Skip to content

fix(two-factor-auth): gate 2FA enforcement on global setting (SER-2911) #7760

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
coskunaydinoglu wants to merge 2 commits into from
+43 −0
Closed

fix(two-factor-auth): gate 2FA enforcement on global setting (SER-2911) #7760

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
12bdea1
fix(two-factor-auth): propagate global 2FA toggle to all users (SER-2…
Jun 22, 2026
4b04f9a
Merge branch 'master' into SER-2911-two-factor-auth-respect-global-di…
coskunaydinoglu Jun 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@

## Version 25.03.xx
Fixes:
- [two-factor-auth] Toggling global 2FA now propagates to all users: disabling it turns the 2FA switch off for every user (so users created while it was enabled are no longer prompted), and enabling it turns the switch on for all users

Enterprise Fixes:
- [journey_engine] Avoid throwing on duplicate events and prevent overwriting existing event map entries during event creation

Expand Down
40 changes: 40 additions & 0 deletions plugins/two-factor-auth/api/api.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,48 @@ var plugin = {},
const { generateQRCode } = require('../lib.js');
const FEATURE_NAME = 'two_factor_auth';

// Tracks the global 2FA state this process has already reconciled to the
// members collection, so the onchange handler only reacts to an actual admin
// toggle and not to the initial config load that happens on every startup.
var lastGlobalState;

/**
* Propagate a change of the global 2FA setting to every member's per-user
* switch (SER-2911). Enabling it globally turns the 2FA switch on for all
* users; disabling it globally turns the switch off for all users and clears
* any stored secret. While 2FA is globally disabled users may still enable or
* disable it individually for their own account.
* @param {boolean} enabled - new value of two-factor-auth.globally_enabled
*/
function propagateGlobalToMembers(enabled) {
if (typeof lastGlobalState === "undefined") {
// first call is the initial config load - record it, do not touch members
lastGlobalState = enabled;
return;
}
if (lastGlobalState === enabled || !common.db) {
return;
}
lastGlobalState = enabled;

var update = enabled
? {$set: {"two_factor_auth.enabled": true}}
: {$set: {"two_factor_auth.enabled": false}, $unset: {"two_factor_auth.secret_token": ""}};

common.db.collection("members").updateMany({}, update, function(err) {
if (err) {
log.e(`Failed to propagate global 2FA (${enabled}) to members: ${err.message}`);
}
else {
log.i(`Global 2FA ${enabled ? "enabled" : "disabled"} - updated 2FA switch for all members`);
}
});
}

plugins.setConfigs("two-factor-auth", {
globally_enabled: false
}, false, function(config) {
propagateGlobalToMembers(!!config.globally_enabled);
});

plugins.register("/permissions/features", function(ob) {
Expand Down
Loading