Closed Bug 1205680 Opened 4 years ago Closed 4 years ago

Login page header displays outstanding request count prior to entering 2FA token

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: emorley, Unassigned)

References

Details

1) Enable TOTP 2FA
2) Ensure you have at least one outstanding request targeted at you (eg needinfo)
3) Log out
4) Enter your username + password to start the login process
5) At the "Please enter your verification code from your TOTP application" page, look at the header

Expected:
The header does not display the red circle that shows the number of outstanding requests for that user. (Also, but to a lesser extent, it probably shouldn't display the logged in user email address and navigation menu that links to prefs etc)

Actual:
The outstanding request count is shown, as is the logged in user email/navigation menu.


Whilst none of this information is sensitive [1] - it gives the impression that 2FA isn't working, which is disconcerting and doesn't lead to confidence in the system :-)


[1] the outstanding request count doesn't really add any value - all it would let someone do is guess number of outstanding requests on bugs that are private, by comparing to the count returned from unauthenticated request.cgi calls
this is already fixed as part of bug 1199087
Depends on: 1199087
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.