Use :database_authenticatable strategy to check password for OTP user

This:
* makes sure that after_database_authentication is called for users with
enabled 2fa.
* handles paranoid mode correctly

app/controllers/sessions_controller.rb

@@ -19,14 +19,14 @@ class SessionsController < Devise::SessionsController
 
   def authenticate_with_2fa
     self.resource = find_user
-    u = find_user
 
-    return true unless u&.otp_required_for_login?
+    return true unless resource&.otp_required_for_login?
 
     if params[:user][:otp_attempt].present? && session[:otp_user_id]
-      authenticate_with_two_factor_via_otp(u)
-    elsif u&.valid_password?(params[:user][:password])
-      prompt_for_two_factor(u)
+      authenticate_with_two_factor_via_otp(resource)
+    else
+      strategy = Warden::Strategies[:database_authenticatable].new(warden.env, :user)
+      prompt_for_two_factor(strategy.user) if strategy.valid? && strategy._run!.successful?
     end
   end
 

config/initializers/devise.rb

@@ -15,11 +15,6 @@ end
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
-  config.warden do |manager|
-    manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
-    manager.default_strategies(scope: :user).unshift :two_factor_backupable
-  end
-
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.