On SMS setup and authentication, sms_code is added to the list of methods the session is authenticated by. However, when removing all multifactor authentication methods, Rodauth is removing sms_codes method, which will cause the account authenticated via SMS to stay SMS authenticated. We fix that by removing sms_code method instead.
The method deletion from session when removing all MFA methods wasn't tested for any MFA method (except implicitly for recovery codes), so we add the missing tests.
On SMS setup and authentication,
sms_code
is added to the list of methods the session is authenticated by. However, when removing all multifactor authentication methods, Rodauth is removingsms_codes
method, which will cause the account authenticated via SMS to stay SMS authenticated. We fix that by removingsms_code
method instead.The method deletion from session when removing all MFA methods wasn't tested for any MFA method (except implicitly for recovery codes), so we add the missing tests.