From 5602dc4418d4c5bc3e8af4e0eaec22f7cf5699dd Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Sun, 16 Jun 2019 04:48:56 +0200
Subject: [PATCH] Use username parameter first if present this makes sure we don't use an old otp_user_id from an old session closes #8031
---
 Changelog.md | 1 +
 app/controllers/sessions_controller.rb | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 312916363..883529eba 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -5,6 +5,7 @@
 ## Bug fixes
 * Improve handling of mixed case hostnames while fetching OpenGraph data [#8021](https://github.com/diaspora/diaspora/pull/8021)
+* Fix "remember me" with two factor authentication enabled [#8031](https://github.com/diaspora/diaspora/pull/8031)
 ## Features
 * Add line mentioning diaspora\* on the splash page [#7966](https://github.com/diaspora/diaspora/pull/7966)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index fc3aa97b3..e679c85a4 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -12,9 +12,9 @@ class SessionsController < Devise::SessionsController
 # rubocop:enable Rails/LexicallyScopedActionFilter
 def find_user
- return User.find(session[:otp_user_id]) if session[:otp_user_id]
+ return User.find_for_authentication(username: params[:user][:username]) if params[:user][:username]
- User.find_for_authentication(username: params[:user][:username]) if params[:user][:username]
+ User.find(session[:otp_user_id]) if session[:otp_user_id]
 end
 def authenticate_with_2fa
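Review bot: With the username lookup placed first in `find_user`, the user returned no longer has to be the one recorded in `session[:otp_user_id]`, and the stale id stays in the session instead of being dropped. `authenticate_with_2fa` begins on the hunk's last line and its body is not visible here; if it treats the presence of `session[:otp_user_id]` as evidence that the password step already succeeded, that evidence needs to be tied to the user just found. I would clear the key on a mismatch, for example `session.delete(:otp_user_id) if user && user.id != session[:otp_user_id]` after assigning the lookup result to `user`, and cover it with a request spec that posts a different username while an old id is still in the session. Separately, `params[:user][:username]` is now evaluated on every call, so a request without a `user` hash raises before the session fallback is reached; `params.dig(:user, :username)` would avoid that.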