user) }
 
     it 'generates otp_secret for user' do
-      expect(User).to receive(:generate_otp_secret).with(32).and_return('secret').once
+      expect(User).to receive(:generate_otp_secret).with(32).and_call_original.once
 
       get :show
-      get :show # Second hit shouldn't re-generate it
     end
 
     it 'assigns qr_code' do
@@ -27,6 +26,14 @@ RSpec.describe Profiles::TwoFactorAuthsController do
       get :show
       expect(assigns[:qr_code]).to eq code
     end
+
+    it 'generates a unique otp_secret every time the page is loaded' do
+      expect(User).to receive(:generate_otp_secret).with(32).and_call_original.twice
+
+      2.times do
+        get :show
+      end
+    end
   end
 
   describe 'POST create' do