From 446482da7534e0cdaa7ccaa55129806d8557509f Mon Sep 17 00:00:00 2001
From: Justin Giancola
Date: Tue, 11 May 2021 20:46:59 +0000
Subject: [PATCH] Don't allow bypassing auth with non-json/html format
---
 lib/two_factor_authentication/controllers/helpers.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/two_factor_authentication/controllers/helpers.rb b/lib/two_factor_authentication/controllers/helpers.rb
index 64e8377c..2a99e648 100644
--- a/lib/two_factor_authentication/controllers/helpers.rb
+++ b/lib/two_factor_authentication/controllers/helpers.rb
@@ -27,6 +27,8 @@ def handle_failed_second_factor(scope)
 elsif request.format.json?
 session["#{scope}_return_to"] = root_path(format: :html)
 render json: { redirect_to: two_factor_authentication_path_for(scope) }, status: :unauthorized
+ else
+ head :unauthorized
 end
 else
 head :unauthorized
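Review bot: The added `else` branch carries no comment explaining why it must exist, although it is the whole fix: before it, a request whose format was neither html nor json reached the end of the inner `if` without any response, and presumably the filter then failed to halt the chain (a Rails before_action stops the action only when it renders or redirects), which is the bypass the subject line describes. A one-line comment above the new `head :unauthorized`, such as `# any other format must still get a response here, otherwise the filter does not halt and the protected action runs`, records that invariant so a later refactor of the format chain does not reopen the hole. The diffstat shows 2 insertions in a single file and no test, so a request-level regression test that hits a second-factor-protected action with a non-html/non-json format and asserts a 401 with no action side effects would be worth adding. handle_failed_second_factor starts and ends outside the hunk, so the surrounding `if`/`else` structure is only partly visible here.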