Diffstat (limited to 'app/controllers/sessions_controller.rb')
-rw-r--r-- | app/controllers/sessions_controller.rb | 32 |
1 files changed, 2 insertions, 30 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 65677a3dd3c..758441682c8 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -5,8 +5,9 @@ class SessionsController < Devise::SessionsController
 skip_before_action :check_2fa_requirement, only: [:destroy]
 prepend_before_action :check_initial_setup, only: [:new]
- prepend_before_action :authenticate_with_two_factor, only: [:create]
 prepend_before_action :store_redirect_path, only: [:new]
+ prepend_before_action :two_factor_authentication,
+ if: :two_factor_enabled?, only: [:create]
 before_action :auto_sign_in_with_provider, only: [:new]
 before_action :load_recaptcha
@@ -55,14 +56,6 @@ class SessionsController < Devise::SessionsController
 params.require(:user).permit(:login, :password, :remember_me, :otp_attempt)
 end
- def find_user
- if user_params[:login]
- User.by_login(user_params[:login])
- elsif user_params[:otp_attempt] && session[:otp_user_id]
- User.find(session[:otp_user_id])
- end
- end
-
 def store_redirect_path
 redirect_path =
 if request.referer.present? && (params['redirect_to_referer'] == 'yes')
@@ -83,27 +76,6 @@ class SessionsController < Devise::SessionsController
 end
 end
- def authenticate_with_two_factor
- user = self.resource = find_user
-
- return unless user && user.two_factor_enabled?
-
- if user_params[:otp_attempt].present? && session[:otp_user_id]
- if valid_otp_attempt?(user)
- # Remove any lingering user data from login
- session.delete(:otp_user_id)
-
- sign_in(user) and return
- else
- flash.now[:alert] = 'Invalid two-factor code.'
- render :two_factor and return
- end
- else
- if user && user.valid_password?(user_params[:password])
- prompt_for_two_factor(user)
- end
- end
- end
 def auto_sign_in_with_provider
 provider = Gitlab.config.omniauth.auto_sign_in_with_provider |
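Review bot: The new `if: :two_factor_enabled?` guard in the first hunk is a controller-level predicate, and neither it nor `two_factor_authentication` is defined anywhere in this file's diff, so the second-factor check on `create` now rests entirely on code that cannot be reviewed here. The removed `authenticate_with_two_factor` (third hunk) resolved the user itself through `find_user` (second hunk), verified the password before prompting, and accepted an OTP only when `session[:otp_user_id]` was set. If the new predicate returns false or nil for an account that has 2FA enabled, the filter is skipped and Devise's `create` would presumably continue on the password alone, so the predicate needs to fail closed. I would add a comment above the filter, for example `# 2FA gate: must run for every login that resolves to a 2FA-enabled user; defined in <file placeholder>`, and a request spec asserting that such a user cannot complete `create` without a valid `otp_attempt`. The class body starts and ends outside these hunks, so where the two methods come from is not visible.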