ENH Disable temporary sudo mode after login

behat.yml

@@ -15,6 +15,8 @@ default:
         - SilverStripe\Framework\Tests\Behaviour\CmsUiContext
         - SilverStripe\BehatExtension\Context\BasicContext
         - SilverStripe\BehatExtension\Context\EmailContext
+        - SilverStripe\BehatExtension\Context\FixtureContext
+            - '%paths.modules.silverstripe-mfa%/tests/Behat/features/files/'
         - SilverStripe\MFA\Tests\Behat\Context\LoginContext
         - SilverStripe\CMS\Tests\Behaviour\ThemeContext
   extensions:

composer.json

@@ -36,6 +36,7 @@
         "phpunit/phpunit": "^9.6",
         "squizlabs/php_codesniffer": "^3",
         "silverstripe/documentation-lint": "^1",
+        "silverstripe/frameworktest": "^1",
         "silverstripe/standards": "^1",
         "phpstan/extension-installer": "^1.3"
     },

src/Authenticator/LoginHandler.php

@@ -491,6 +491,13 @@ public function redirectAfterSuccessfulLogin(): HTTPResponse
         }
         $request->getSession()->clear(static::SESSION_KEY . '.mustLogin');
 
+        // Deactivate sudo mode that was activated in doLogin()
+        $service = $this->getSudoModeService();
+        // Check if the service has a deactivate method, because it is not defined on the interface
+        if (method_exists($service, 'deactivate')) {
+            call_user_func([$service, 'deactivate'], $this->getRequest()->getSession());
+        }
+
         // Delegate to parent logic
         return parent::redirectAfterSuccessfulLogin();
     }

tests/Behat/features/mfa-enabled.feature

@@ -4,7 +4,8 @@ Feature: MFA is enabled for the site
   So that my site will be more secure
 
   Background:
-    Given I am logged in with "ADMIN" permissions
+    Given I add an extension "SilverStripe\FrameworkTest\SudoMode\ActivateSudoModeServiceExtension" to the "SilverStripe\Security\SudoMode\SudoModeService" class
+    And I am logged in with "ADMIN" permissions
     And I go to "/admin"
     Then I should see the CMS