-rw-r--r--app/controllers/sessions_controller.rb10
-rw-r--r--spec/features/login_spec.rb19
2 files changed, 26 insertions, 3 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b9757143119..d4ff0d97561 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,5 +1,11 @@
class SessionsController < Devise::SessionsController
- prepend_before_action :authenticate_with_two_factor, only: :create
+ prepend_before_action :authenticate_with_two_factor, only: [:create]
+
+ # This action comes from DeviseController, but because we call `sign_in`
+ # manually inside `authenticate_with_two_factor`, not skipping this action
+ # would cause a "You are already signed in." error message to be shown upon
+ # successful login.
+ skip_before_action :require_no_authentication, only: [:create]
def new
redirect_path =
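Review bot: The comment added above `skip_before_action` explains the symptom but not the security consequence of the skip: with `require_no_authentication` no longer guarding `create`, a POST to the session endpoint from a browser that already holds an authenticated session is processed instead of being bounced, so the first-factor login path in Devise's `create` is now reachable for already-signed-in users. That trade-off belongs next to the skip, e.g. `# NOTE: this also means a request that already carries a signed-in session is not rejected at #create; it is only safe while authenticate_with_two_factor signs in before Devise's own handling runs.` Also, `require_no_authentication` is a before-action filter rather than an action, so the first sentence should read `# This filter comes from DeviseController, ...`. The `only: :create` → `only: [:create]` change on the prepend line is purely cosmetic.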
@@ -61,7 +67,7 @@ class SessionsController < Devise::SessionsController
# Remove any lingering user data from login
session.delete(:otp_user_id)
- sign_in(user)
+ sign_in(user) and return
else
flash.now[:alert] = 'Invalid two-factor code.'
render :two_factor and return
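Review bot: `sign_in(user) and return` returns from the before-action but does not halt the filter chain — in Rails only a render or redirect halts it — so after the user is signed in the remaining callbacks (including Devise's `require_no_authentication`) and the `create` action still execute, which is the root cause the skip elsewhere in this commit works around. Halting here instead, `sign_in(user)` followed by `redirect_to after_sign_in_path_for(user) and return`, would end the request at this point and let `require_no_authentication` stay in force for `create`, the safer default for a login endpoint. `authenticate_with_two_factor` starts outside this hunk, so I cannot see whether the method already redirects further down or relies on Devise's `create` to do it.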
diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index 61066e7e923..61defb8a333 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -15,6 +15,11 @@ feature 'Login' do
click_button 'Verify code'
end
+ it 'does not show a "You are already signed in." error message' do
+ enter_code(user.current_otp)
+ expect(page).not_to have_content('You are already signed in.')
+ end
+
context 'using one-time code' do
it 'allows login with valid code' do
enter_code(user.current_otp)
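Review bot: The new example at lines 40-43 asserts only the absence of the error message, which also holds when the OTP is rejected — the failure path re-renders the form with 'Invalid two-factor code.' and never shows 'You are already signed in.' — so the test cannot distinguish a fixed login from a broken one. Pair the negative check with a positive one such as `expect(current_path).to eq root_path`; the 'allows login with valid code' example directly below appears to make that assertion already, so the `not_to have_content` line could simply be merged into it. The `feature 'Login'` block and its `before` setup begin outside this hunk.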
@@ -66,7 +71,7 @@ feature 'Login' do
expect(user.reload.otp_backup_codes.size).to eq 9
enter_code(code)
- expect(page).to have_content('Invalid two-factor code')
+ expect(page).to have_content('Invalid two-factor code.')
end
end
end
@@ -80,5 +85,17 @@ feature 'Login' do
login_with(user)
expect(current_path).to eq root_path
end
+
+ it 'does not show a "You are already signed in." error message' do
+ login_with(user)
+ expect(page).not_to have_content('You are already signed in.')
+ end
+
+ it 'blocks invalid login' do
+ user = create(:user, password: 'not-the-default')
+
+ login_with(user)
+ expect(page).to have_content('Invalid email or password.')
+ end
end
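Review bot: The negative-only assertion at lines 61-64 has the same blind spot as the two-factor variant: a login that fails for any reason also never renders 'You are already signed in.', so the example passes whether or not the sign-in succeeded; add `expect(current_path).to eq root_path` alongside it, or fold the check into the existing example above that already asserts the path. The 'blocks invalid login' example at lines 66-71 depends on `login_with` submitting a password other than 'not-the-default' — that helper is not in the hunk, so it presumably fills in the factory default rather than `user.password`; worth confirming, since otherwise the example would sign in and fail for the wrong reason. The enclosing `feature 'Login'` block starts outside this hunk.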
end