From ee0d822517154878a2ad33be66b820c6b68d077b Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Sat, 17 Jul 2021 07:39:51 +0000
Subject: [PATCH] Merged r21069 from trunk to 4.2-stable (#35417).

git-svn-id: http://svn.redmine.org/redmine/branches/4.2-stable@21070 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/twofa_controller.rb | 2 ++
 app/models/user.rb                  | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index 058388907..87f65e826 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -47,6 +47,8 @@ class TwofaController < ApplicationController
 
   def activate
     if @twofa.confirm_pairing!(params[:twofa_code].to_s)
+      # The session token was destroyed by the twofa pairing, generate a new one
+      session[:tk] = @user.generate_session_token
       flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
       redirect_to my_account_path
     else
diff --git a/app/models/user.rb b/app/models/user.rb
index b25bab926..a2d2e61e6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -916,7 +916,7 @@ class User < Principal
   # This helps to keep the account secure in case the associated email account
   # was compromised.
   def destroy_tokens
-    if saved_change_to_hashed_password? || (saved_change_to_status? && !active?)
+    if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) || (saved_change_to_twofa_scheme? && twofa_scheme.present?)
       tokens = ['recovery', 'autologin', 'session']
       Token.where(:user_id => id, :action => tokens).delete_all
     end