Redirect away from two factor entry page if no target user is set in session

app/controllers/user/sessions_controller.rb

@@ -27,6 +27,11 @@ class User::SessionsController < Devise::SessionsController
   end
 
   def two_factor_entry
+    unless session.has_key? :user_sign_in_uid
+      redirect_to root_url
+      return
+    end
+
     self.resource = User.find(session[:user_sign_in_uid])
     render 'auth/two_factor_authentication'
   end

spec/controllers/user/sessions_controller_spec.rb

@@ -0,0 +1,14 @@
+require 'rails_helper'
+
+describe User::SessionsController do
+  before do
+    @request.env["devise.mapping"] = Devise.mappings[:user]
+  end
+
+  describe "#two_factor_entry" do
+    subject { get :two_factor_entry }
+    it "redirects back to the home page if no sign in target is set" do
+      expect(subject).to redirect_to :root
+    end
+  end
+end