From d625f4e9fe78a69be0d481c20cba33b6dd88ef1a Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 27 Jul 2022 19:03:35 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-2-stable-ee

---
 config/initializers/doorkeeper.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'config/initializers')

diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 6ad8b02bfea..761904009bb 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -24,7 +24,11 @@ Doorkeeper.configure do
 
   resource_owner_from_credentials do |routes|
     user = Gitlab::Auth.find_with_user_password(params[:username], params[:password], increment_failed_attempts: true)
-    user unless user.try(:two_factor_enabled?)
+
+    next unless user
+    next if user.two_factor_enabled? || Gitlab::Auth::TwoFactorAuthVerifier.new(user).two_factor_authentication_enforced?
+
+    user
   end
 
   # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
-- 
cgit v1.2.3