From 4770ce8cd310d682014dc7d1956cc107909ac15f Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 1 Jul 2018 09:10:00 +0100
Subject: [PATCH] Wipe U2F keys too when disabling 2FA

---
 actions.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/actions.go b/actions.go
index f805d779..ff9dba47 100644
--- a/actions.go
+++ b/actions.go
@@ -320,6 +320,14 @@ func (s *AccountService) disable2FA(ctx context.Context, tx TX, user *User) erro
 		return newBackendError(err)
 	}
 
+	// Disable U2F.
+	if len(user.U2FRegistrations) > 0 {
+		user.U2FRegistrations = nil
+		if err := tx.UpdateUser(ctx, user); err != nil {
+			return newBackendError(err)
+		}
+	}
+
 	// Wipe all app-specific passwords.
 	for _, asp := range user.AppSpecificPasswords {
 		if err := tx.DeleteApplicationSpecificPassword(ctx, user, asp.ID); err != nil {
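Review bot: The U2F wipe at `user.U2FRegistrations = nil` only works if `tx.UpdateUser` treats a nil slice as an instruction to delete the stored registrations, and nothing in this hunk establishes that. If the backend skips empty fields on update, the keys would stay enrolled while the account is reported as having 2FA disabled. A test that registers a key, calls `disable2FA` and re-reads the user from the backend would pin this down. The comment could also state the intent, e.g. `// Drop all registered U2F keys so no hardware token stays enrolled once 2FA is off.` The body of `disable2FA` starts before and continues past this hunk, so any later handling is not visible here.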
-- 
GitLab