Flash message for required multifactor authentication when using single MFA method

[janko]

When requiring multifactor authentication for a route and using a single MFA method, the request will redirect to /multifactor-auth, then redirect to e.g. /otp-auth. However, on the second redirect, the original error flash message telling the user they need to authenticate with an additional factor is lost.

Are you open to a pull request for keeping the flash message? My first idea was to check if there is anything in flash[:error] in /multifactor-auth, and then set_redirect_error_flash to that value. However, I'm not sure whether this will work with internal_request, where flash is a string and not a hash. Another idea was to modify two_factor_auth_required_redirect to redirect straight to the auth page of the specific MFA method, using the logic in /multifactor-auth.

What are your thoughts on this?

[jeremyevans]

If you can reuse the logic easily, it seems better to modify the code so there is only one redirect and not two. Then you don't need to worry about the flash message.

[janko]

It appears that in Roda, an unread flash message is forwarded to the 2nd redirect, while in Rails it's not. Since this issue is due to a difference between Roda's flash plugin and Rails' flash implementation, I will try to fix this in rodauth-rails.

[janko]

Just to follow-up, it was indeed a bug in rodauth-rails. Rails behaves the same as Roda in terms of keeping flash messages on consecutive redirects, but rodauth-rails was reading the flash before each request for some reason. I fixed it in janko/rodauth-rails@cea7065.