FIX: Disable security keys at same time as TOTP 2FA (PR #10144)

GitHub

Added & fixed tests

Is this check necessary? What if the DB is in a state where the security keys are already gone, should we raise an error then?

That’s what this is, right? Raise an error if there’s nothing to delete.

Sorry, I thought the issue was that the security keys were not being deleted when this happens?

This pull request has been mentioned on Discourse Meta. There might be relevant details there:

https://meta.discourse.org/t/turn-off-two-factor-authentication/156724/4

The issue was that if there were no TOTP factors but were security keys, the “Remove 2FA” button didn’t do anything and generated an error. I need to also fix the client side, actually.

Thanks I was confused with another issue!

Should be good to merge when the client side is done.

Added permission check for moderators.

This pull request has been mentioned on Discourse Meta. There might be relevant details there: