Skip 2FA prompt for token-based auth #781
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
0xnmn
force-pushed
the
naman/skip-2fa-for-token-auth
branch
from
bceb752 to
117e0b9
Compare
0xnmn
force-pushed
the
naman/skip-2fa-for-token-auth
branch
from
117e0b9 to
b0b85e4
Compare
Contributor
Author
|
@cursor review |
0xnmn
force-pushed
the
naman/skip-2fa-for-token-auth
branch
from
b0b85e4 to
c14c0e7
Compare
Contributor
Author
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. |
Contributor
Author
|
@cursor review |
0xnmn
force-pushed
the
naman/skip-2fa-for-token-auth
branch
from
c14c0e7 to
1e18ebb
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON, but it could not run because Privacy Mode (Legacy) is turned on. To enable Bugbot Autofix, switch your privacy mode in the Cursor dashboard.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON, but it could not run because Privacy Mode (Legacy) is turned on. To enable Bugbot Autofix, switch your privacy mode in the Cursor dashboard.
0xnmn
force-pushed
the
naman/skip-2fa-for-token-auth
branch
2 times, most recently
from
99a0852 to
72e048b
Compare
Token-based auth (RAILWAY_TOKEN, RAILWAY_API_TOKEN) is non-interactive and bypasses 2FA on the backend anyway. Only prompt for 2FA when using session-based auth from `railway login`. https://discord.com/channels/713503345364697088/1467957064595800156
0xnmn
force-pushed
the
naman/skip-2fa-for-token-auth
branch
from
72e048b to
1a42d19
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Token-based auth (RAILWAY_TOKEN, RAILWAY_API_TOKEN) is non-interactive and bypasses 2FA on the backend. Only prompt for 2FA when using session-based auth from railway login.
https://discord.com/channels/713503345364697088/1467957064595800156
Note
Medium Risk
Touches authentication/2FA behavior across multiple destructive commands (project/environment/function/volume delete), so incorrect branching could weaken safeguards or break CI/non-interactive usage.
Overview
Deletion flows now share a centralized 2FA gate via new
util::two_factor::validate_two_factor_if_enabled, and the function delete command gains--2fa-codesupport.The new helper skips 2FA entirely when using
RAILWAY_TOKEN/RAILWAY_API_TOKEN(token auth), and otherwise prompts/accepts a provided code for session auth; the oldTwoFactorRequiresInteractiveerror is removed in favor of a direct non-interactive bail message.Written by Cursor Bugbot for commit 1a42d19. This will update automatically on new commits. Configure here.