DEV: update rake task to disable 2FA for a user (#29052)

- limits security key deletes to second factor keys - also deletes backup codes (lingering backup codes break login flow entirely) * Add spec for rake task to disable 2FA for a user
2025-05-22 16:11:08 +08:00 · 2024-10-15 18:11:29 -04:00
parent d04fd3a8ac
commit 80ac3275ba
2 changed files with 47 additions and 1 deletions
--- a/lib/tasks/users.rake
+++ b/lib/tasks/users.rake
@ -155,7 +155,13 @@ task "users:disable_2fa", [:username] => [:environment] do |_, args|
  username = args[:username]
  user = find_user(username)
  UserSecondFactor.where(user_id: user.id, method: UserSecondFactor.methods[:totp]).each(&:destroy!)
-  UserSecurityKey.where(user_id: user.id).destroy_all
+  UserSecurityKey.where(
+    user_id: user.id,
+    factor_type: UserSecurityKey.factor_types[:second_factor],
+  ).destroy_all
+  UserSecondFactor.where(user_id: user.id, method: UserSecondFactor.methods[:backup_codes]).each(
+    &:destroy!
+  )
  puts "2FA disabled for #{username}"
 end