2FA activation: Prevent from deadlock, please

No tech details needed.

→ 2FA should be secured against unwanted activation.
Current situation can lead to a (temp) dead-end. New users would give up here.

Why?
Most projects I know enforce initial test of second factor before 2FA is activated.
I have (well, I had) 2 instances that went into 2FA deadlock after install while setting all the options.
2FA activated w/o setting it up: Suddenly admin cannot save config w/o 2FA.
It´s not relevant why 2FA activated w/o warning or “check on init”. Might be by mistake, might be some mislead browser add-on (autofill, NoScript…). It does not matter.

→ 2FA should not be able to be activated without proof of second factor.

Note: Yes, there is a solution for this situation by editing config files. But this is not what this project deserves.

Hi!

Not sure I understood the issue here =\

You can always disable the 2FA from the beginning using environment variables.

Please, can you elaborate more your issue?

Thanks!

Imagine this:
Some admin wants to check RC out.
Easy installation using How-To, shell and stuff.
And directly after GUI is up: Closes shell, uses GUI. Only.

During configuration in GUI, after adding users, SMTP access and stuff → GUI asks for 2nd factor.
Under unknown circumstances, 2FA is activated.
This should NEVER be possible without a QR-code on screen and confirmation by entering a correct OTP (depending on 2FA method).

It does not matter that there are envvars.
Yes, we COULD fix it. But this situation must not occur in the first place.
Yes, someone who wants to run an RC instance SHOULD be skilled enough to fix it.
Yes, it´s a minor issue for you, me and many more peeps around.

But: This unnecessarily existing deadlock makes RC as a whole feel… well… buggy.

And after I ran into this issue with both docker (proxmox) and on a fresh Ubuntu 22 (VM), there was only one option: Kill VM, try another project. By the way: Yes, I could fix it using shell and editor. But I cannot trust an application that behaves unpredictable at critical fuctions.

How many interested people might have run into this issue and dropped RC from wishlist within minutes?
Why don´t make sure that 2FA cannot be activated without testing first. Why don´t put a warning on screen (“You are about to activate 2FA. Did you prepare your 2nd factor? YES, GO ON / NO, GO BACK”)?

Even if my writing in English isn´t too fine, you will understand :slight_smile: