diff --git a/src/Api/Auth/Controllers/TwoFactorController.cs b/src/Api/Auth/Controllers/TwoFactorController.cs
index 96b64f16fc..4155489daa 100644
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@@ -409,21 +409,6 @@ public class TwoFactorController : Controller
return response;
}
- ///
- /// To be removed when the feature flag pm-17128-recovery-code-login is removed PM-18175.
- ///
- [Obsolete("Two Factor recovery is handled in the TwoFactorAuthenticationValidator.")]
- [HttpPost("recover")]
- [AllowAnonymous]
- public async Task PostRecover([FromBody] TwoFactorRecoveryRequestModel model)
- {
- if (!await _userService.RecoverTwoFactorAsync(model.Email, model.MasterPasswordHash, model.RecoveryCode))
- {
- await Task.Delay(2000);
- throw new BadRequestException(string.Empty, "Invalid information. Try again.");
- }
- }
-
[Obsolete("Leaving this for backwards compatibility on clients")]
[HttpGet("get-device-verification-settings")]
public Task GetDeviceVerificationSettings()
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 39bd3fea5d..352daee862 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -121,7 +121,6 @@ public static class FeatureFlagKeys
public const string BrowserExtensionLoginApproval = "pm-14938-browser-extension-login-approvals";
public const string SetInitialPasswordRefactor = "pm-16117-set-initial-password-refactor";
public const string ChangeExistingPasswordRefactor = "pm-16117-change-existing-password-refactor";
- public const string RecoveryCodeLogin = "pm-17128-recovery-code-login";
public const string Otp6Digits = "pm-18612-otp-6-digits";
public const string FailedTwoFactorEmail = "pm-24425-send-2fa-failed-email";
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index 8457a9c128..ef602be93a 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -90,9 +90,6 @@ public interface IUserService
void SetTwoFactorProvider(User user, TwoFactorProviderType type, bool setEnabled = true);
- [Obsolete("To be removed when the feature flag pm-17128-recovery-code-login is removed PM-18175.")]
- Task RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode);
-
///
/// This method is used by the TwoFactorAuthenticationValidator to recover two
/// factor for a user. This allows users to be logged in after a successful recovery
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 0da565c4ba..16e298d177 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -865,39 +865,6 @@ public class UserService : UserManager, IUserService
}
}
- ///
- /// To be removed when the feature flag pm-17128-recovery-code-login is removed PM-18175.
- ///
- [Obsolete("Two Factor recovery is handled in the TwoFactorAuthenticationValidator.")]
- public async Task RecoverTwoFactorAsync(string email, string secret, string recoveryCode)
- {
- var user = await _userRepository.GetByEmailAsync(email);
- if (user == null)
- {
- // No user exists. Do we want to send an email telling them this in the future?
- return false;
- }
-
- if (!await VerifySecretAsync(user, secret))
- {
- return false;
- }
-
- if (!CoreHelpers.FixedTimeEquals(user.TwoFactorRecoveryCode, recoveryCode))
- {
- return false;
- }
-
- user.TwoFactorProviders = null;
- user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false);
- await SaveUserAsync(user);
- await _mailService.SendRecoverTwoFactorEmail(user.Email, DateTime.UtcNow, _currentContext.IpAddress);
- await _eventService.LogUserEventAsync(user.Id, EventType.User_Recovered2fa);
- await CheckPoliciesOnTwoFactorRemovalAsync(user);
-
- return true;
- }
-
public async Task RecoverTwoFactorAsync(User user, string recoveryCode)
{
if (!CoreHelpers.FixedTimeEquals(