From 63af30a38e40b336bb3c259639abaffcf036e2f0 Mon Sep 17 00:00:00 2001
From: hamid ghaf
Date: Tue, 12 Apr 2022 12:26:37 -0700
Subject: [PATCH 1/2] forwarding requests subjected to Login MFA to the active node
---
 vault/request_handling.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index b013d654a764..e9ebef5fef03 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1506,6 +1506,12 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 }
 }
 } else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
+ // two-phase login MFA requests should be forwarded
+ // to the active node, as the validation should only
+ // happen in that node
+ if c.perfStandby {
+ return nil, nil, logical.ErrPerfStandbyPleaseForward
+ }
 mfaRequestID, err := uuid.GenerateUUID()
 if err != nil {
 return nil, nil, err
From 9b2c279feb5815dd202bed9128691c7c580f7f15 Mon Sep 17 00:00:00 2001
From: hamid ghaf
Date: Tue, 12 Apr 2022 12:36:37 -0700
Subject: [PATCH 2/2] CL, and making fmt happy
---
 changelog/15009.txt | 3 +++
 sdk/framework/backend_test.go | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelog/15009.txt
diff --git a/changelog/15009.txt b/changelog/15009.txt
new file mode 100644
index 000000000000..aa2fd741c55b
--- /dev/null
+++ b/changelog/15009.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: forward requests subject to login MFA from perfStandby to Active node
+```
diff --git a/sdk/framework/backend_test.go b/sdk/framework/backend_test.go
index 0e4307140297..c563a152b605 100644
--- a/sdk/framework/backend_test.go
+++ b/sdk/framework/backend_test.go
@@ -2,8 +2,6 @@ package framework
 
 import (
 "context"
- "github.com/hashicorp/go-secure-stdlib/strutil"
- "github.com/stretchr/testify/require"
 "net/http"
 "reflect"
 "strings"
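Review bot: The forward-to-active guard in vault/request_handling.go covers only the two-phase branch (`len(req.MFACreds) == 0`), so a login that supplies MFA credentials inline still takes the preceding branch on a performance standby. If that branch validates the credentials locally, the rule stated in the new comment ("the validation should only happen in that node") is not enforced for it, which matters if any MFA validation state is kept on the active node only. The preceding branch and the rest of handleLoginRequest are outside the hunk, so this needs confirming against the full function; if it applies, hoist the check above the if/else chain, e.g. `if len(matchedMfaEnforcementList) > 0 && c.perfStandby { return nil, nil, logical.ErrPerfStandbyPleaseForward }`. The comment should also state why a standby cannot serve the request (which state lives only on the active node) rather than only that it must forward. Neither patch adds a test for the standby path.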
@@ -11,8 +9,10 @@ import (
 "testing"
 "time"
 
+ "github.com/hashicorp/go-secure-stdlib/strutil"
 "github.com/hashicorp/vault/sdk/helper/consts"
 "github.com/hashicorp/vault/sdk/logical"
+ "github.com/stretchr/testify/require"
 )
 
 func BenchmarkBackendRoute(b *testing.B) {