    Fix 2FA authentication spoofing vulnerability · 00da609c
    Grzegorz Bizon authored
    This commit attempts to change default user search scope if otp_user_id
    session variable has been set. If it is present, it means that user has
    2FA enabled, and has already been verified with login and password. In
    this case we should look for user with otp_user_id first, before picking
    it up by login.
sessions_controller.rb 4.06 KB
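
The lookup order the commit message describes, as an added Ruby sketch that is not the project's sessions_controller.rb: once otp_user_id is in the session, the account for the OTP step comes from the session and the request's login parameter is ignored. The User struct, USERS, OTP_CODES, both method names, the otp_attempt parameter name, and the choices to not fall back to login when otp_user_id matches no user and to clear otp_user_id on success are assumptions made for illustration.

```ruby
# Added illustration, not GitLab's code. All names and data are constructed.
User = Struct.new(:id, :login)

USERS = [User.new(1, "alice"), User.new(2, "bob")].freeze

# Constructed fixed codes standing in for a real TOTP verifier
# (a real check would use a TOTP library and constant-time comparison).
OTP_CODES = { 1 => "111111", 2 => "222222" }.freeze

# Resolve the account for the current sign-in step.
# session[:otp_user_id] is set only after login and password were verified,
# so when it is present it decides the account; params[:login] is used only
# for the first step, when no otp_user_id exists yet.
def find_user(params, session)
  if session.key?(:otp_user_id)
    # Assumption: an otp_user_id that matches nobody yields nil, with no
    # fallback to the request-supplied login.
    USERS.find { |u| u.id == session[:otp_user_id] }
  elsif params[:login]
    USERS.find { |u| u.login == params[:login] }
  end
end

# Check the submitted one-time code against the account find_user resolved.
# Returns the signed-in user, or nil when the step fails.
def authenticate_with_otp(params, session)
  user = find_user(params, session)
  return nil if user.nil? || params[:otp_attempt].nil?
  return nil unless OTP_CODES[user.id] == params[:otp_attempt]

  session.delete(:otp_user_id) # assumption: the marker is single-use
  user
end
```
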