From 99599bb09f6ea9467bee5ea5391f2ec64f6bb0eb Mon Sep 17 00:00:00 2001 From: Son Nguyen Kim Date: Mon, 12 Jul 2021 18:56:09 +0200 Subject: [PATCH] make sure user needs to go through MFA when resetting password --- app/auth/views/reset_password.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/auth/views/reset_password.py b/app/auth/views/reset_password.py index ee21683b..cf8cb507 100644 --- a/app/auth/views/reset_password.py +++ b/app/auth/views/reset_password.py @@ -4,6 +4,7 @@ from flask_wtf import FlaskForm from wtforms import StringField, validators from app.auth.base import auth_bp +from app.auth.views.login_utils import after_login from app.extensions import db, limiter from app.models import ResetPasswordCode @@ -57,10 +58,10 @@ def reset_password(): # remove the reset password code ResetPasswordCode.delete(reset_password_code.id) - db.session.commit() - login_user(user) - return redirect(url_for("dashboard.index")) + # do not use login_user(user) here + # to make sure user needs to go through MFA if enabled + return after_login(user, url_for("dashboard.index")) return render_template("auth/reset_password.html", form=form)
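Review bot: The MFA gate in the second hunk now rests entirely on `after_login`, which is imported from `app.auth.views.login_utils` and is not shown here, so nothing in this file pins the behaviour the commit title promises. A regression test that resets the password for an MFA-enabled user and asserts that no authenticated session exists until the second factor is passed would keep a later refactor from reintroducing the bypass. The new comment could name the risk directly, e.g. `# login_user() here would create a session from the reset code alone, skipping MFA`. The hunk deletes only the code that was just used (`ResetPasswordCode.delete(reset_password_code.id)`); whether the user's other outstanding reset codes and existing sessions are invalidated after the password change is not visible and is worth confirming. `reset_password()` starts above the hunk, and the `login_user` import, if it is now unused, sits outside it as well.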