Merge 8902ba1fd5 into 14cb5ff881

app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb

@@ -20,6 +20,12 @@ module Settings
         redirect_to new_settings_two_factor_authentication_confirmation_path
       end
 
+      def destroy
+        current_user.disable_otp_login!
+
+        redirect_to settings_two_factor_authentication_methods_path
+      end
+
       private
 
       def verify_otp_not_enabled

app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb

@@ -6,7 +6,6 @@ module Settings
       skip_before_action :check_self_destruct!
       skip_before_action :require_functional!
 
-      before_action :redirect_invalid_otp, unless: -> { current_user.otp_enabled? }
       before_action :redirect_invalid_webauthn, only: [:index, :destroy], unless: -> { current_user.webauthn_enabled? }
 
       def index; end
@@ -85,10 +84,6 @@ module Settings
 
       private
 
-      def redirect_invalid_otp
-        redirect_to settings_two_factor_authentication_methods_path, flash: { error: t('webauthn_credentials.otp_required') }
-      end
-
       def redirect_invalid_webauthn
         redirect_to settings_two_factor_authentication_methods_path, flash: { error: t('webauthn_credentials.not_enabled') }
       end

app/controllers/settings/two_factor_authentication_methods_controller.rb

@@ -8,7 +8,7 @@ module Settings
     skip_before_action :require_functional!
 
     before_action :require_challenge!, only: :disable
-    before_action :require_otp_enabled
+    before_action :require_two_factor_enabled, only: :disable
 
     def index; end
 
@@ -16,13 +16,13 @@ module Settings
       current_user.disable_two_factor!
       UserMailer.two_factor_disabled(current_user).deliver_later!
 
-      redirect_to settings_otp_authentication_path, flash: { notice: I18n.t('two_factor_authentication.disabled_success') }
+      redirect_to settings_two_factor_authentication_methods_path, flash: { notice: I18n.t('two_factor_authentication.disabled_success') }
     end
 
     private
 
-    def require_otp_enabled
+    def require_two_factor_enabled
-      redirect_to settings_otp_authentication_path unless current_user.otp_enabled?
+      redirect_to settings_otp_authentication_path unless current_user.two_factor_enabled?
     end
   end
 end

app/models/user.rb

@@ -262,6 +262,15 @@ class User < ApplicationRecord
     otp_required_for_login? || webauthn_credentials.any?
   end
 
+  def disable_otp_login!
+    return unless otp_required_for_login?
+
+    self.otp_required_for_login = false
+    self.otp_secret = nil
+
+    save!
+  end
+
   def disable_two_factor!
     self.otp_required_for_login = false
     self.otp_secret = nil

app/views/settings/two_factor_authentication_methods/index.html.haml

@@ -1,14 +1,15 @@
 - content_for :page_title do
   = t('settings.two_factor_authentication')
 
-- content_for :heading_actions do
+- if current_user.two_factor_enabled?
-  = link_to t('two_factor_authentication.disable'), disable_settings_two_factor_authentication_methods_path, class: 'button button--destructive', method: :post
+  - content_for :heading_actions do
+    = link_to t('two_factor_authentication.disable'), disable_settings_two_factor_authentication_methods_path, class: 'button button--destructive', method: :post
 
-%p.hint
+  %p.hint
-  %span.positive-hint
+    %span.positive-hint
-    = material_symbol 'check'
+      = material_symbol 'check'
-     
+       
-    = t 'two_factor_authentication.enabled'
+      = t 'two_factor_authentication.enabled'
 
 .table-wrapper
   %table.table
@@ -19,8 +20,13 @@
     %tbody
       %tr
         %td= t('two_factor_authentication.otp')
-        %td
+        - if current_user.otp_enabled?
-          = table_link_to 'edit', t('two_factor_authentication.edit'), settings_otp_authentication_path, method: :post
+          %td
+            = table_link_to 'edit', t('two_factor_authentication.edit'), settings_otp_authentication_path, method: :get
+            = table_link_to 'delete', t('otp_authentication.delete'), settings_otp_authentication_path, method: :delete, data: { confirm: t('otp_authentication.delete_confirmation') }
+        - else
+          %td
+            = table_link_to 'add', t('two_factor_authentication.add'), settings_otp_authentication_path, method: :get
       %tr
         %td= t('two_factor_authentication.webauthn')
         - if current_user.webauthn_enabled?
@@ -30,12 +36,13 @@
           %td
             = table_link_to 'key', t('two_factor_authentication.add'), new_settings_webauthn_credential_path, method: :get
 
-%hr.spacer/
+- if current_user.otp_enabled?
+  %hr.spacer/
 
-%h3= t('two_factor_authentication.recovery_codes')
+  %h3= t('two_factor_authentication.recovery_codes')
-%p.muted-hint= t('two_factor_authentication.lost_recovery_codes')
+  %p.muted-hint= t('two_factor_authentication.lost_recovery_codes')
 
-%hr.spacer/
+  %hr.spacer/
 
-.simple_form
+  .simple_form
-  = link_to t('two_factor_authentication.generate_recovery_codes'), settings_two_factor_authentication_recovery_codes_path, data: { method: :post }, class: 'button button--block'
+    = link_to t('two_factor_authentication.generate_recovery_codes'), settings_two_factor_authentication_recovery_codes_path, data: { method: :post }, class: 'button button--block'

config/locales/an.yml

@@ -1554,5 +1554,4 @@ an:
     nickname_hint: Escriba la embotada d'a suya nueva clau de seguranza
     not_enabled: Encara no has activau WebAuthn
     not_supported: Este navegador no suporta claus de seguranza
-    otp_required: Pa usar claus de seguranza, per favor habilite primero l'autenticación de dople factor.
     registered_on: Rechistrau lo %{date}

config/locales/ar.yml

@@ -2279,5 +2279,4 @@ ar:
     nickname_hint: أدخل اسم مستعار لمفتاح الأمان الجديد الخاص بك
     not_enabled: لم تقم بتفعيل WebAuthn بعد
     not_supported: هذا المتصفح لا يدعم مفاتيح الأمان
-    otp_required: لاستخدام مفاتيح الأمان، يرجى تفعيل الاستيثاق بعامِلين أولاً.
     registered_on: تم التسجيل في %{date}

config/locales/ast.yml

@@ -898,4 +898,3 @@ ast:
     invalid_credential: La llave de seguranza nun ye válida
     not_enabled: Nun activesti la función WebAuthn
     not_supported: Esti restolador nun ye compatible coles llaves de seguranza
-    otp_required: Pa usar les llaves de seguranza, activa primero l'autenticación en dos pasos.

config/locales/be.yml

@@ -2236,5 +2236,4 @@ be:
     nickname_hint: Увядзіце псеўданім вашага новага ключа бяспекі
     not_enabled: Вы яшчэ не ўключылі WebAuthn
     not_supported: Гэты браўзер не падтрымлівае ключы бяспекі
-    otp_required: Каб выкарыстоўваць ключы бяспекі, спачатку ўключыце двухфактарную аўтэнтыфікацыю.
     registered_on: Зарэгістраваны %{date}

config/locales/bg.yml

@@ -2119,5 +2119,4 @@ bg:
     nickname_hint: Въведете прякор на новия си ключ за сигурност
     not_enabled: Още не сте включили WebAuthn
     not_supported: Този браузър не поддържа ключове за сигурност
-    otp_required: Първо включете двуфакторното удостоверяване, за да използвате ключовете за сигурност.
     registered_on: Регистрирано на %{date}

config/locales/br.yml

@@ -632,5 +632,4 @@ br:
     nickname_hint: Skrivit lesanv hoc'h alc'hwez surentez nevez
     not_enabled: WebAuthn n'eo ket aotreet ganeoc'h c'hoazh
     not_supported: Alc'hwezioù surentez a zo diembreg gant ar merdeer-se
-    otp_required: Evit implijout alc'hwezioù surentez, aotrit dilesadur dre eil-elfenn da gentañ.
     registered_on: Enrollet d'ar %{date}

config/locales/ca.yml

@@ -2118,5 +2118,4 @@ ca:
     nickname_hint: Introdueix el sobrenom de la teva clau de seguretat nova
     not_enabled: Encara no has activat WebAuthn
     not_supported: Aquest navegador no suporta claus de seguretat
-    otp_required: Per a usar claus de seguretat, activeu primer l'autenticació de dos factors.
     registered_on: Registrat en %{date}

config/locales/ckb.yml

@@ -1007,5 +1007,4 @@ ckb:
     nickname_hint: نازناوی کلیلی ئاسایشی نوێت تێبنووسە
     not_enabled: تۆ هێشتا WebAuthnت چالاک نەکردووە
     not_supported: ئەم وێبگەڕە پشتگیری کلیلەکانی پاراستن ناکات
-    otp_required: بۆ بەکارهێنانی کلیلەکانی پاراستن تکایە سەرەتا سەلماندنی دوو-فاکتەر چالاک بکە.
     registered_on: تۆمارکراو لە %{date}

config/locales/co.yml

@@ -1021,5 +1021,4 @@ co:
     nickname_hint: Entrate u nome di a vostra nova chjave di sicurità
     not_enabled: Ùn avete micca attivatu WebAuthn
     not_supported: E chjave di sicurità ùn marchjanu micca cù quessu navigatore
-    otp_required: Per utilizà una chjave di sicurità duvete attivà l'identificazione à dui fattori prima.
     registered_on: Arregistrata %{date}

config/locales/cs.yml

@@ -2236,5 +2236,4 @@ cs:
     nickname_hint: Zadejte přezdívku nového bezpečnostního klíče
     not_enabled: Zatím jste nepovolili WebAuthn
     not_supported: Tento prohlížeč nepodporuje bezpečnostní klíče
-    otp_required: Pro použití bezpečnostních klíčů prosím nejprve zapněte dvoufázové ověřování.
     registered_on: Přidán %{date}

config/locales/cy.yml

@@ -2320,5 +2320,4 @@ cy:
     nickname_hint: Rhowch lysenw eich allwedd ddiogelwch newydd
     not_enabled: Nid ydych wedi galluogi WebAuthn eto
     not_supported: Nid yw'r porwr hwn yn cynnal allweddi diogelwch
-    otp_required: I ddefnyddio allweddi diogelwch, galluogwch ddilysu dau ffactor yn gyntaf.
     registered_on: Cofrestrwyd ar %{date}

config/locales/da.yml

@@ -2148,5 +2148,4 @@ da:
     nickname_hint: Angiv kaldenavnet på din nye sikkerhedsnøgle
     not_enabled: Du har endnu ikke aktiveret WebAuthn
     not_supported: Denne browser understøtter ikke sikkerhedsnøgler
-    otp_required: For at bruge sikkerhedsnøgler skal tofaktorgodkendelse først aktiveres.
     registered_on: Registreret d. %{date}

config/locales/de.yml

@@ -2148,5 +2148,4 @@ de:
     nickname_hint: Gib den Spitznamen deines neuen Sicherheitsschlüssels ein
     not_enabled: Du hast WebAuthn noch nicht aktiviert
     not_supported: Dieser Browser unterstützt keine Sicherheitsschlüssel
-    otp_required: Um Sicherheitsschlüssel zu verwenden, aktiviere zunächst die Zwei-Faktor-Authentisierung.
     registered_on: Registriert am %{date}

config/locales/el.yml

@@ -2138,5 +2138,4 @@ el:
     nickname_hint: Βάλε το ψευδώνυμο του νέου κλειδιού ασφαλείας σου
     not_enabled: Δεν έχεις ενεργοποιήσει το WebAuthn ακόμα
     not_supported: Αυτό το πρόγραμμα περιήγησης δεν υποστηρίζει κλειδιά ασφαλείας
-    otp_required: Για να χρησιμοποιήσεις κλειδιά ασφαλείας, ενεργοποίησε πρώτα την ταυτοποίηση δύο παραγόντων.
     registered_on: Εγγραφή στις %{date}

config/locales/en-GB.yml

@@ -2107,5 +2107,4 @@ en-GB:
     nickname_hint: Enter the nickname of your new security key
     not_enabled: You haven't enabled WebAuthn yet
     not_supported: This browser doesn't support security keys
-    otp_required: To use security keys please enable two-factor authentication first.
     registered_on: Registered on %{date}

config/locales/en.yml

@@ -1716,6 +1716,8 @@ en:
           unit: ''
   otp_authentication:
     code_hint: Enter the code generated by your authenticator app to confirm
+    delete: Delete
+    delete_confirmation: Are you sure you want to delete your authenticator app from your two-factor authentication methods?
     description_html: If you enable <strong>two-factor authentication</strong> using an authenticator app, logging in will require you to be in possession of your phone, which will generate tokens for you to enter.
     enable: Enable
     instructions_html: "<strong>Scan this QR code into Google Authenticator or a similar TOTP app on your phone</strong>. From now on, that app will generate tokens that you will have to enter when logging in."
@@ -2149,5 +2151,4 @@ en:
     nickname_hint: Enter the nickname of your new security key
     not_enabled: You haven't enabled WebAuthn yet
     not_supported: This browser doesn't support security keys
-    otp_required: To use security keys please enable two-factor authentication first.
     registered_on: Registered on %{date}

config/locales/eo.yml

@@ -2119,5 +2119,4 @@ eo:
     nickname_hint: Enigu alinomon de via nova sekurecŝlosilo
     not_enabled: Vi ankoraŭ ne ŝaltis WebAuth
     not_supported: Ĉi tiu legilo ne povas uzi sekurecŝlosilojn
-    otp_required: Por uzi sekurecŝlosilojn, ebligu 2-faktoran autentigon unue.
     registered_on: Registrita je %{date}

config/locales/es-AR.yml

@@ -2148,5 +2148,4 @@ es-AR:
     nickname_hint: Ingresá el apodo de tu nueva llave de seguridad
     not_enabled: Todavía no habilitaste WebAuthn
     not_supported: Este navegador web no soporta llaves de seguridad
-    otp_required: Para usar llaves de seguridad, por favor, primero habilitá la autenticación de dos factores.
     registered_on: Registrado el %{date}

config/locales/es-MX.yml

@@ -2148,5 +2148,4 @@ es-MX:
     nickname_hint: Introduzca el apodo de su nueva clave de seguridad
     not_enabled: Aún no has activado WebAuthn
     not_supported: Este navegador no soporta claves de seguridad
-    otp_required: Para usar claves de seguridad, por favor habilite primero la autenticación de doble factor.
     registered_on: Registrado el %{date}

config/locales/es.yml

@@ -2148,5 +2148,4 @@ es:
     nickname_hint: Introduzca el apodo de su nueva clave de seguridad
     not_enabled: Aún no has activado WebAuthn
     not_supported: Este navegador no soporta claves de seguridad
-    otp_required: Para usar claves de seguridad, por favor habilite primero la autenticación de doble factor.
     registered_on: Registrado el %{date}

config/locales/et.yml

@@ -2150,5 +2150,4 @@ et:
     nickname_hint: Uue turvavõtme hüüdnimi
     not_enabled: Veebiautentimine pole sisse lülitatud
     not_supported: See veebilehitseja ei toeta turvavõtmeid
-    otp_required: Turvavõtmete kasutamiseks tuleb eelnevalt sisse lülitada kaheastmeline autentimine.
     registered_on: Registreeritud %{date}

config/locales/eu.yml

@@ -1955,5 +1955,4 @@ eu:
     nickname_hint: Sartu zure segurtasun gako berriaren ezizena
     not_enabled: Ez duzu WebAuthn gaitu oraindik
     not_supported: Nabigatzaile honek ez ditu segurtasun gakoak onartzen
-    otp_required: Segurtasun gakoak erabili aurretik bi faktoreko autentifikazioa gaitu behar duzu.
     registered_on: "%{date}(e)an erregistratua"

config/locales/fa.yml

@@ -2137,5 +2137,4 @@ fa:
     nickname_hint: نام مستعار کلید امنیتی جدیدتان را وارد کنید
     not_enabled: شما هنوز WebAuthn را فعال نکرده‌اید
     not_supported: این مرورگر از کلیدهای امنیتی پشتیبانی نمی‌کند
-    otp_required: برای استفاده از کلیدهای امنیتی، لطفاً ابتدا تأیید هویت دو عاملی را به کار بیندازید.
     registered_on: ثبت‌شده در %{date}

config/locales/fi.yml

@@ -2148,5 +2148,4 @@ fi:
     nickname_hint: Anna uuden suojausaivaimesi lempinimi
     not_enabled: Et ole vielä ottanut WebAuthn-ohjelmaa käyttöön
     not_supported: Tämä selain ei tue suojausavaimia
-    otp_required: Jos haluat käyttää suojausavaimia, ota ensin kaksivaiheinen todennus käyttöön.
     registered_on: Rekisteröity %{date}

config/locales/fo.yml

@@ -2148,5 +2148,4 @@ fo:
     nickname_hint: Skriva eyknevni á tínum nýggja trygdarlykli
     not_enabled: Tú hevur ikki gjørt WebAuthn virkið enn
     not_supported: Hesin kagin stuðlar ikki uppundir trygdarlyklar
-    otp_required: Fyri at brúka trygdarlyklar er neyðugt at gera váttan í tveimum stigum virkna fyrst.
     registered_on: Skrásett %{date}

config/locales/fr-CA.yml

@@ -2078,5 +2078,4 @@ fr-CA:
     nickname_hint: Entrez le surnom de votre nouvelle clé de sécurité
     not_enabled: Vous n'avez pas encore activé WebAuthn
     not_supported: Ce navigateur ne prend pas en charge les clés de sécurité
-    otp_required: Pour utiliser les clés de sécurité, veuillez d'abord activer l'authentification à deux facteurs.
     registered_on: Inscrit le %{date}

config/locales/fr.yml

@@ -2078,5 +2078,4 @@ fr:
     nickname_hint: Entrez le surnom de votre nouvelle clé de sécurité
     not_enabled: Vous n'avez pas encore activé WebAuthn
     not_supported: Ce navigateur ne prend pas en charge les clés de sécurité
-    otp_required: Pour utiliser les clés de sécurité, veuillez d'abord activer l'authentification à deux facteurs.
     registered_on: Inscrit le %{date}

config/locales/fy.yml

@@ -2133,5 +2133,4 @@ fy:
     nickname_hint: Fier de bynamme yn fan jo nije befeiligingskaai
     not_enabled: Jo hawwe WebAuthn noch net ynskeakele
     not_supported: Dizze browser stipet gjin befeiligingskaaien
-    otp_required: Om befeiligingskaaien brûke te kinnen, moatte jo earst twa-stapsferifikaasje ynskeakelje.
     registered_on: Registrearre op %{date}

config/locales/ga.yml

@@ -2277,5 +2277,4 @@ ga:
     nickname_hint: Cuir isteach leasainm d'eochair shlándála nua
     not_enabled: Níl WebAuthn cumasaithe agat fós
     not_supported: Ní thacaíonn an brabhsálaí seo le heochracha slándála
-    otp_required: Chun eochracha slándála a úsáid cumasaigh fíordheimhniú dhá fhachtóir ar dtús.
     registered_on: Cláraithe ar %{date}

config/locales/gd.yml

@@ -2191,5 +2191,4 @@ gd:
     nickname_hint: Cuir a-steach far-ainm na h-iuchrach tèarainteachd ùir agad
     not_enabled: Cha do chuir thu WebAuthn an comas fhathast
     not_supported: Cha chuir am brabhsair seo taic ri iuchraichean tèarainteachd
-    otp_required: Mus cleachd thu iuchraichean tèarainteachd, feumaidh tu an dearbhadh dà-cheumnach a chur an comas.
     registered_on: Air a chlàradh %{date}

config/locales/gl.yml

@@ -2148,5 +2148,4 @@ gl:
     nickname_hint: Escribe un alcume para a túa nova chave de seguridade
     not_enabled: Aínda non tes activado WebAuthn
     not_supported: Este navegador non ten soporte para chaves de seguridade
-    otp_required: Para usar chaves de seguridade tes que activar primeiro o segundo factor.
     registered_on: Rexistrado o %{date}

config/locales/he.yml

@@ -2236,5 +2236,4 @@ he:
     nickname_hint: הכנס.י כינוי למפתח האבטחה החדש שלך
     not_enabled: לא אפשרת את WebAuthn עדיין
     not_supported: דפדפן זה לא תומך במפתחות אבטחה
-    otp_required: על מנת להשתמש במפתחות אבטחה אנא אפשר.י אימות דו-שלבי קודם.
     registered_on: נרשם ב %{date}

config/locales/hu.yml

@@ -2148,5 +2148,4 @@ hu:
     nickname_hint: Írd be az új biztonsági kulcsod becenevét
     not_enabled: Még nem engedélyezted a WebAuthn-t
     not_supported: Ez a böngésző nem támogatja a biztonsági kulcsokat
-    otp_required: A biztonsági kulcsok használatához először engedélyezd a kétlépcsős hitelesítést.
     registered_on: 'Regisztráció ekkor: %{date}'

config/locales/ia.yml

@@ -2145,5 +2145,4 @@ ia:
     nickname_hint: Insere le pseudonymo de tu nove clave de securitate
     not_enabled: Tu ancora non ha activate WebAuthn
     not_supported: Iste navigator non supporta claves de securitate
-    otp_required: Pro usar le claves de securitate activa prime le authentication de duo factores.
     registered_on: Inscribite le %{date}

config/locales/id.yml

@@ -1523,5 +1523,4 @@ id:
     nickname_hint: Masukkan panggilan kunci keamanan baru Anda
     not_enabled: Anda belum mengaktifkan WebAuthn
     not_supported: Peramban ini tidak mendukung kunci keamanan
-    otp_required: Untuk menggunakan kunci keamanan harap aktifkan autentikasi dua-faktor.
     registered_on: Terdaftar pada %{date}

config/locales/ie.yml

@@ -1827,5 +1827,4 @@ ie:
     nickname_hint: Scrir li moc-nómine de tui nov clave de securitá
     not_enabled: Tu ancor ne ha possibilisat WebAuthn
     not_supported: Ti-ci navigator ne subtene claves de securitá
-    otp_required: Por usar claves de securitá, ples activisar 2-factor autentication.
     registered_on: Adheret ye %{date}

config/locales/io.yml

@@ -1899,5 +1899,4 @@ io:
     nickname_hint: Insertez nometo di vua nova sekuresklefo
     not_enabled: Vu ne ebligis WebAuthn til nun
     not_supported: Ca vidilo ne suportas sekuresklefi
-    otp_required: Por uzar sekuresklefi, ebligez dufaktora yurizo unesme.
     registered_on: Registris ye %{date}

config/locales/is.yml

@@ -2152,5 +2152,4 @@ is:
     nickname_hint: Settu inn stuttnefni fyrir nýja öryggislykilinn þinn
     not_enabled: Þú hefur ennþá ekki virkjað WebAuthn
     not_supported: Þessi vafri styður ekki öryggislykla
-    otp_required: Til að nota öryggislykla skaltu fyrst virkja tveggja-þátta auðkenningu.
     registered_on: Skráði sig %{date}

config/locales/it.yml

@@ -2150,5 +2150,4 @@ it:
     nickname_hint: Inserisci il soprannome della tua nuova chiave di sicurezza
     not_enabled: Non hai ancora abilitato WebAuthn
     not_supported: Questo browser non supporta le chiavi di sicurezza
-    otp_required: Per utilizzare le chiavi di sicurezza, prima abilita l'autenticazione a due fattori.
     registered_on: Registrato il %{date}

config/locales/ja.yml

@@ -2052,5 +2052,4 @@ ja:
     nickname_hint: セキュリティキーの名前を入力してください
     not_enabled: まだセキュリティキーを有効にしていません
     not_supported: このブラウザはセキュリティキーに対応していないようです
-    otp_required: セキュリティキーを使用するには、まず二要素認証を有効にしてください。
     registered_on: "%{date}に登録"

config/locales/ko.yml

@@ -2103,5 +2103,4 @@ ko:
     nickname_hint: 새 보안 키의 별명을 입력해 주세요
     not_enabled: 아직 WebAuthn을 활성화 하지 않았습니다.
     not_supported: 이 브라우저는 보안 키를 지원하지 않습니다
-    otp_required: 보안 키를 사용하기 위해서는 2단계 인증을 먼저 활성화 해 주세요
     registered_on: "%{date}에 등록됨"

config/locales/ku.yml

@@ -1549,5 +1549,4 @@ ku:
     nickname_hint: Bernavka kilîda te ya ewlehiyê a nû têkevê
     not_enabled: Te hê WebAuthn çalak nekiriye
     not_supported: Ev gerok piştgiriya kilîtên ewlehiyê nakê
-    otp_required: Ji bo ku tu kilîtên ewlehiyê bikar bînî, ji kerema xwe re pêşî piştrastkirina du-gavî çalak bike.
     registered_on: Di %{date} dîrokê de tomar bû

config/locales/lad.yml

@@ -1953,5 +1953,4 @@ lad:
     nickname_hint: Introduska el sovrenombre de tu mueva yave de sigurita
     not_enabled: Ainda no tienes aktivado WebAuthn
     not_supported: Este navigador no soporta yaves de sigurita
-    otp_required: Para uzar yaves de sigurita, por favor kapasite primero la autentifikasyon de dos pasos.
     registered_on: Enrejistrado el %{date}

config/locales/lt.yml

@@ -1359,4 +1359,3 @@ lt:
       success: Tavo saugumo raktas buvo sėkmingai ištrintas.
     nickname_hint: Įvesk naujojo saugumo rakto slapyvardį
     not_enabled: Dar neįjungei WebAuthn
-    otp_required: Norint naudoti saugumo raktus, pirmiausia įjunk dvigubą tapatybės nustatymą.

config/locales/lv.yml

@@ -2128,5 +2128,4 @@ lv:
     nickname_hint: Ievadi savas jaunās drošības atslēgas segvārdu
     not_enabled: Tu vel neesi iespējojis WebAuthn
     not_supported: Šī pārlūkprogramma neatbalsta drošības atslēgas
-    otp_required: Lai izmantotu drošības atslēgas, lūgums vispirms iespējot divpakāpju autentifikāciju.
     registered_on: Reģistrēts %{date}

config/locales/ms.yml

@@ -1710,5 +1710,4 @@ ms:
     nickname_hint: Masukkan nama panggilan kunci keselamatan baharu anda
     not_enabled: Anda belum mendayakan WebAuthn lagi
     not_supported: Pelayan ini tidak menyokong kunci keselamatan
-    otp_required: Untuk menggunakan kunci keselamatan, sila mengaktifkan pengesahan dua faktor dahulu.
     registered_on: Didaftar pada %{date}

config/locales/my.yml

@@ -1701,5 +1701,4 @@ my:
     nickname_hint: သင့်လုံခြုံရေးကီးအသစ်၏ အမည်ပြောင်ကို ထည့်ပါ။
     not_enabled: WebAuthn ကို သင် မဖွင့်ရသေးပါ
     not_supported: ဤဘရောက်ဆာသည် လုံခြုံရေးကီးများကို မပံ့ပိုးပါ
-    otp_required: လုံခြုံရေးကီးများကို အသုံးပြုရန်အတွက် နှစ်ဆင့်ခံလုံခြုံရေးစနစ်စိစစ်ခြင်းကို ဦးစွာဖွင့်ပါ။
     registered_on: "%{date} တွင် စာရင်းသွင်းထားသည်"

config/locales/nl.yml

@@ -2148,5 +2148,4 @@ nl:
     nickname_hint: Voer de bijnaam in van jouw nieuwe beveiligingssleutel
     not_enabled: Je hebt WebAuthn nog niet ingeschakeld
     not_supported: Deze browser ondersteunt geen beveiligingssleutels
-    otp_required: Om beveiligingssleutels te kunnen gebruiken, moet je eerst tweestapsverificatie inschakelen.
     registered_on: Geregistreerd op %{date}

config/locales/nn.yml

@@ -2145,5 +2145,4 @@ nn:
     nickname_hint: Skriv inn kallenavnet til din nye sikkerhetsnøkkel
     not_enabled: Du har ikke aktivert WebAuthn ennå
     not_supported: Denne nettleseren støtter ikke sikkerhetsnøkler
-    otp_required: For å bruke sikkerhetsnøkler, må du først aktivere to-faktor autentisering.
     registered_on: Registrert den %{date}

config/locales/no.yml

@@ -1821,5 +1821,4 @@
     nickname_hint: Skriv inn kallenavnet til din nye sikkerhetsnøkkel
     not_enabled: Du har ikke aktivert WebAuthn ennå
     not_supported: Denne nettleseren støtter ikke sikkerhetsnøkler
-    otp_required: For å bruke sikkerhetsnøkler, må du først aktivere to-faktor autentisering.
     registered_on: Registrert den %{date}

config/locales/pl.yml

@@ -2198,5 +2198,4 @@ pl:
     nickname_hint: Wprowadź nazwę twojego nowego klucza bezpieczeństwa
     not_enabled: Nie włączyłeś WebAuthn
     not_supported: Twoja przeglądarka nie obsługuje kluczy bezpieczeństwa
-    otp_required: Aby użyć kluczy bezpieczeństwa, najpierw włącz uwierzytelnianie dwuskładnikowe.
     registered_on: Zarejestrowano %{date}

config/locales/pt-BR.yml

@@ -2148,5 +2148,4 @@ pt-BR:
     nickname_hint: Digite o apelido da sua nova chave de segurança
     not_enabled: Você ainda não habilitou o WebAuthn
     not_supported: Este navegador não tem suporte a chaves de segurança
-    otp_required: Para usar chaves de segurança, ative a autenticação de dois fatores.
     registered_on: Registrado em %{date}

config/locales/pt-PT.yml

@@ -2145,5 +2145,4 @@ pt-PT:
     nickname_hint: Introduz a alcunha da tua nova chave de segurança
     not_enabled: Ainda não ativaste o WebAuthn
     not_supported: Este navegador não funciona com chaves de segurança
-    otp_required: Para utilizares chaves de segurança, ativa primeiro a autenticação de dois fatores.
     registered_on: Registado em %{date}

config/locales/ru.yml

@@ -2192,5 +2192,4 @@ ru:
     nickname_hint: Введите название для нового электронного ключа
     not_enabled: Вы еще не включили WebAuthn
     not_supported: В этом браузере отсутствует поддержка электронных ключей
-    otp_required: Чтобы использовать электронные ключи, сначала включите двухфакторную аутентификацию.
     registered_on: Зарегистрирован %{date}

config/locales/sc.yml

@@ -1264,5 +1264,4 @@ sc:
     nickname_hint: Inserta su nomìngiu de sa crae de seguresa tua noa
     not_enabled: No as ativadu ancora WebAuthn
     not_supported: Custu navigadore no est cumpatìbile cun is craes de seguresa
-    otp_required: Pro impreare is craes de seguresa depes ativare prima s'autenticatzione in duos passos.
     registered_on: 'Registratzione: %{date}'

config/locales/sco.yml

@@ -1539,5 +1539,4 @@ sco:
     nickname_hint: Pit in the nickname o yer new security key
     not_enabled: Ye huvnae turnt on WebAuthn yit
     not_supported: This brooser disnae support security keys
-    otp_required: Fir tae uise security keys please turn on twa-factor authentication furst.
     registered_on: Registert on %{date}

config/locales/si.yml

@@ -1402,5 +1402,4 @@ si:
     nickname_hint: ඔබගේ නව ආරක්ෂක යතුරේ අන්වර්ථ නාමය ඇතුළත් කරන්න
     not_enabled: ඔබ තවමත් WebAuthn සබල කර නැත
     not_supported: මෙම බ්‍රවුසරය ආරක්ෂක යතුරු සඳහා සහය නොදක්වයි
-    otp_required: ආරක්ෂක යතුරු භාවිතා කිරීමට කරුණාකර පළමුව ද්වි-සාධක සත්‍යාපනය සක්‍රීය කරන්න.
     registered_on: "%{date} දී ලියාපදිංචි වී ඇත"

config/locales/sl.yml

@@ -2136,5 +2136,4 @@ sl:
     nickname_hint: Vnesite vzdevek svojega novega varnostnega ključa
     not_enabled: Niste še omogočili WebAuthn
     not_supported: Ta brskalnik ne podpira varnostnih ključev
-    otp_required: Za uporabo varnostnih ključev morate najprej omogočiti 2FA (dvostopenjsko overjanje).
     registered_on: Datum registracije %{date}

config/locales/sq.yml

@@ -2093,5 +2093,4 @@ sq:
     nickname_hint: Jepni nofkën e kyçit tuaj të ri të sigurisë
     not_enabled: S’e keni aktivizuar ende WebAuthn-in
     not_supported: Ky shfletues nuk mbulon kyçe sigurie
-    otp_required: Që të përdoren kyçe sigurie, ju lutemi, së pari aktivizoni mirëfilltësimin dyfaktorësh.
     registered_on: Regjistruar më %{date}

config/locales/sr-Latn.yml

@@ -1861,5 +1861,4 @@ sr-Latn:
     nickname_hint: Unesite nadimak svog novog sigurnosnog ključa
     not_enabled: Još uvek niste omogućili WebAuthn
     not_supported: Ovaj pretraživač ne podržava sigurnosne ključeve
-    otp_required: Da biste koristili sigurnosne ključeve, molimo Vas prvo uključite dvofaktorsku autentifikaciju.
     registered_on: Registrovan/-a %{date}

config/locales/sr.yml

@@ -1891,5 +1891,4 @@ sr:
     nickname_hint: Унесите надимак свог новог сигурносног кључа
     not_enabled: Још увек нисте омогућили WebAuthn
     not_supported: Овај претраживач не подржава сигурносне кључеве
-    otp_required: Да бисте користили сигурносне кључеве, молимо Вас прво укључите двофакторску аутентификацију.
     registered_on: Регистрован/-а %{date}

config/locales/sv.yml

@@ -2138,5 +2138,4 @@ sv:
     nickname_hint: Ange smeknamnet på din nya säkerhetsnyckel
     not_enabled: Du har inte aktiverat WebAuthn än
     not_supported: Denna webbläsare stöder inte säkerhetsnycklar
-    otp_required: För att använda säkerhetsnycklar måste du först aktivera tvåfaktorsautentisering.
     registered_on: Registrerad den %{date}

config/locales/th.yml

@@ -1993,5 +1993,4 @@ th:
     nickname_hint: ป้อนชื่อเล่นของกุญแจความปลอดภัยใหม่ของคุณ
     not_enabled: คุณยังไม่ได้เปิดใช้งาน WebAuthn
     not_supported: เบราว์เซอร์นี้ไม่รองรับกุญแจความปลอดภัย
-    otp_required: เพื่อใช้กุญแจความปลอดภัย โปรดเปิดใช้งานการรับรองความถูกต้องด้วยสองปัจจัยก่อน
     registered_on: ลงทะเบียนเมื่อ %{date}

config/locales/tr.yml

@@ -2145,5 +2145,4 @@ tr:
     nickname_hint: Yeni güvenlik anahtarınızın takma adını girin
     not_enabled: Henüz WebAuthn'u etkinleştirmediniz
     not_supported: Bu tarayıcı güvenlik anahtarlarını desteklemiyor
-    otp_required: Güvenlik anahtarlarını kullanmak için lütfen önce iki adımlı kimlik doğrulamayı etkinleştirin.
     registered_on: "%{date} tarihinde kaydoldu"

config/locales/uk.yml

@@ -2096,5 +2096,4 @@ uk:
     nickname_hint: Введіть псевдонім нового ключа безпеки
     not_enabled: Ви ще не активували WebAuthn
     not_supported: Цей браузер не підтримує ключі безпеки
-    otp_required: Для використання ключів безпеки, спочатку увімкніть двофакторну аутентифікацію.
     registered_on: Зареєстровано %{date}

config/locales/vi.yml

@@ -2104,5 +2104,4 @@ vi:
     nickname_hint: Nhập tên mới cho khóa bảo mật của bạn
     not_enabled: Bạn chưa kích hoạt WebAuthn
     not_supported: Trình duyệt của bạn không hỗ trợ khóa bảo mật
-    otp_required: Để dùng khóa bảo mật, trước tiên hãy kích hoạt xác thực 2 bước.
     registered_on: Đăng ký vào %{date}

config/locales/zh-CN.yml

@@ -2104,5 +2104,4 @@ zh-CN:
     nickname_hint: 输入你的新安全密钥的昵称
     not_enabled: 你尚未启用WebAuthn
     not_supported: 此浏览器不支持安全密钥
-    otp_required: 要使用安全密钥，请先启用双因素认证。
     registered_on: 注册于 %{date}

config/locales/zh-HK.yml

@@ -1841,5 +1841,4 @@ zh-HK:
     nickname_hint: 請為你的安全密鑰裝置命名
     not_enabled: 你還未啟用 WebAuthn
     not_supported: 這個瀏覽器並不支援安全密鑰裝置
-    otp_required: 請開啟雙重認證以使用安全密鑰裝置
     registered_on: 在 %{date} 注冊

config/locales/zh-TW.yml

@@ -2110,5 +2110,4 @@ zh-TW:
     nickname_hint: 輸入您新安全金鑰的暱稱
     not_enabled: 您尚未啟用 WebAuthn
     not_supported: 此瀏覽器並不支援安全金鑰
-    otp_required: 請先啟用兩階段驗證以使用安全金鑰。
     registered_on: 註冊於 %{date}

config/routes/settings.rb

@@ -39,7 +39,7 @@ namespace :settings do
   end
 
   scope module: :two_factor_authentication do
-    resource :otp_authentication, only: [:show, :create], controller: :otp_authentication
+    resource :otp_authentication, only: [:show, :create, :destroy], controller: :otp_authentication
 
     resources :webauthn_credentials, only: [:index, :new, :create, :destroy], path: 'security_keys' do
       collection do

spec/controllers/auth/sessions_controller_spec.rb

@@ -349,9 +349,9 @@ RSpec.describe Auth::SessionsController do
         end
       end
 
-      context 'with WebAuthn and OTP enabled as second factor' do
+      context 'with WebAuthn enabled as second factor' do
         let!(:user) do
-          Fabricate(:user, email: 'x@y.com', password: 'abcdefgh', otp_required_for_login: true, otp_secret: User.generate_otp_secret)
+          Fabricate(:user, email: 'x@y.com', password: 'abcdefgh')
         end
 
         let!(:webauthn_credential) do

spec/controllers/settings/two_factor_authentication/otp_authentication_controller_spec.rb

@@ -96,4 +96,26 @@ RSpec.describe Settings::TwoFactorAuthentication::OtpAuthenticationController do
       end
     end
   end
+
+  describe 'GET #destroy' do
+    context 'when signed in' do
+      before do
+        sign_in user, scope: :user
+      end
+
+      it 'redirects to two factor authentication methods list page' do
+        delete :destroy
+
+        expect(response).to redirect_to settings_two_factor_authentication_methods_path
+      end
+    end
+
+    context 'when not signed in' do
+      it 'redirects to login' do
+        delete :destroy
+
+        expect(response).to redirect_to new_user_session_path
+      end
+    end
+  end
 end

spec/controllers/settings/two_factor_authentication/webauthn_credentials_controller_spec.rb

@@ -20,29 +20,10 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
         sign_in user, scope: :user
       end
 
-      context 'when user has otp enabled' do
+      it 'returns http success' do
-        before do
+        get :new
-          user.update(otp_required_for_login: true)
-        end
 
-        it 'returns http success' do
+        expect(response).to have_http_status(200)
-          get :new
-
-          expect(response).to have_http_status(200)
-        end
-      end
-
-      context 'when user does not have otp enabled' do
-        before do
-          user.update(otp_required_for_login: false)
-        end
-
-        it 'requires otp enabled first' do
-          get :new
-
-          expect(response).to redirect_to settings_two_factor_authentication_methods_path
-          expect(flash[:error]).to be_present
-        end
       end
     end
   end
@@ -53,40 +34,21 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
         sign_in user, scope: :user
       end
 
-      context 'when user has otp enabled' do
+      context 'when user has webauthn enabled' do
         before do
-          user.update(otp_required_for_login: true)
+          user.update(webauthn_id: WebAuthn.generate_user_id)
+          add_webauthn_credential(user)
         end
 
-        context 'when user has webauthn enabled' do
+        it 'returns http success' do
-          before do
+          get :index
-            user.update(webauthn_id: WebAuthn.generate_user_id)
-            add_webauthn_credential(user)
-          end
 
-          it 'returns http success' do
+          expect(response).to have_http_status(200)
-            get :index
-
-            expect(response).to have_http_status(200)
-          end
-        end
-
-        context 'when user does not has webauthn enabled' do
-          it 'redirects to 2FA methods list page' do
-            get :index
-
-            expect(response).to redirect_to settings_two_factor_authentication_methods_path
-            expect(flash[:error]).to be_present
-          end
         end
       end
 
-      context 'when user does not have otp enabled' do
+      context 'when user does not has webauthn enabled' do
-        before do
+        it 'redirects to 2FA methods list page' do
-          user.update(otp_required_for_login: false)
-        end
-
-        it 'requires otp enabled first' do
           get :index
 
           expect(response).to redirect_to settings_two_factor_authentication_methods_path
@@ -110,50 +72,53 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
         sign_in user, scope: :user
       end
 
-      context 'when user has otp enabled' do
+      context 'when user has webauthn enabled' do
         before do
-          user.update(otp_required_for_login: true)
+          user.update(webauthn_id: WebAuthn.generate_user_id)
+          add_webauthn_credential(user)
         end
 
-        context 'when user has webauthn enabled' do
+        it 'returns http success' do
-          before do
+          get :options
-            user.update(webauthn_id: WebAuthn.generate_user_id)
-            add_webauthn_credential(user)
-          end
 
-          it 'includes existing credentials in list of excluded credentials', :aggregate_failures do
+          expect(response).to have_http_status(200)
-            expect { get :options }.to_not change(user, :webauthn_id)
-
-            expect(response).to have_http_status(200)
-
-            expect(controller.session[:webauthn_challenge]).to be_present
-
-            excluded_credentials_ids = response.parsed_body['excludeCredentials'].pluck('id')
-            expect(excluded_credentials_ids).to match_array(user.webauthn_credentials.pluck(:external_id))
-          end
         end
 
-        context 'when user does not have webauthn enabled' do
+        it 'stores the challenge on the session' do
-          it 'stores the challenge on the session and sets user webauthn_id', :aggregate_failures do
+          get :options
-            get :options
 
-            expect(response).to have_http_status(200)
+          expect(controller.session[:webauthn_challenge]).to be_present
-            expect(controller.session[:webauthn_challenge]).to be_present
+        end
-            expect(user.reload.webauthn_id).to be_present
+
-          end
+        it 'does not change webauthn_id' do
+          expect { get :options }.to_not change(user, :webauthn_id)
+        end
+
+        it 'includes existing credentials in list of excluded credentials' do
+          get :options
+
+          excluded_credentials_ids = response.parsed_body['excludeCredentials'].pluck('id')
+          expect(excluded_credentials_ids).to match_array(user.webauthn_credentials.pluck(:external_id))
         end
       end
 
-      context 'when user has not enabled otp' do
+      context 'when user does not have webauthn enabled' do
-        before do
+        it 'returns http success' do
-          user.update(otp_required_for_login: false)
-        end
-
-        it 'requires otp enabled first' do
           get :options
 
-          expect(response).to redirect_to settings_two_factor_authentication_methods_path
+          expect(response).to have_http_status(200)
-          expect(flash[:error]).to be_present
+        end
+
+        it 'stores the challenge on the session' do
+          get :options
+
+          expect(controller.session[:webauthn_challenge]).to be_present
+        end
+
+        it 'sets user webauthn_id' do
+          get :options
+
+          expect(user.reload.webauthn_id).to be_present
         end
       end
     end
@@ -183,29 +148,40 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
         sign_in user, scope: :user
       end
 
-      context 'when user has enabled otp' do
+      context 'when user has enabled webauthn' do
         before do
-          user.update(otp_required_for_login: true)
+          user.update(webauthn_id: WebAuthn.generate_user_id)
+          add_webauthn_credential(user)
         end
 
-        context 'when user has enabled webauthn' do
+        context 'when creation succeeds' do
-          before do
+          it 'returns http success' do
-            user.update(webauthn_id: WebAuthn.generate_user_id)
+            controller.session[:webauthn_challenge] = challenge
-            add_webauthn_credential(user)
+
+            post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+
+            expect(response).to have_http_status(200)
           end
 
-          it 'adds a new credential to user credentials and does not change webauthn_id when creation succeeds', :aggregate_failures do
+          it 'adds a new credential to user credentials' do
             controller.session[:webauthn_challenge] = challenge
 
             expect do
               post :create, params: { credential: new_webauthn_credential, nickname: nickname }
             end.to change { user.webauthn_credentials.count }.by(1)
-                                                             .and not_change(user, :webauthn_id)
-
-            expect(response).to have_http_status(200)
           end
 
-          it 'fails when the nickname is already used' do
+          it 'does not change webauthn_id' do
+            controller.session[:webauthn_challenge] = challenge
+
+            expect do
+              post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+            end.to_not change(user, :webauthn_id)
+          end
+        end
+
+        context 'when the nickname is already used' do
+          it 'fails' do
             controller.session[:webauthn_challenge] = challenge
 
             post :create, params: { credential: new_webauthn_credential, nickname: 'USB Key' }
@@ -213,14 +189,19 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
             expect(response).to have_http_status(422)
             expect(flash[:error]).to be_present
           end
+        end
 
-          it 'fails when the credential already exists' do
+        context 'when the credential already exists' do
+          before do
+            user2 = Fabricate(:user)
             public_key_credential = WebAuthn::Credential.from_create(new_webauthn_credential)
             Fabricate(:webauthn_credential,
-                      user_id: Fabricate(:user).id,
+                      user_id: user2.id,
                       external_id: public_key_credential.id,
                       public_key: public_key_credential.public_key)
+          end
 
+          it 'fails' do
             controller.session[:webauthn_challenge] = challenge
 
             post :create, params: { credential: new_webauthn_credential, nickname: nickname }
@@ -230,29 +211,18 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
           end
         end
 
-        context 'when user have not enabled webauthn and creation succeeds' do
+        context 'when user have not enabled webauthn' do
-          it 'creates a webauthn credential' do
+          context 'when creation succeeds' do
-            controller.session[:webauthn_challenge] = challenge
+            it 'creates a webauthn credential' do
+              controller.session[:webauthn_challenge] = challenge
 
-            expect do
+              expect do
-              post :create, params: { credential: new_webauthn_credential, nickname: nickname }
+                post :create, params: { credential: new_webauthn_credential, nickname: nickname }
-            end.to change { user.webauthn_credentials.count }.by(1)
+              end.to change { user.webauthn_credentials.count }.by(1)
+            end
           end
         end
       end
-
-      context 'when user has not enabled otp' do
-        before do
-          user.update(otp_required_for_login: false)
-        end
-
-        it 'requires otp enabled first' do
-          post :create, params: { credential: new_webauthn_credential, nickname: nickname }
-
-          expect(response).to redirect_to settings_two_factor_authentication_methods_path
-          expect(flash[:error]).to be_present
-        end
-      end
     end
 
     context 'when not signed in' do
@@ -270,39 +240,30 @@ RSpec.describe Settings::TwoFactorAuthentication::WebauthnCredentialsController
         sign_in user, scope: :user
       end
 
-      context 'when user has otp enabled' do
+      context 'when user has webauthn enabled' do
         before do
-          user.update(otp_required_for_login: true)
+          user.update(webauthn_id: WebAuthn.generate_user_id)
+          add_webauthn_credential(user)
         end
 
-        context 'when user has webauthn enabled' do
+        context 'when deletion succeeds' do
-          before do
+          it 'redirects to 2FA methods list and shows flash success' do
-            user.update(webauthn_id: WebAuthn.generate_user_id)
+            delete :destroy, params: { id: user.webauthn_credentials.take.id }
-            add_webauthn_credential(user)
-          end
-
-          it 'redirects to 2FA methods list and shows flash success and deletes the credential when deletion succeeds', :aggregate_failures do
-            expect do
-              delete :destroy, params: { id: user.webauthn_credentials.take.id }
-            end.to change { user.webauthn_credentials.count }.by(-1)
 
             expect(response).to redirect_to settings_two_factor_authentication_methods_path
             expect(flash[:success]).to be_present
           end
-        end
 
-        context 'when user does not have webauthn enabled' do
+          it 'deletes the credential' do
-          it 'redirects to 2FA methods list and shows flash error' do
+            expect do
-            delete :destroy, params: { id: '1' }
+              delete :destroy, params: { id: user.webauthn_credentials.take.id }
-
+            end.to change { user.webauthn_credentials.count }.by(-1)
-            expect(response).to redirect_to settings_two_factor_authentication_methods_path
-            expect(flash[:error]).to be_present
           end
         end
       end
 
-      context 'when user does not have otp enabled' do
+      context 'when user does not have webauthn enabled' do
-        it 'requires otp enabled first' do
+        it 'redirects to 2FA methods list and shows flash error' do
           delete :destroy, params: { id: '1' }
 
           expect(response).to redirect_to settings_two_factor_authentication_methods_path

spec/models/user_spec.rb

@@ -235,6 +235,52 @@ RSpec.describe User do
     end
   end
 
+  describe '#disable_otp_login!' do
+    describe 'when user has OTP enabled' do
+      let(:user) do
+        Fabricate(
+          :user,
+          otp_required_for_login: true,
+          otp_secret: 'oldotpcode'
+        )
+      end
+
+      it 'saves false for otp_required_for_login' do
+        user.disable_otp_login!
+
+        expect(user.reload.otp_required_for_login).to be false
+      end
+
+      it 'saves nil for otp_secret' do
+        user.disable_otp_login!
+
+        expect(user.reload.otp_secret).to be_nil
+      end
+    end
+
+    describe 'when user does not have OTP enabled' do
+      let(:user) do
+        Fabricate(
+          :user,
+          otp_required_for_login: false,
+          otp_secret: nil
+        )
+      end
+
+      it 'does not change for otp_required_for_login' do
+        user.disable_otp_login!
+
+        expect(user.reload.otp_required_for_login).to be false
+      end
+
+      it 'does not change for otp_secret' do
+        user.disable_otp_login!
+
+        expect(user.reload.otp_secret).to be_nil
+      end
+    end
+  end
+
   describe '#disable_two_factor!' do
     it 'saves false for otp_required_for_login' do
       user = Fabricate.build(:user, otp_required_for_login: true)

spec/requests/settings/two_factor_authentication_methods_spec.rb

@@ -13,23 +13,4 @@ RSpec.describe 'Settings TwoFactorAuthenticationMethods' do
       end
     end
   end
-
-  context 'when signed in' do
-    let(:user) { Fabricate(:user) }
-
-    before { sign_in user }
-
-    describe 'GET to /settings/two_factor_authentication_methods' do
-      describe 'when user has not enabled otp' do
-        before { user.update(otp_required_for_login: false) }
-
-        it 'redirects to enable otp' do
-          get settings_two_factor_authentication_methods_path
-
-          expect(response)
-            .to redirect_to(settings_otp_authentication_path)
-        end
-      end
-    end
-  end
 end

spec/system/admin/users/two_factor_authentications_spec.rb

@@ -26,15 +26,14 @@ RSpec.describe 'Admin Users TwoFactorAuthentications' do
       end
     end
 
-    context 'when user has OTP and WebAuthn enabled' do
+    context 'when user has WebAuthn enabled' do
-      before { user.update(otp_required_for_login: true, webauthn_id: WebAuthn.generate_user_id) }
+      before { user.update(webauthn_id: WebAuthn.generate_user_id) }
 
       it 'disables OTP and webauthn and redirects to admin account page' do
         visit admin_account_path(user.account.id)
 
         expect { disable_two_factor }
-          .to change { user.reload.otp_enabled? }.to(false)
+          .to change { user.reload.webauthn_enabled? }.to(false)
-          .and(change { user.reload.webauthn_enabled? }.to(false))
         expect(page)
           .to have_title(user.account.pretty_acct)
       end