• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

kobotoolbox / kpi / 29029441589 / 3
81%
master: 76%

Build:
Build:
LAST BUILD BRANCH: hugo/dev-2094-harden-lrm-0024-qpaths
DEFAULT BRANCH: master
Ran 09 Jul 2026 03:31PM UTC
Files 889
Run time 53s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

09 Jul 2026 03:25PM UTC coverage: 49.593% (+5.2%) from 44.421%
29029441589.3

push

github

web-flow
fix(mfa): enforce 2FA when an authenticated user logs in as another account DEV-2111 (#7223)

### đŸ“Ŗ Summary

Signing in with a second account's credentials while already logged in
now signs you into that account (prompting for 2FA when enabled) instead
of silently ignoring the new credentials.

### 📖 Description

Previously, if you were already logged in and submitted a different
account's credentials on the login form, the new login was silently
discarded. You stayed logged in as your original account and never saw a
2FA prompt. Now the stale session is dropped so the new login completes
normally, including its two-factor challenge.

### 💭 Notes

- Root cause: `ACCOUNT_AUTHENTICATED_LOGIN_REDIRECTS` is disabled, so an
already-authenticated user can POST the login form for a *different*
account. When that account has MFA enabled, allauth defers the login to
its 2FA stage, but the `mfa_authenticate` view redirects any
already-authenticated request away (allauth's `login_stage_required`
decorator), silently abandoning the pending login and leaving the
original user signed in. `MfaLoginView.form_valid` now logs the current
user out (only when the submitted credentials resolve to a different
account, and only after they validate) so the new login and its 2FA
challenge run on a clean, anonymous session.
- Two regression tests added in
`kobo/apps/accounts/mfa/tests/test_login.py`: one reproducing the bounce
(asserts the 2FA challenge is reached and the stale session is dropped),
and one guarding that a *failed* login attempt does not drop the
existing session.

### 👀 Preview steps

1. â„šī¸ have two accounts: a regular one, and a superuser with 2FA (TOTP)
enabled
2. log in as the regular (non-superuser) account
3. navigate to `/admin/` — you get the login screen
4. enter the superuser's username and password
5. 🔴 [on main] you're bounced straight to the projects list, still
logged in as the regular user, with no 2FA prompt
6. đŸŸĸ [on PR] you're taken to the 2FA ... (continued)

4407 of 12465 branches covered (35.35%)

18380 of 37062 relevant lines covered (49.59%)

0.5 hits per line

Source Files on job 29029441589.3
  • Tree
  • List 889
  • Changed 88
  • Source Changed 0
  • Coverage Changed 88
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Build 29029441589
  • 463d4163 on github
  • Prev Job for on release/2.026.27 (#29028964036.2)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc